10-08-2008 04:00 AM
Hi. I want to connect from an XP client to the PIX via an L2TP/IPsec connection but I can't. This is my network.
PIX:
outside = 15.15.15.1 /24
inside = 10.10.10.1/24
XP client = 15.15.15.2 (connected to ASA outside interface)
PIX config:
!!!!!!!!
PIX Version 7.2(3)
!
hostname pixfirewall
enable password xxx
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 15.x.x.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
access-list tr1 extended permit ip 10.10.10.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list tr2 extended permit ip 10.10.10.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list l2tp extended permit udp any any eq 1701
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpn 17.17.17.2-17.17.17.10
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list tr1
access-group l2tp in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
crypto dynamic-map dy 1 set transform-set ipsec
crypto map cry 1 ipsec-isakmp dynamic dy
crypto map cry interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy sevan internal
group-policy sevan attributes
vpn-tunnel-protocol l2tp-ipsec
username sevan password xxx
username sevan attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group sevan type ipsec-ra
tunnel-group sevan general-attributes
address-pool vpn
default-group-policy sevan
tunnel-group sevan ipsec-attributes
pre-shared-key *
tunnel-group sevan ppp-attributes
no authentication chap
authentication ms-chap-v2
prompt hostname context
Cryptochecksum:xxx
: end
In the XP client I have configured the VPN connection correctly, according to examples that I found in Cisco documents.
When I try to connect from the XP client nothing happens. I turned debugging on and I get these errors:
Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Can't find a valid tunnel group, aborting...!
Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Removing peer from peer table failed, no match!
Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Error: Unable to remove PeerTblEntry
Oct 07 12:04:52 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)
Oct 07 12:04:54 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)
Oct 07 12:04:58 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)
Oct 07 12:05:06 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)
Please help me to find the problem! Thanks.
10-08-2008 07:43 AM
Hi,
Having just had a brief look over this, I can see one thing I believe is wrong and would explain why you are getting those errors.
Your tunnel group entry is set as "tunnel-group sevan" but it will be trying to match the tunnel group by IP address. Configure it so that it says "tunnel-group 15.15.15.2 ....." and then config as before.
See if that works.
10-09-2008 12:36 AM
I don't think you can use non-default names/IPs for tunnel-groups on the ASA/PIX for L2TP. Have a look at this example:
Quote: "Use only the default tunnel group and default group policy on the Cisco PIX/ASA. User-defined policies and groups do not work."
Regards
Farrukh
10-12-2008 05:18 AM
Thanks HAPPS!
I did what you said! I mean, now I'm using the default group-policy and the default tunnel group, and this is my new configuration, except that the remote host is now trying to connect to the ASA from the inside interface, not the outside, with IP address 10.10.10.2!
hostname ASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
ip address 15.15.15.1 255.255.255.0
!
interface Ethernet1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 17.17.17.2-17.17.17.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:0
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:
timeout uauth 0:05:00 absolute
http server enable
http 10.10.10.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username sevan password aJ14Sk3KwgO9M8m92qRtjw== nt-encrypted privilege 15
username sevan attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
prompt hostname context
Cryptochecksum:9e6c4bc1952087f9f7a18075a6461617
: end
Now again I can't connect over L2TP from my client, but now I get another debug message when I try to connect:
ASA(config)# Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Removing peer from peer table failed, no match!
Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Error: Unable to remove PeerTblEntry
Oct 12 16:42:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Oct 12 16:42:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Removing peer from peer table failed, no match!
Oct 12 16:42:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Error: Unable to remove PeerTblEntry
10-12-2008 09:37 AM
I had a similar issue once, I think I had the same debug output as you. I solved it by resetting the vpn tunnel protocol in DefaultRAGroup to default value. I don't know why this worked, but it did...
Try typing this:
group-policy DefaultRAGroup attributes
no vpn-tunnel-protocol l2tp-ipsec
10-12-2008 12:41 PM
I would advise something similar. But instead of doing "no vpn-tunnel-protocol l2tp-ipsec", you can also put the command
"vpn-tunnel-protocol l2tp-ipsec" in both the concerned group-policy and the DefaultRAGroup tunnel-group. Just make sure you don't break any of your other VPNs. See this for more details:
http://www.securityie.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=001767
Regards
Farrukh
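As an added example (not posted by anyone in this thread), a small audit script that walks a pasted ASA/PIX 7.x config and flags the two L2TP/IPsec pitfalls the thread turns on: a user-defined tunnel-group carrying l2tp-ipsec where the Cisco guidance quoted above says only DefaultRAGroup works, and a transform set without `mode transport`, which Windows L2TP/IPsec clients require (present in the second config, absent in the first). The two config excerpts are constructed, trimmed copies of the configs posted above.

```python
import re

# Constructed excerpts modelled on the two configs posted in the thread (trimmed to the relevant lines).
FIRST_CONFIG = """\
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
group-policy sevan attributes
vpn-tunnel-protocol l2tp-ipsec
username sevan attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group sevan general-attributes
default-group-policy sevan
"""
SECOND_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
"""
SUBCOMMANDS = {"vpn-tunnel-protocol", "default-group-policy", "address-pool", "pre-shared-key"}


def audit_l2tp(config: str) -> list:
    """Flag the two L2TP/IPsec pitfalls discussed in the thread in a pasted ASA/PIX 7.x config."""
    transform_sets, transport_sets, l2tp_policies, tg_policy = set(), set(), set(), {}
    policy_ctx = tg_ctx = None  # current 'attributes' block; pasted configs carry no indentation
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] in SUBCOMMANDS:  # sub-command: attach it to the block opened above it
            if words[0] == "vpn-tunnel-protocol" and policy_ctx and "l2tp-ipsec" in words:
                l2tp_policies.add(policy_ctx)
            elif words[0] == "default-group-policy" and tg_ctx:
                tg_policy[tg_ctx] = words[1]
            continue
        policy_ctx = tg_ctx = None  # any other line starts a new top-level block
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            (transport_sets if m.group(2) == "mode transport" else transform_sets).add(m.group(1))
        elif m := re.match(r"group-policy (\S+) attributes", line):
            policy_ctx = m.group(1)
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            tg_ctx = m.group(1)
    findings = [f"transform-set {ts}: no 'mode transport'; Windows L2TP/IPsec clients need transport mode"
                for ts in sorted(transform_sets - transport_sets)]
    findings += [f"tunnel-group {tg}: user-defined group carries l2tp-ipsec; use DefaultRAGroup"
                 for tg, pol in sorted(tg_policy.items()) if pol in l2tp_policies and tg != "DefaultRAGroup"]
    return findings
```

Running `audit_l2tp` over the first excerpt reports both problems; the second excerpt, which mirrors the later config, comes back clean.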