Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

L2TP/IPSec on Cisco IOS 15

   I am trying to configure an L2TP/IPSec remote access VPN on a Cisco 2901. I'm using what is pretty much a copy/paste of a config that is working just fine on an older router (a 2811). However, it seems I'm missing something - I can see the IPSec negotiating properly, but the L2TP tunnel simply does not trigger after that (there is no L2TP-related output).

   See below for the final lines of the debug (I didn't post the entire debug to save space, but I can do that if you believe it is necessary).Notice that the phase 2 SAs come up, and then... there's only silence

     The other end of the connection is a laptop with Win7 x64, on which I get error 809 ("The connection could not be established because the remote server is not responding").

     The router (2901) is running IOS 15.4(1)T. As far as I know, there is no packet filtering between the client and the server. And with very little documentation on Cisco's website regarding L2TP on IOS, I'm at a loss.

     Can anyone point me in the right direction?

     Thank you!

lab#sh deb

L2TP:

  L2TP packet events debugging is on

  L2TP packet errors debugging is on

  L2TP errors debugging is on

  L2TP events debugging is on

  L2TP L2TUN socket API debugging is on

  L2TP application debugs debugging is on

VPN:

  L2TP/PPTP control packet debugging is on

  VPDN call event debugging is on

  VPDN events debugging is on

Cryptographic Subsystem:

  Crypto ISAKMP debugging is on

  Crypto IPSEC debugging is on

Dec 16 16:31:59.628 EET: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 10.1.120.100:0, remote= 192.168.13.232:0,

    local_proxy= 10.1.120.100/255.255.255.255/17/1701,

    remote_proxy= 192.168.13.232/255.255.255.255/17/1701,

    protocol= ESP, transform= NONE  (Transport),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0

Dec 16 16:32:00.264 EET: (ipsec_process_proposal)Map Accepted: CM_DYN_L2TP_IPSEC, 10

Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing NONCE payload. message ID = 1

Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing ID payload. message ID = 1

Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing ID payload. message ID = 1

Dec 16 16:32:00.264 EET: ISAKMP:(1019):QM Responder gets spi

Dec 16 16:32:00.264 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Dec 16 16:32:00.264 EET: ISAKMP:(1019):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

Dec 16 16:32:00.264 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

Dec 16 16:32:00.264 EET: ISAKMP:(1019):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT

Dec 16 16:32:00.268 EET: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Dec 16 16:32:00.268 EET: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CM_DYN_L2TP_IPSEC, 10

Dec 16 16:32:00.268 EET: IPSEC(create_sa): sa created,

  (sa) sa_dest= 10.1.120.100, sa_proto= 50,

    sa_spi= 0xE4F4E622(3841254946),

    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2063

    sa_lifetime(k/sec)= (250000/3600),

  (identity) local= 10.1.120.100:0, remote= 192.168.13.232:0,

    local_proxy= 10.1.120.100/255.255.255.255/17/1701,

    remote_proxy= 192.168.13.232/255.255.255.255/17/1701

Dec 16 16:32:00.268 EET: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.168.13.232, sa_proto= 50,

    sa_spi= 0xA3E0AD04(2749410564),

    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2064

    sa_lifetime(k/sec)= (250000/3600),

  (identity) local= 10.1.120.100:0, remote= 192.168.13.232:0,

    local_proxy= 10.1.120.100/255.255.255.255/17/1701,

    remote_proxy= 192.168.13.232/255.255.255.255/17/1701

Dec 16 16:32:00.268 EET:  ISAKMP: Failed to find peer index node to update peer_info_list

Dec 16 16:32:00.268 EET: ISAKMP:(1019):Received IPSec Install callback... proceeding with the negotiation

Dec 16 16:32:00.276 EET: ISAKMP:(1019): sending packet to 192.168.13.232 my_port 500 peer_port 500 (R) QM_IDLE     

Dec 16 16:32:00.276 EET: ISAKMP:(1019):Sending an IKE IPv4 Packet.

Dec 16 16:32:00.280 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE

Dec 16 16:32:00.280 EET: ISAKMP:(1019):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2

Dec 16 16:32:00.284 EET: ISAKMP (1019): received packet from 192.168.13.232 dport 500 sport 500 Global (R) QM_IDLE     

Dec 16 16:32:00.284 EET: ISAKMP:(1019):deleting node 1 error FALSE reason "QM done (await)"

Dec 16 16:32:00.284 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

Dec 16 16:32:00.284 EET: ISAKMP:(1019):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

virt-gw.lab#

Dec 16 16:32:00.284 EET: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Dec 16 16:32:00.284 EET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

Dec 16 16:32:00.284 EET: IPSEC: Expand action denied, notify RP

4 REPLIES
Community Member

L2TP/IPSec on Cisco IOS 15

I've just hit this too. I had config that was working fine on IOS15 (on a 1941) about a year ago, I come to try it again now and...

nada. Nothing. IPSEC comes up just fine but as for anything above it, no debug output whatsoever and I also see the same 809 error from Windows.

Will let you know if I figure it out...

Community Member

L2TP/IPSec on Cisco IOS 15

Okay almost as quickly as I've asked it, i've answered it (in my case):

I had this:

crypto dynamic-map l2tp-map 10

set nat demux

set transform-set ts-main

So I changed it to:

crypto dynamic-map l2tp-map 10

set transform-set ts-main

As there was no NAT involved in my setup any more, having the "set nat demux" statement in there broke it.

L2TP/IPSec on Cisco IOS 15

Thanks Matthew that solved my issue.

Community Member

L2TP/IPSec on Cisco IOS 15

Thanks for sharing this with us, it helped me!

1716
Views
0
Helpful
4
Replies
CreatePlease to create content