L2TP Over IPSec on ASA

Jack Dixon
Level 1

Am unable to establish tunnel to ASA from Microsoft client using L2TP-Over-IPSec. ASA log shows port 1701 being discarded on Outside interface - even though ACL is there to permit.

3 Replies

Yudong Wu
Level 7

It looks like your client is using L2TP directly instead of using L2TP-over-IPsec. On the ASA, you can check the IPsec status with "show crypto isa sa" and "show crypto ipsec sa". If there is no output at all, it indicates that your client did not initiate IPsec at all. You need to check your client's configuration.

Yes, I am not getting any output from either of those two show commands, which made me realize that the client was not getting anywhere! However, when I look at the Real-Time ASA log, it shows that the ASA Outside interface is discarding the packets coming from the client on UDP port 1701. That would suggest that the client is initiating the IPSec tunnel, but it isn't being processed by the ASA. The XP client screen indicates that I have "L2TP IPSec VPN" selected. Is there another way to verify that the client is really sending L2TP-Over-IPSec?

Thanks,

jack

You can enable "debug crypto isakmp" to see if there is any output when the client initiates the L2TP-over-IPsec connection.

Since it's L2TP-over-IPsec, IPsec must be up first.

Here is the sample config and debug output for your reference.

http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807213a7.shtml
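The diagnosis in this thread boils down to one question: is the client's UDP/1701 traffic arriving at the outside interface without a preceding IKE exchange? The following script is an added example, not from the thread or from Cisco; it runs the same triage over ASA syslog lines. The sample lines are constructed (addresses from documentation ranges) in the style of ASA's 710005 "request discarded", 713236 "IKE_DECODE RECEIVED" and 106023 ACL-deny messages; the verdict strings are my own naming.

```python
import re
from collections import defaultdict

# Constructed sample ASA syslog lines (not from the thread), modelled on ASA message formats.
# .10: plain L2TP only, never starts IKE   -> the symptom described in the thread
# .20: starts IKE but L2TP still arrives in the clear -> IPsec SA never came up
# .30: IKE itself (UDP/500) denied by the outside ACL -> ACL problem, not a client problem
SAMPLE_LOG = """\
%ASA-7-710005: UDP request discarded from 203.0.113.10/1701 to outside:198.51.100.1/1701
%ASA-7-710005: UDP request discarded from 203.0.113.10/1701 to outside:198.51.100.1/1701
%ASA-7-713236: IP = 203.0.113.20, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 848
%ASA-7-710005: UDP request discarded from 203.0.113.20/1701 to outside:198.51.100.1/1701
%ASA-4-106023: Deny udp src outside:203.0.113.30/500 dst outside:198.51.100.1/500 by access-group "outside_access_in" [0x0, 0x0]
"""

# To-the-box UDP that no service is listening for (plain L2TP hits this; IPsec-wrapped L2TP does not).
DISCARD_RE = re.compile(
    r"%ASA-\d-710005: UDP request discarded from (\S+)/(\d+) to (\w+):(\S+)/(\d+)")
# Any IKE message decoded from a peer means the client at least started IPsec.
IKE_RE = re.compile(r"%ASA-\d-7132\d\d: IP = (\S+), IKE_DECODE")
# Interface ACL deny; only interesting here when it hits IKE/NAT-T ports.
ACL_DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny udp src \w+:(\S+)/(\d+) dst \w+:(\S+)/(\d+) by access-group "([^"]+)"')

L2TP_PORT = "1701"
IKE_PORTS = {"500", "4500"}

# Verdict labels (my own naming, not ASA terminology)
NO_IKE = "NO_IKE"               # client sends raw L2TP, never negotiates IPsec: fix client side
IKE_NO_SA = "IKE_NO_SA"         # IKE seen but L2TP still unencrypted: phase 1/2 failing, use debug crypto isakmp
IKE_ACL_DENY = "IKE_ACL_DENY"   # outside ACL is blocking IKE itself
OK = "OK"                       # IKE seen and no unencrypted L2TP observed


def triage(log_text):
    """Map each client IP seen in the log to one verdict label."""
    state = defaultdict(lambda: {"l2tp_discards": 0, "ike_seen": False, "ike_denied_by": None})
    for line in log_text.splitlines():
        m = DISCARD_RE.search(line)
        if m and m.group(5) == L2TP_PORT:
            state[m.group(1)]["l2tp_discards"] += 1
            continue
        m = IKE_RE.search(line)
        if m:
            state[m.group(1)]["ike_seen"] = True
            continue
        m = ACL_DENY_RE.search(line)
        if m and m.group(4) in IKE_PORTS:
            state[m.group(1)]["ike_denied_by"] = m.group(5)

    verdicts = {}
    for ip, s in state.items():
        if s["ike_denied_by"]:
            verdicts[ip] = IKE_ACL_DENY
        elif s["l2tp_discards"] and not s["ike_seen"]:
            verdicts[ip] = NO_IKE
        elif s["l2tp_discards"]:
            verdicts[ip] = IKE_NO_SA
        else:
            verdicts[ip] = OK
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} {verdict}")
```

The key distinction is that an ACL permit for UDP/1701 is irrelevant when the client sends L2TP in the clear: the ASA only accepts L2TP inside an established IPsec SA, so unencrypted port 1701 traffic is discarded as a to-the-box request regardless of the interface ACL. A client with no IKE messages in the log at all (the NO_IKE case) has its VPN type or IPsec policy misconfigured on the client side.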
