Cisco Support Community
Community Member

L2TP over IPsec with ms client doesn't work

Hi, I've a problem with initiating an L2TP session over IPsec from a Windows client.

Here is the tunnel I've created:

ciscoasa(config)# crypto ipsec transform-set l2tp_transform esp-3des
ciscoasa(config)# crypto ipsec transform-set l2tp_transform mode transport
ciscoasa(config)# group-policy l2tp_policy internal
ciscoasa(config)# group-policy l2tp_policy attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
ciscoasa(config-group-policy)# tunnel-group l2tp_tunnel type ipsec-ra
ciscoasa(config)# tunnel-group l2tp_tunnel general-attributes
ciscoasa(config-tunnel-general)# default-group-policy l2tp_policy
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
ciscoasa(config-tunnel-general)# address-pool testpool
ciscoasa(config)# tunnel-group l2tp_tunnel ppp-attributes
ciscoasa(config-ppp)# authentication ms-chap-v2
ciscoasa(config)# l2tp tunnel hello 100

ciscoasa(config)# tunnel-group l2tp_tunnel ipsec-attributes

ciscoasa(config-tunnel-ipsec)# pre-shared-key XXXXXXXX

I've created a new user and assigned the "l2tp_policy".

Here is the log when the user tried to connect via MS client with L2TP over IPsec:


5|Mar 18 2010|13:56:12|713904|||||IP = 10.10.10.50, Received encrypted packet with no matching SA, dropping
5|Mar 18 2010|13:55:56|713904|||||IP = 10.10.10.50, Received encrypted packet with no matching SA, dropping
6|Mar 18 2010|13:55:48|713905|||||Group = DefaultL2LGroup, IP = 10.10.10.50, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2010|13:55:48|713201|||||Group = DefaultL2LGroup, IP = 10.10.10.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2010|13:55:44|713905|||||Group = DefaultL2LGroup, IP = 10.10.10.50, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2010|13:55:44|713201|||||Group = DefaultL2LGroup, IP = 10.10.10.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2010|13:55:42|713905|||||Group = DefaultL2LGroup, IP = 10.10.10.50, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2010|13:55:42|713201|||||Group = DefaultL2LGroup, IP = 10.10.10.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
4|Mar 18 2010|13:55:41|713903|||||Group = DefaultL2LGroup, IP = 10.10.10.50, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
6|Mar 18 2010|13:55:41|713905|||||Group = DefaultRAGroup, IP = 10.10.10.50, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.  Switching user to tunnel-group: DefaultL2LGroup
5|Mar 18 2010|13:55:41|713904|||||Group = DefaultRAGroup, IP = 10.10.10.50, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
6|Mar 18 2010|13:55:41|302015|10.10.10.50|500|10.10.10.1|500|Built inbound UDP connection 247 for outside:10.10.10.50/500 (10.10.10.50/500) to identity:10.10.10.1/500 (10.10.10.1/500)

Why does the connection use DefaultRAGroup and not the l2tp_tunnel I've created? I think I missed some important thing.

23 REPLIES
Community Member

Re: L2TP over IPsec with ms client doesn't work

OK, phase completed successfully but phase 2 has a problem:

4|Mar 18 2010|15:48:52|113019|||||Group = DefaultRAGroup, Username = , IP = 10.10.10.50, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Mar 18 2010|15:48:52|713259|||||Group = DefaultRAGroup, IP = 10.10.10.50, Session is being torn down. Reason: Phase 2 Mismatch
3|Mar 18 2010|15:48:52|713902|||||Group = DefaultRAGroup, IP = 10.10.10.50, Removing peer from correlator table failed, no match!
3|Mar 18 2010|15:48:52|713902|||||Group = DefaultRAGroup, IP = 10.10.10.50, QM FSM error (P2 struct &0x744062b0, mess id 0xe11cb94c)!
5|Mar 18 2010|15:48:52|713904|||||Group = DefaultRAGroup, IP = 10.10.10.50, All IPSec SA proposals found unacceptable!
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
3|Mar 18 2010|15:48:52|713122|||||IP = 10.10.10.50, Keep-alives configured on but peer does not support keep-alives (type = None)
5|Mar 18 2010|15:48:52|713119|||||Group = DefaultRAGroup, IP = 10.10.10.50, PHASE 1 COMPLETED
6|Mar 18 2010|15:48:52|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
6|Mar 18 2010|15:48:52|713172|||||Group = DefaultRAGroup, IP = 10.10.10.50, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Any suggestions ?

Community Member

Re: L2TP over IPsec with ms client doesn't work

I have and still have the same problem. There is some good advice here.

https://supportforums.cisco.com/message/3025667;jsessionid=3B3CC0AEAABEEF18F6620BD0E528E093.node0

That would get you through phase 1 and 2. Unfortunately I'm still not getting it to work properly even so, but at least I'm a little closer now than I was last week.

/Måns

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

Seems to be mismatched on IPsec encapsulation mode, i.e. configured as tunnel mode, but client sends transport mode.

Can you please share the latest configuration. Thanks.
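
The reading of the log given in the reply above (phase 1 completes, phase 2 fails on encapsulation mode), done mechanically. This is an added example, not code from the thread or from Cisco; the sample lines are constructed in the thread's log layout with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample (newest first), in the layout of the logs in this thread:
# severity|date|time|message-id|src|sport|dst|dport|text
SAMPLE_LOG = """\
4|Mar 18 2010|15:48:52|113019|||||Group = DefaultRAGroup, Username = , IP = 192.0.2.50, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Mar 18 2010|15:48:52|713259|||||Group = DefaultRAGroup, IP = 192.0.2.50, Session is being torn down. Reason: Phase 2 Mismatch
5|Mar 18 2010|15:48:52|713904|||||Group = DefaultRAGroup, IP = 192.0.2.50, All IPSec SA proposals found unacceptable!
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713119|||||Group = DefaultRAGroup, IP = 192.0.2.50, PHASE 1 COMPLETED
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
6|Mar 18 2010|15:48:52|302015|192.0.2.50|500|192.0.2.1|500|Built inbound UDP connection 247 for outside:192.0.2.50/500 (192.0.2.50/500) to identity:192.0.2.1/500 (192.0.2.1/500)
"""

FIELDS = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")
MISMATCH = re.compile(r"Phase (\d) failure:\s+Mismatched attribute types for class "
                      r"(.+?):\s+Rcv'd: (.+?)\s+Cfg'd: (.+)$")
GROUP = re.compile(r"Group = ([^,]+),")
TEARDOWN = re.compile(r"Session is being torn down\. Reason: (.+)$")


def parse_line(line):
    """Split one log line into named fields; None if it is not in this layout."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9 or not parts[3].isdigit():
        return None
    return dict(zip(FIELDS, parts))


def triage(log_text):
    """Collect tunnel-groups, phase 1 outcome, per-phase mismatches, teardown reasons."""
    out = {"groups": set(), "phase1_completed": False,
           "mismatches": defaultdict(set), "teardown": set(), "skipped": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            out["skipped"] += 1      # keep count of lines we could not read
            continue
        text = rec["text"]
        if m := GROUP.search(text):
            out["groups"].add(m[1])
        if rec["msgid"] == "713119" and "PHASE 1 COMPLETED" in text:
            out["phase1_completed"] = True
        if m := MISMATCH.search(text):
            out["mismatches"][int(m[1])].add((m[2], m[3].strip(), m[4].strip()))
        if m := TEARDOWN.search(text):
            out["teardown"].add(m[1].strip())
    return out


def findings(summary):
    """Turn the summary into the short statements a reviewer would write down."""
    notes = []
    if summary["phase1_completed"] and summary["mismatches"].get(1):
        notes.append("phase 1 completed: its mismatch lines are rejected proposals")
    for cls, rcvd, cfgd in sorted(summary["mismatches"].get(2, ())):
        notes.append(f"phase 2 {cls}: peer sent {rcvd}, ASA configured {cfgd}")
    for group in sorted(summary["groups"]):
        notes.append(f"session matched tunnel-group {group}")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_LOG)):
        print(note)
```

The events are treated as a set rather than a sequence, because the logs in the thread are listed newest first and many lines share the same second.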

Community Member

Re: L2TP over IPsec with ms client doesn't work

It's now working for me, but I can only connect with one user. If I try to connect with another user with the same policy, in the log I see this:

AAA user authentication Rejected : reason = Invalid password : local database: user = testing2

But the user exists and I have reset the password many times. Why is user "testing" working and user "testing2" not? Need urgent help. I'm running out of time.

Which configuration from the config do you need? I'll post it quickly.

Thanks and regards

Community Member

Re: L2TP over IPsec with ms client doesn't work

Delete the entire user "Testing2" and recreate it. Then try again.

If that doesn't work, check to see if the user is in the right place, has the right level of access etc.

HTH,

Stan

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

1) sh run all tunnel-group

2) sh run all group-policy

3) Once you are connected with 1 user, grab: "show vpn-sessiondb remote filter name testing"

4) Assuming it's local database: sh run username

Thanks.

Community Member

Re: L2TP over IPsec with ms client doesn't work

With the users it's working now. I forgot to set nt-encrypted when creating the user.

But I have more VPN policies with different IP ranges. At the moment I'm only able to connect to one connection profile. If I want to test another profile, it's not working. See attached logs.

I have one transform set, is that right?

See all logs you want attached. Also crypto.

Community Member

Re: L2TP over IPsec with ms client doesn't work

and here

Community Member

Re: L2TP over IPsec with ms client doesn't work

OK, strange. If I create a new L2TP tunnel with the ASDM wizard, with a new policy and a new user, then the connection works fine. But the connection I created before did not work anymore.

Only the new connection I have created is working, and the other connections show me the "Duplicate Phase 1 packet detected.  Retransmitting last packet." message.

What is this?

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

Don't think you can configure different tunnel-group for different L2TP over IPSec groups as you can't specify the group name on the L2TP over IPSec client to connect to a particular group, therefore, you will always be connecting to the default group: DefaultRAGroup.

As you can see from the "sh vpn-sessiondb remote filter name Cust10003_1" that you have obtained, the tunnel-group that it falls into is "DefaultRAGroup", and when you created it through asdm wizard, it asked you to create a group-policy, therefore it is assigned to group-policy "Cust10003_tunnel" (the last one that you created).

If you look back at the tunnel-group configuration that you have before you created the l2tp over ipsec via the asdm wizard, the default group-policy assignment for default tunnel-group "DefaultRAGroup" is set to default group-policy "DfltGrpPolicy"

As per the following sample configuration, you can only use the default tunnel-group for L2TP over IPSec VPN:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

Community Member

Re: L2TP over IPsec with ms client doesn't work

OK, I have now assigned one connection profile for L2TP connections and assigned different group policies with other IP pools to the users, and that's working.

If I now want to use the Cisco VPN client, do I need to create another connection profile, or what is the right way?

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

With Cisco IPSec VPN Client, you can be specific with the tunnel-group and group-policy because the client uses group name to connect and the group name is the tunnel-group that you create on the ASA.

Community Member

Re: L2TP over IPsec with ms client doesn't work

OK, now the ASA is live. Everything is working fine, only L2TP did not work. Phase 1 completed and then I got this:

Group = DefaultRAGroup, IP = , Session is being torn down. Reason: crypto map policy not found

I can't find the issue :-( Cisco VPN Client is working fine. IPsec tunnel also, only L2TP.... help

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

Within the crypto map configuration, do you have 2 dynamic maps configured? One with tunnel mode for the IPsec client, and another one with transport mode for the L2TP over IPsec?

Community Member

Re: L2TP over IPsec with ms client doesn't work

Within the crypto map I have configured one static and one dynamic, created automatically if I create an L2TP tunnel with ASDM. The static is for the IPsec tunnel...

Do you need some configuration from the running config?

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

"show run crypto map" and "show run crypto ipsec" would help. Thanks.

Community Member

Re: L2TP over IPsec with ms client doesn't work

crypto map IPSECTEST_map0 1 match address IPSECTEST_cryptomap
crypto map IPSECTEST_map0 1 set peer
crypto map IPSECTEST_map0 1 set transform-set ESP-3DES-SHA l2tp_transform
crypto map IPSECTEST_map0 1 set phase1-mode aggressive
crypto map IPSECTEST_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSECTEST_map0 interface outside

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set l2tp_transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp_transform mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

Sorry, and also "show run crypto dynamic-map" please.

Community Member

Re: L2TP over IPsec with ms client doesn't work

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

and look at your PM

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

Add this:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65500 set transform-set TRANS_ESP_3DES_SHA

It should work now.

Community Member

Re: L2TP over IPsec with ms client doesn't work

sadly not

5|Mar 21 2010|02:06:32|713904|||||IP = 94.218.140.41, Received encrypted packet with no matching SA, dropping
5|Mar 21 2010|02:06:22|713904|||||IP = 94.218.140.41, Received encrypted packet with no matching SA, dropping
4|Mar 21 2010|02:06:14|106023|92.40.190.57|32287|172.16.4.10|445|Deny tcp src outside:92.40.190.57/32287 dst Cust10004:172.16.4.10/445 by access-group "global_access" [0x0, 0x0]
5|Mar 21 2010|02:06:05|713904|||||IP = 94.218.140.41, Received encrypted packet with no matching SA, dropping
4|Mar 21 2010|02:06:05|113019|||||Group = DefaultRAGroup, Username = , IP = 94.218.140.41, Session disconnected. Session Type: IKE, Duration: 0h:00m:17s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
5|Mar 21 2010|02:06:05|713259|||||Group = DefaultRAGroup, IP = 94.218.140.41, Session is being torn down. Reason: Lost Service
3|Mar 21 2010|02:06:05|713902|||||Group = DefaultRAGroup, IP = 94.218.140.41, Removing peer from correlator table failed, no match!
3|Mar 21 2010|02:06:05|713902|||||Group = DefaultRAGroup, IP = 94.218.140.41, QM FSM error (P2 struct &0x74794300, mess id 0x1)!
5|Mar 21 2010|02:05:57|713201|||||Group = DefaultRAGroup, IP = 94.218.140.41, Duplicate Phase 2 packet detected.  Retransmitting last packet.
5|Mar 21 2010|02:05:53|713201|||||Group = DefaultRAGroup, IP = 94.218.140.41, Duplicate Phase 2 packet detected.  Retransmitting last packet.
5|Mar 21 2010|02:05:50|713201|||||Group = DefaultRAGroup, IP = 94.218.140.41, Duplicate Phase 2 packet detected.  Retransmitting last packet.
6|Mar 21 2010|02:05:48|302015|192.168.178.12|4500|185.188.25.2|4500|Built outbound UDP connection 2585 for outside:192.168.178.12/4500 (192.168.178.12/4500) to identity:185.188.25.2/4500 (185.188.25.2/4500)
3|Mar 21 2010|02:05:48|713122|||||IP = 94.218.140.41, Keep-alives configured on but peer does not support keep-alives (type = None)
5|Mar 21 2010|02:05:48|713119|||||Group = DefaultRAGroup, IP = 94.218.140.41, PHASE 1 COMPLETED
6|Mar 21 2010|02:05:48|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
6|Mar 21 2010|02:05:48|713172|||||Group = DefaultRAGroup, IP = 94.218.140.41, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
6|Mar 21 2010|02:05:48|302015|94.218.140.41|4500|185.188.25.2|4500|Built inbound UDP connection 2584 for outside:94.218.140.41/4500 (94.218.140.41/4500) to identity:185.188.25.2/4500 (185.188.25.2/4500)
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 21 2010|02:05:48|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
6|Mar 21 2010|02:05:48|302015|94.218.140.41|500|185.188.25.2|500|Built inbound UDP connection 2583 for outside:94.218.140.41/500 (94.218.140.41/500) to identity:185.188.25.2/500 (185.188.25.2/500)

Community Member

Re: L2TP over IPsec with ms client doesn't work

Do you still have any other suggestions / tips / hints?

Cisco Employee

Re: L2TP over IPsec with ms client doesn't work

Mmmm...

Maybe try this:

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65500 set transform-set TRANS_ESP_3DES_SHA

no crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

Then, clear all the SAs and ISAKMPs and log all users out:

vpn-sessiondb logoff remote
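
A check for the condition the replies above converge on: the dynamic map attached to the outside crypto map has to offer at least one transport-mode transform set for the L2TP client. This is an added example, not code from the thread or from Cisco; the configuration text is trimmed from the posts above, the function names are hypothetical, and only the command forms that appear in this thread are parsed.

```python
import re

# Trimmed from the configuration posted in this thread ("before" the suggested change).
BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map IPSECTEST_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IPSECTEST_map0 interface outside
"""

# "After": the transport-mode set is listed in the same entry, as in the last reply.
AFTER = BEFORE.replace("set transform-set ESP-AES",
                       "set transform-set TRANS_ESP_3DES_SHA ESP-AES")

TS_MODE = re.compile(r"^crypto ipsec transform-set (\S+) mode (transport|tunnel)$")
TS_DEF = re.compile(r"^crypto ipsec transform-set (\S+) esp-\S+")
DYN_TS = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")
MAP_DYN = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")


def audit(config):
    """Return one record per dynamic-map entry, with its transform sets split by mode."""
    modes, entries, attached = {}, [], {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := TS_MODE.match(line):
            modes[m[1]] = m[2]                  # explicit "mode transport" line
        elif m := TS_DEF.match(line):
            modes.setdefault(m[1], "tunnel")    # no mode line means tunnel mode
        elif m := DYN_TS.match(line):
            entries.append((m[1], int(m[2]), m[3].split()))
        elif m := MAP_DYN.match(line):
            attached[m[3]] = m[1]               # dynamic map -> crypto map using it
    report = []
    for name, seq, sets in sorted(entries, key=lambda e: (e[0], e[1])):
        report.append({
            "dynamic_map": name,
            "seq": seq,
            "crypto_map": attached.get(name),
            "transport": [s for s in sets if modes.get(s) == "transport"],
            "tunnel": [s for s in sets if modes.get(s) == "tunnel"],
            "undefined": [s for s in sets if s not in modes],
        })
    return report


def l2tp_ready(config):
    """True if an attached dynamic-map entry offers a transport-mode transform set."""
    return any(e["crypto_map"] and e["transport"] for e in audit(config))


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, l2tp_ready(cfg), audit(cfg))
```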
