Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

nfe
New Member

unable to make l2tp /IPsec connection

hello,

I have done a VPN using L2TP, the remote access from a windows 2000

client to a cisco router IOS3640 is working well.

Now i want to do L2TP/IPSec but i'm in trouble with it.

You can find in this message a topology of my network, a config of

windows2000 and a config sample of cisco3640

when i use debug with cisco 3640, i have no error (no messages about

IPSec ISAKMP....)

Can someone help me?

I have as server cisco 3640 router with (C3640-JK8O3S-M), Version

12.2(10a)RELEASE SOFTWARE (fc1)

And a client microsoft windows 2000.

Here the TOPOLOGY:

Win2000---------------internet------------------router3640----------LAN

<---------------Tunnel L2TP/IPSec-------------->

Here what i did in windows 2000 client:

1)add the correct value in the registery

2)i have created IPSec Policy for use with L2TP/IPSec using a preshare

key

3)Assign it (OK it is running)

-->First, by using the Cisco VPN client

Version:3.5(Rel)

Client Type:Windows,WinNT

when i try to connect, i have an error message "remote pair is no longer responding" and the following debug

1 09:30:41.315 07/23/02 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 164.128.74.150

2 09:30:46.322 07/23/02 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 164.128.74.150

3 09:30:51.329 07/23/02 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 164.128.74.150

4 09:30:56.336 07/23/02 Sev=Warning/2 IKE/0xE300007B

Exceeded 3 IKE SA negotiation retransmits... peer is not responding

5 09:30:56.336 07/23/02 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "164.128.74.150" because of "DEL_REASON_PEER_NOT_RESPONDING"

6 09:30:56.336 07/23/02 Sev=Info/5 CM/0x63100029

Initializing CVPNDrv

7 09:30:56.386 07/23/02 Sev=Warning/3 DIALER/0xE3300015

GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).

8 09:30:57.388 07/23/02 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

-->secondly, i have used the client included in microsoft windows 2000pro.

If i use L2TP only, it work

If if i enable the policy that i have created for IPsec, it doesn't work (but no message error, just saying cannot reach the host)

The configuration sample of cisco 3640:

sh run

!

hostname DGE_Router

!

username xxxxxxxx password 0 xxxxxxxx

vpdn enable

!

vpdn-group TT

! Default L2TP VPDN group

accept-dialin

protocol l2tp

virtual-template 1

no l2tp tunnel authentication

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

lifetime 500

crypto isakmp key ciscokey address 164.128.78.10

!

!

crypto ipsec transform-set myset esp-des ah-md5-hmac

!

crypto map mymap local-address serial1/0

crypto map mymap 10 ipsec-isakmp

set peer 164.128.78.10

!where 164.128.78.10is the address of the microsoft 2000 client

set transform-set myset

match address 110

!

interface Ethernet0/1

description LAN

ip address 10.10.4.1 255.255.0.0

ip accounting output-packets

ip nat inside

ip pim dense-mode

full-duplex

ipx encapsulation SAP

ipx network 10000010

!

interface Serial1/0

description Permanent Internet access

ip address 164.128.70.150 255.255.255.252

ip access-group IAIN in

ip access-group IAOUT out

ip nat outside

ip inspect INTERNET out

ip audit AUDITIE in

no cdp enable

crypto map mymap

!

interface Virtual-Template1

ip unnumbered Serial1/0

peer default ip address pool vpn

ppp authentication chap

!

interface Ethernet1/1

ip address 195.65.xxx.xxx 255.255.255.240

ip nat outside

half-duplex

!

ip local pool vpn 192.168.2.1 192.168.2.10

ip nat translation timeout 1200

ip nat inside source list IANAT interface Loopback0 overload

ip nat inside source static 10.10.10.171 195.65.xx.xxx

ip nat inside source static 10.10.10.128 195.65.xxx.xxx

ip nat inside source static 172.20.2.1 195.65.xxx.xxx

ip nat inside source static 10.10.2.2 195.65.xxx.xxx

ip nat inside source static 10.10.2.3 195.65.xxx.xxx

ip nat inside source static 164.128.74.150 164.128.70.150

ip classless

ip route 0.0.0.0 0.0.0.0 Serial1/0

ip route 10.20.0.0 255.255.0.0 Serial0/0

ip route 10.30.0.0 255.255.0.0 Serial0/0

ip route 164.128.0.0 255.255.255.252 Virtual-Template1

ip route 172.16.6.0 255.255.255.0 Serial0/0

ip route 192.168.1.0 255.255.255.0 Ethernet0/0

no ip http server

ip pim bidir-enable

!

!

ip access-list extended IAIN

remark Control Access from Internet (input)

permit icmp any host 164.128.70.150

permit icmp any any echo-reply

permit icmp any any ttl-exceeded

permit icmp any any host-unreachable

permit icmp any any host-unknown

permit icmp any any time-exceeded

permit udp any any eq ntp log

permit tcp any host 195.65.xx.xx eq smtp

---

---

etc

---

---

permit udp any host 164.128.70.150 eq 1701

permit udp any eq isakmp host 164.128.70.150

deny ip any any log

!

ip access-list extended IANAT

remark Control NAT for Internet Access

deny ip 195.65.xxx.xxx 0.0.0.31 any---

---

etc

---

---

deny ip any any log

ip access-list extended IAOUT

remark Control Access to Internet (output)

deny ip 10.0.0.0 0.255.255.255 any

permit icmp 195.65.xxx.xxx 0.0.0.31 any---

---

etc

---

---

permit udp host 164.128.70.150 any eq 1701

permit udp host 164.128.70.150 any eq isakmp

deny ip any any log

access-list 110 permit ip host 164.128.70.150 host 164.128.78.10

thanks by advance for your help.

Nicolas

4 REPLIES
New Member

Re: unable to make l2tp /IPsec connection

Hi,

In your access-list "IAIN" and "IAOUT" , I have seen you opened UDP 1701 for L2TP, and also UDP 500 for ISAKMP.

But where is the permit for IPSEC ? IPSEC using protocol ESP and AH, protocol number is 50 and 51. Please allow them in the both access-lists.

permit 50 host 164.128.70.150 any

permit 51 host 164.128.70.150 any

It should be working fine.

Best Regards,

New Member

Re: unable to make l2tp /IPsec connection

Hi there,

it is necessary to allow IPSec traffic in ACL. But without doing this you shall still be able to bring up a tunnel since ISAKMP is allowed. Also the log of Cisco client is not reporting any messages of IKE negotiation going on.

The IPSec config in router looks more like for Lan-to-lan than for client. A client config shall look like

crypto isakmp client configuration group 3000client

key cisco123

dns 10.10.10.10

wins 10.10.10.20

domain cisco.com

pool ippool

Go read this article for more information:

http://www.cisco.com/warp/public/471/ipsecrouter_vpn.html

Hope it helps.

Good luck.

Fan

nfe
New Member

Re: unable to make l2tp /IPsec connection

Hi i did this but my problem doesn't solve my problem.

i have tried to configure my cisco 3640 router to connect to a client windows 2000 (not LAN to LAN)

but i cannot write the following command:

crypto isakmp client configuration group

I have the following version:

IOS (tm) 3600 Software (C3640-JK8O3S-M), Version 12.2(10a), RELEASE SOFTWARE (fc1)

I know that this feature doesn't include this command and that i would need

a version 12.2.4T

But here is another problem cause this version need too much flash and ram memory.

As i need IPX/FW/IPSec, i took the ENTERPRISE IPX/FW/IPSec

This feature needs 32 of flash (i have only 16) and 96 of RAM (i have only 64)

So i can't use the function of easy vpn include in feature 12.2(4)T

So now my question is:

Is there an other possibility to make a client to router connection without a such command?

here is my topology:

172.10.16.1-------| WIN2Kclient¦-------------------¦cisco3640 |---------172.10.16.10

Tunnel L2TP/IPsec between 172.10.16.1 and 172.10.16.10

Dialup connection between win2K(public IP 162.128.79.110 ) and cisco3640 (public IP 162.128.74.150)

thanks by advance

New Member

Re: unable to make l2tp /IPsec connection

I guess I misunderstood your situation somehow. If your intention is to run L2TP over IPSec, then you do not need the command:

crypto isakmp client configuration group

(Note that this command is also required for all Cisco Unity Client connections, not just EZ VPN).

What you need is a feature called L2TP Security, an integrition of L2TP and IPSec, which is fist introduced in 12.2(4)T. Following article introduces the feature and how to use it.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftl2tsec.htm

But you still need 12.2(4)T, so either upgrade your flash/memory, or trim down your image like remove ENTERPRISE.

Hope it helps.

Fan

128
Views
0
Helpful
4
Replies
CreatePlease login to create content