1014 Views, 0 Helpful, 0 Replies

ASA 5512X + MikroTik RB433UAH connect via L2TP+IPsec

Andry WTF
Level 1

Hello all!

I can't connect a MikroTik RB433UAH (running the latest RouterOS 6.3) as an L2TP VPN client to my ASA 5512X (running 8.6(1)2).

The MikroTik is connected to the public network via a GSM modem.

macOS, Windows PCs, iOS and Android smartphones connect without any problems as L2TP VPN clients.

MikroTik configuration (VPN-related part):

[admin@Linux] >
ip ipsec peer print
Flags: X - disabled
0 * address=XX.XX.XX.XX/32 passive=no port=500 auth-method=pre-shared-key secret="XXXXXX"
     generate-policy=port-override exchange-mode=main send-initial-contact=yes
     nat-traversal=yes hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
     dpd-interval=2m dpd-maximum-failures=5

ip ipsec proposal print
Flags: X - disabled, * - default
0  * name="default" auth-algorithms=md5,sha1,null
      enc-algorithms=null,des,3des,aes-128,aes-192,aes-256 lifetime=30m pfs-group=modp1024

interface l2tp-client print
Flags: X - disabled, R - running
0 *  name="l2tp-out1" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=XX.XX.XX.XX
      user="XXXXXX" password="XXXXXXXX" profile=default-encryption keepalive-timeout=60
      add-default-route=yes default-route-distance=1 dial-on-demand=no
      allow=pap,chap,mschap1,mschap2

ASA configuration (VPN-related part):

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSPORT esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSPORT mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANSPORT esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANSPORT mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-3DES-SHA-TRANSPORT ESP-3DES-MD5-TRANSPORT
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map INTERNET_map 100 match address Crypto_ACL_to_Office
crypto map INTERNET_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INTERNET_map interface INTERNET
crypto isakmp nat-traversal 60
crypto ikev1 enable INTERNET
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh 192.168.77.0 255.255.255.0 INSIDE
ssh 192.168.200.8 255.255.255.252 INSIDE
ssh 192.168.70.115 255.255.255.255 INSIDE
ssh timeout 60
console timeout 0
dhcprelay server 192.168.70.13 INSIDE
dhcprelay enable WAN
dhcprelay enable REST
dhcprelay timeout 60
priority-queue SIPTRUNKS
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *****
ntp trusted-key 1
ntp server 192.168.200.1 key 1
tftp-server INSIDE 192.168.70.115 CC-ASA5512.cfg
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value 192.168.70.1
dhcp-network-scope 192.168.111.1
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value domain.local
intercept-dhcp enable
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
password-storage enable
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
dns-server value 192.168.70.1
dhcp-network-scope 192.168.111.1
vpn-simultaneous-logins 50
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value domain.local
intercept-dhcp 255.255.255.255 enable
group-policy L2LVPN internal
group-policy L2LVPN attributes
vpn-simultaneous-logins 1
vpn-tunnel-protocol ikev1
group-policy L2TP internal
group-policy L2TP attributes
dns-server value 192.168.70.1
vpn-simultaneous-logins 50
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value domain.local
intercept-dhcp 255.255.255.255 enable
username 1312312 password 213123 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool CC_VPN_POOL
authentication-server-group LDAP_domain
default-group-policy L2TP
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group USER_VPN_ACCESS type remote-access
tunnel-group USER_VPN_ACCESS general-attributes
address-pool CC_VPN_POOL
authentication-server-group LDAP_Domain
default-group-policy NoAccess
dhcp-server 192.168.70.13
dhcp-server link-selection 192.168.200.9
tunnel-group USER_VPN_ACCESS ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group USER_VPN_ACCESS ppp-attributes
authentication ms-chap-v2
tunnel-group VV.VV.VV.VV type ipsec-l2l
tunnel-group VV.VV.VV.VV general-attributes
default-group-policy L2LVPN
tunnel-group VV.VV.VV.VV ipsec-attributes
ikev1 pre-shared-key *****
!
class-map VoIP
description High Priority for VoIP
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map VoIP_QoS
class VoIP
  priority
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map sip_policy
class inspection_default
  inspect sip
!
service-policy global_policy global
service-policy VoIP_QoS interface SIP101
service-policy VoIP_QoS interface SIP102
service-policy VoIP_QoS interface SIP2460
prompt hostname context
no call-home reporting anonymous

ASA logs (with l2tp, ike, ha debugs enabled): http://pastebin.com/qrRQCfiG

MikroTik logs: http://pastebin.com/ZEstEwWK

(The ASA's public IP was replaced with XX.XX.XX.XX and the MikroTik's public IP with YY.YY.YY.YY.)

Also, in the MikroTik's logs I see a weird message:

03:51:25 l2tp,debug,packet rcvd control message from XX.XX.XX.XX:1701
03:51:25 l2tp,debug,packet     tunnel-id=81, session-id=0, ns=0, nr=1
03:51:25 l2tp,debug,packet     (M) Message-Type=StopCCN
03:51:25 l2tp,debug,packet     (M) Result-Code=2
03:51:25 l2tp,debug,packet         Error-Code=0
03:51:25 l2tp,debug,packet         Error-Message="No cc config for Linux"
03:51:25 l2tp,debug,packet     (M) Assigned-Tunnel-ID=23497

What does it mean?

Thank you in advance!

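The StopCCN message in the MikroTik log above, as an added example that is not part of the original post or of either vendor's code: the script below builds an L2TPv2 (RFC 2661) StopCCN control message from the logged field values (tunnel-id 81, ns 0, nr 1, Result-Code 2, Error-Code 0, the quoted Error-Message and Assigned-Tunnel-ID 23497; the bytes are constructed here, not captured from the wire), decodes it the way a receiver would, and maps the Result and Error codes to the meanings the RFC assigns them. All function and constant names are my own.

```python
import struct

# Message-Type AVP values from RFC 2661 section 6 (subset used for tunnel setup and teardown).
MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

# Result Code values a StopCCN may carry (RFC 2661 section 4.4.2).
STOPCCN_RESULT_CODES = {
    1: "General request to clear control connection",
    2: "General error - Error Code indicates the problem",
    3: "Control channel already exists",
    4: "Requester is not authorized to establish a control channel",
    5: "The protocol version of the requester is not supported",
    6: "Requester is being shut down", 7: "Finite State Machine error"}

# General Error Codes carried in the Result Code AVP (RFC 2661 section 4.4.2).
ERROR_CODES = {
    0: "No general error", 1: "No control connection exists yet for this LAC-LNS pair",
    2: "Length is wrong", 3: "One of the field values was out of range or reserved field was non-zero",
    4: "Insufficient resources to handle this operation now", 5: "The Session ID is invalid in this context",
    6: "A generic vendor-specific error occurred in the LAC", 7: "Try another"}

AVP_MESSAGE_TYPE, AVP_RESULT_CODE, AVP_ASSIGNED_TUNNEL_ID = 0, 1, 9
CONTROL_HEADER = struct.Struct("!HHHHHH")   # flags/version, Length, Tunnel ID, Session ID, Ns, Nr
AVP_HEADER = struct.Struct("!HHH")          # M/H bits + 10-bit length, Vendor ID, Attribute Type


def avp(attr_type, value, mandatory=True):
    """Encode one IETF (vendor 0) AVP; the length covers the 6-byte AVP header plus the value."""
    length = AVP_HEADER.size + len(value)
    flags = (0x8000 if mandatory else 0) | (length & 0x03FF)
    return AVP_HEADER.pack(flags, 0, attr_type) + value


def build_stopccn(tunnel_id, ns, nr, result, error, message, assigned_tid):
    """Build a StopCCN control message; T=1, L=1, S=1 and version 2 give the flags word 0xC802."""
    body = (avp(AVP_MESSAGE_TYPE, struct.pack("!H", 4))
            + avp(AVP_RESULT_CODE, struct.pack("!HH", result, error) + message.encode("ascii"))
            + avp(AVP_ASSIGNED_TUNNEL_ID, struct.pack("!H", assigned_tid)))
    return CONTROL_HEADER.pack(0xC802, CONTROL_HEADER.size + len(body), tunnel_id, 0, ns, nr) + body


def decode_control_message(data):
    """Parse an L2TPv2 control message into a dict; rejects data messages, bad lengths and hidden AVPs."""
    flags, length, tunnel_id, session_id, ns, nr = CONTROL_HEADER.unpack(data[:CONTROL_HEADER.size])
    if not flags & 0x8000:
        raise ValueError("T bit clear: this is a data message, not a control message")
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    if length != len(data):
        raise ValueError("Length field does not match the message size")
    msg = {"tunnel_id": tunnel_id, "session_id": session_id, "ns": ns, "nr": nr, "avps": []}
    off = CONTROL_HEADER.size
    while off < length:
        avp_flags, vendor, attr = AVP_HEADER.unpack(data[off:off + AVP_HEADER.size])
        avp_len = avp_flags & 0x03FF
        if avp_len < AVP_HEADER.size or off + avp_len > length:
            raise ValueError("AVP length out of range")
        if avp_flags & 0x4000:
            raise ValueError("hidden (H bit) AVP needs the tunnel secret; not handled here")
        value = data[off + AVP_HEADER.size:off + avp_len]
        msg["avps"].append((vendor, attr, bool(avp_flags & 0x8000)))
        if vendor == 0 and attr == AVP_MESSAGE_TYPE:
            code = struct.unpack("!H", value)[0]
            msg["message_type"] = MESSAGE_TYPES.get(code, f"unknown({code})")
        elif vendor == 0 and attr == AVP_RESULT_CODE:
            msg["result_code"] = struct.unpack("!H", value[:2])[0]
            if len(value) >= 4:   # Error Code and Error Message are optional in this AVP
                msg["error_code"] = struct.unpack("!H", value[2:4])[0]
                msg["error_message"] = value[4:].decode("ascii", "replace")
        elif vendor == 0 and attr == AVP_ASSIGNED_TUNNEL_ID:
            msg["assigned_tunnel_id"] = struct.unpack("!H", value)[0]
        off += avp_len
    return msg


def explain(msg):
    """Summarise a decoded StopCCN: which side is hanging up and the reason codes it gave."""
    lines = [f"{msg.get('message_type')} received on tunnel {msg['tunnel_id']}; "
             f"peer's tunnel id is {msg.get('assigned_tunnel_id')}"]
    if msg.get("message_type") == "StopCCN":
        rc = msg["result_code"]
        lines.append(f"Result-Code {rc}: {STOPCCN_RESULT_CODES.get(rc, 'unknown')}")
        if "error_code" in msg:
            lines.append(f"Error-Code {msg['error_code']}: {ERROR_CODES.get(msg['error_code'], 'unknown')}")
        if msg.get("error_message"):
            lines.append(f"Vendor-supplied text: {msg['error_message']!r}")
    return lines


# Constructed from the field values in the MikroTik log above; these are not captured bytes.
SAMPLE = build_stopccn(tunnel_id=81, ns=0, nr=1, result=2, error=0,
                       message="No cc config for Linux", assigned_tid=23497)

if __name__ == "__main__":
    for line in explain(decode_control_message(SAMPLE)):
        print(line)
```

Run against the constructed sample, the decoder reports Result-Code 2, "General error - Error Code indicates the problem", and Error-Code 0, "No general error": the RFC-defined part of the message only says that the far end is tearing down the control connection for a general error, and the free-text Error-Message is vendor-supplied. The string "Linux" in that text is the router's own identity, as the "[admin@Linux]" prompt in the configuration output shows; what the ASA means by "cc config" is not something the RFC defines.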