Cisco Support Community

New Member

unable to make l2tp /IPsec connection


I have set up a VPN using L2TP; the remote access from a Windows 2000 client to a Cisco 3640 router is working well.

Now I want to do L2TP/IPSec, but I'm having trouble with it.

You can find in this message a topology of my network, a config of Windows 2000 and a config sample of the Cisco 3640.

When I use debug on the Cisco 3640, I have no error (no messages about


Can someone help me?

I have as server a Cisco 3640 router with (C3640-JK8O3S-M), Version 12.2(10a), RELEASE SOFTWARE (fc1)

And a Microsoft Windows 2000 client.

Here is the TOPOLOGY:


<---------------Tunnel L2TP/IPSec-------------->

Here is what I did on the Windows 2000 client:

1) Add the correct value in the registry

2) I have created an IPSec policy for use with L2TP/IPSec using a preshare


3) Assign it (OK, it is running)

-->First, by using the Cisco VPN client


Client Type:Windows,WinNT

When I try to connect, I get the error message "remote peer is no longer responding" and the following debug:

1 09:30:41.315 07/23/02 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to

2 09:30:46.322 07/23/02 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to

3 09:30:51.329 07/23/02 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to

4 09:30:56.336 07/23/02 Sev=Warning/2 IKE/0xE300007B

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

5 09:30:56.336 07/23/02 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "" because of "DEL_REASON_PEER_NOT_RESPONDING"

6 09:30:56.336 07/23/02 Sev=Info/5 CM/0x63100029

Initializing CVPNDrv

7 09:30:56.386 07/23/02 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).

8 09:30:57.388 07/23/02 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

-->Secondly, I have used the client included in Microsoft Windows 2000 Pro.

If I use L2TP only, it works.

If I enable the policy that I have created for IPsec, it doesn't work (no error message, it just says it cannot reach the host).

The configuration sample of the Cisco 3640:

sh run


hostname DGE_Router


username xxxxxxxx password 0 xxxxxxxx

vpdn enable


vpdn-group TT

! Default L2TP VPDN group


protocol l2tp

virtual-template 1

no l2tp tunnel authentication



crypto isakmp policy 1

hash md5

authentication pre-share

lifetime 500

crypto isakmp key ciscokey address



crypto ipsec transform-set myset esp-des ah-md5-hmac


crypto map mymap local-address serial1/0

crypto map mymap 10 ipsec-isakmp

set peer

! the address of the Microsoft Windows 2000 client

set transform-set myset

match address 110


interface Ethernet0/1

description LAN

ip address

ip accounting output-packets

ip nat inside

ip pim dense-mode


ipx encapsulation SAP

ipx network 10000010


interface Serial1/0

description Permanent Internet access

ip address

ip access-group IAIN in

ip access-group IAOUT out

ip nat outside

ip inspect INTERNET out

ip audit AUDITIE in

no cdp enable

crypto map mymap


interface Virtual-Template1

ip unnumbered Serial1/0

peer default ip address pool vpn

ppp authentication chap


interface Ethernet1/1

ip address

ip nat outside



ip local pool vpn

ip nat translation timeout 1200

ip nat inside source list IANAT interface Loopback0 overload

ip nat inside source static

ip nat inside source static

ip nat inside source static

ip nat inside source static

ip nat inside source static

ip nat inside source static

ip classless

ip route Serial1/0

ip route Serial0/0

ip route Serial0/0

ip route Virtual-Template1

ip route Serial0/0

ip route Ethernet0/0

no ip http server

ip pim bidir-enable



ip access-list extended IAIN

remark Control Access from Internet (input)

permit icmp any host

permit icmp any any echo-reply

permit icmp any any ttl-exceeded

permit icmp any any host-unreachable

permit icmp any any host-unknown

permit icmp any any time-exceeded

permit udp any any eq ntp log

permit tcp any host 195.65.xx.xx eq smtp






permit udp any host eq 1701

permit udp any eq isakmp host

deny ip any any log


ip access-list extended IANAT

remark Control NAT for Internet Access

deny ip any---





deny ip any any log

ip access-list extended IAOUT

remark Control Access to Internet (output)

deny ip any

permit icmp any---





permit udp host any eq 1701

permit udp host any eq isakmp

deny ip any any log

access-list 110 permit ip host host

Thanks in advance for your help.
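The Cisco VPN client debug quoted in this post has a recognisable shape: only "SENDING >>>" entries, three aggressive-mode retransmissions, and then the Phase 1 failure, with no "RECEIVING <<<" entry at all. The script below is an added example written for this page (not code from the thread or from Cisco) that parses that two-line log format and separates "the peer never answered IKE at all", which points at the path or the router's interface ACL, from "the peer answered but Phase 1 still failed". The sample log is constructed to mirror the posted entries, with the stripped peer address replaced by the documentation address 192.0.2.1; function names and verdict strings are the example's own.

```python
"""Added example (not from the thread): triage a Cisco VPN client log."""
import re

# Constructed log mirroring the posted entries; the stripped peer address is
# replaced with the documentation address 192.0.2.1.
SAMPLE_LOG = """\
1 09:30:41.315 07/23/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.1
2 09:30:46.322 07/23/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.1
3 09:30:51.329 07/23/02 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.1
4 09:30:56.336 07/23/02 Sev=Warning/2 IKE/0xE300007B
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
5 09:30:56.336 07/23/02 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

# Header line: "<seq> <time> <date> Sev=<name>/<level> <facility>/0x<code>"
HEADER = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)$"
)


def parse_log(text):
    """Return one dict per entry; each entry is a header line followed by its message line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines) - 1:
        m = HEADER.match(lines[i])
        if not m:
            i += 1
            continue
        entries.append({
            "seq": int(m.group(1)), "time": m.group(2), "date": m.group(3),
            "severity": m.group(4), "level": int(m.group(5)),
            "facility": m.group(6), "code": m.group(7), "msg": lines[i + 1],
        })
        i += 2
    return entries


def diagnose(entries):
    """Classify the IKE exchange seen in the log.

    'no-ike-reply'  : packets were sent but nothing was ever received
    'phase1-failed' : replies arrived but Phase 1 still did not complete
    'phase1-ok'     : nothing in the log says Phase 1 failed
    """
    ike = [e for e in entries if e["facility"] == "IKE"]
    sent = [e for e in ike if e["msg"].startswith("SENDING >>>")]
    received = [e for e in ike if e["msg"].startswith("RECEIVING <<<")]
    retransmits = sum("(Retransmission)" in e["msg"] for e in sent)
    peers = sorted({e["msg"].rsplit(" to ", 1)[1] for e in sent if " to " in e["msg"]})
    phase1_failed = any(
        e["facility"] == "CM" and "Unable to establish Phase 1 SA" in e["msg"]
        for e in entries
    )
    if sent and not received:
        verdict = "no-ike-reply"
    elif phase1_failed:
        verdict = "phase1-failed"
    else:
        verdict = "phase1-ok"
    return {"verdict": verdict, "retransmits": retransmits, "peers": peers}


if __name__ == "__main__":
    result = diagnose(parse_log(SAMPLE_LOG))
    print(result)
```

A "no-ike-reply" verdict means the UDP 500 packets are leaving the client and nothing comes back; in this thread the replies go on to look at exactly that path (the router's inbound and outbound interface ACLs). A "phase1-failed" verdict with replies present would instead point at a proposal or pre-shared-key mismatch, which this log does not show.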


New Member

Re: unable to make l2tp /IPsec connection


In your access-lists "IAIN" and "IAOUT", I have seen you opened UDP 1701 for L2TP, and also UDP 500 for ISAKMP.

But where is the permit for IPSEC? IPSEC uses the protocols ESP and AH, protocol numbers 50 and 51. Please allow them in both access-lists.

permit 50 host any

permit 51 host any

It should be working fine.

Best Regards,
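The gap this reply points out (UDP 500 and 1701 permitted, but IP protocols 50 and 51 not) can be checked mechanically against an IOS configuration. The script below is an added example written for this page, not code from the thread or from Cisco. It parses extended named ACLs and the crypto transform-sets from a constructed config that mirrors the posted one (the stripped router address is replaced by the documentation address 192.0.2.1), works out which protocols the transform-set actually needs (AH only because the posted set is `esp-des ah-md5-hmac`), and reports what each ACL fails to permit together with the permit lines that would close the gap. Function names and the sample config are the example's own.

```python
"""Added example (not from the thread): find IPsec protocols an IOS ACL blocks."""
import re

# Constructed config mirroring the posted one; 192.0.2.1 stands in for the
# router's stripped public address.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myset esp-des ah-md5-hmac
!
ip access-list extended IAIN
 remark Control Access from Internet (input)
 permit icmp any any echo-reply
 permit udp any host 192.0.2.1 eq 1701
 permit udp any eq isakmp host 192.0.2.1
 deny ip any any log
ip access-list extended IAOUT
 remark Control Access to Internet (output)
 permit udp host 192.0.2.1 any eq 1701
 permit udp host 192.0.2.1 any eq isakmp
 deny ip any any log
"""

# IOS accepts either the keyword or the numeric protocol / port.
PROTO_NAMES = {"esp": {"esp", "50"}, "ah": {"ah", "51"}, "udp": {"udp", "17"}}
PORT_NAMES = {"isakmp": {"isakmp", "500"}}


def parse_named_acls(config):
    """Return {acl_name: [(action, protocol, remaining_tokens), ...]}."""
    acls, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if current is None or not line or line.startswith(("remark", "!")):
            continue
        parts = line.split()
        if parts[0] in ("permit", "deny") and len(parts) >= 2:
            acls[current].append((parts[0], parts[1].lower(), parts[2:]))
        else:
            current = None  # any other top-level command ends the ACL block
    return acls


def required_protocols(config):
    """Protocols the outside ACLs must pass, derived from the transform-sets.
    ISAKMP is always needed; ESP/AH only if a matching transform is configured."""
    needed = {"ISAKMP (UDP 500)": ("udp", "isakmp")}
    for m in re.finditer(r"crypto ipsec transform-set \S+ (.+)", config):
        transforms = m.group(1).split()
        if any(t.startswith("esp-") for t in transforms):
            needed["ESP (IP protocol 50)"] = ("esp", None)
        if any(t.startswith("ah-") for t in transforms):
            needed["AH (IP protocol 51)"] = ("ah", None)
    return needed


def acl_permits(entries, proto, port=None):
    """Coarse check: does any permit entry cover proto (and port)?
    Addresses and entry order are deliberately ignored."""
    for action, p, rest in entries:
        if action != "permit":
            continue
        if p == "ip":
            return True
        if p not in PROTO_NAMES[proto]:
            continue
        if port is None or any(alias in rest for alias in PORT_NAMES[port]):
            return True
    return False


def missing_ipsec_permits(config, acl_names=("IAIN", "IAOUT")):
    """Map each ACL name to the required protocols it does not permit."""
    acls, needed = parse_named_acls(config), required_protocols(config)
    return {name: [label for label, (proto, port) in needed.items()
                   if not acl_permits(acls.get(name, []), proto, port)]
            for name in acl_names}


def suggested_permits(missing, router_ip, inbound):
    """Render permit lines that would close the reported gaps."""
    lines = []
    for label in missing:
        proto = "esp" if "ESP" in label else "ah" if "AH" in label else "udp"
        suffix = " eq isakmp" if proto == "udp" else ""
        ends = f"any host {router_ip}" if inbound else f"host {router_ip} any"
        lines.append(f" permit {proto} {ends}{suffix}")
    return lines


if __name__ == "__main__":
    for acl, missing in missing_ipsec_permits(SAMPLE_CONFIG).items():
        print(f"{acl}: missing {missing or 'nothing'}")
        print("\n".join(suggested_permits(missing, "192.0.2.1", acl == "IAIN")))
```

The check is intentionally coarse: it does not evaluate addresses or first-match ordering, so a permit shadowed by an earlier deny would still count. It is enough to catch the case in this thread, where the protocol numbers are simply absent from both lists; with an ESP-only transform-set the report would ask only for protocol 50.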

New Member

Re: unable to make l2tp /IPsec connection

Hi there,

It is necessary to allow IPSec traffic in the ACL. But without doing this you shall still be able to bring up a tunnel since ISAKMP is allowed. Also, the log of the Cisco client is not reporting any messages of IKE negotiation going on.

The IPSec config in the router looks more like one for LAN-to-LAN than for a client. A client config shall look like:

crypto isakmp client configuration group 3000client

key cisco123




pool ippool

Go read this article for more information:

Hope it helps.

Good luck.


New Member

Re: unable to make l2tp /IPsec connection

Hi, I did this but it doesn't solve my problem.

I have tried to configure my Cisco 3640 router to connect to a Windows 2000 client (not LAN to LAN),

but I cannot enter the following command:

crypto isakmp client configuration group

I have the following version:

IOS (tm) 3600 Software (C3640-JK8O3S-M), Version 12.2(10a), RELEASE SOFTWARE (fc1)

I know that this feature set doesn't include this command and that I would need version 12.2(4)T.

But here is another problem, because this version needs too much flash and RAM memory.

As I need IPX/FW/IPSec, I took the ENTERPRISE IPX/FW/IPSec feature set.

This feature set needs 32 of flash (I have only 16) and 96 of RAM (I have only 64).

So I can't use the Easy VPN function included in feature set 12.2(4)T.

So now my question is:

Is there another possibility to make a client-to-router connection without such a command?

Here is my topology: | WIN2Kclient |-------------------| cisco3640 |---------

Tunnel L2TP/IPsec between and

Dialup connection between Win2K (public IP ) and cisco3640 (public IP

Thanks in advance.

New Member

Re: unable to make l2tp /IPsec connection

I guess I misunderstood your situation somehow. If your intention is to run L2TP over IPSec, then you do not need the command:

crypto isakmp client configuration group

(Note that this command is also required for all Cisco Unity Client connections, not just EZ VPN).

What you need is a feature called L2TP Security, an integration of L2TP and IPSec, which was first introduced in 12.2(4)T. The following article introduces the feature and how to use it.

But you still need 12.2(4)T, so either upgrade your flash/memory, or trim down your image, e.g. remove ENTERPRISE.

Hope it helps.

