Cisco Support Community
Community Member

Problem w L2TP/IPSEC vpn on ISR 1941


I am trying to configure L2TP/IPSEC vpn on my 1941 router but without any luck. Easy VPN and ANyconnect are configured and work very well, but with L2TP no luck. Here is my config. When I try to connect from Windows 7 machine it gives the following

Feb 15 06:43:00.095: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer       Id:

Feb 15 06:43:35.195: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer       Id:

What can be the problem?

aaa authentication login default local

aaa authentication login un-aaa local

aaa authentication login SSLVPN-LOGIN group ldap

aaa authentication ppp default local

aaa authorization exec default local

aaa authorization network un-aaa local

vpdn enable


vpdn-group L2TP

! Default L2TP VPDN group


  protocol l2tp

  virtual-template 2

no l2tp tunnel authentication

ip pmtu

ip mtu adjust

crypto vpn anyconnect flash0:/webvpn/anyconnect-win-3.1.04059-k9.pkg sequence 1


crypto vpn anyconnect flash0:/webvpn/anyconnect-macosx-i386-3.1.04059-k9.pkg sequence 2


crypto vpn anyconnect flash0:/webvpn/anyconnect-linux-3.1.04059-k9.pkg sequence 3


crypto vpn anyconnect flash0:/webvpn/anyconnect-linux-64-3.1.04059-k9.pkg sequence 4


!Below is for L2TP/IPSEC

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2


!Below is for EasyVPN

crypto isakmp policy 120

encr aes 256

authentication pre-share

group 2

crypto isakmp key cisco address

crypto isakmp invalid-spi-recovery

crypto isakmp keepalive 10 periodic

crypto isakmp client configuration address-pool local un-easy-vpn

crypto isakmp client configuration group comp

key tr$#pol


pool un-easy-vpn


max-users 10

max-logins 2


crypto isakmp profile un-easy-vpn-profile-1

   match identity group comp

   client authentication list un-aaa

   isakmp authorization list un-aaa

   client configuration address respond

   virtual-template 120

crypto ipsec security-association idle-time 1800


crypto ipsec transform-set un-ipsec-trans esp-aes 256 esp-sha-hmac

mode tunnel

crypto ipsec transform-set L2TP-TSET-AES esp-aes esp-sha-hmac

mode transport

crypto ipsec transform-set L2TP-TSET-3DES esp-3des esp-md5-hmac

mode transport



crypto ipsec profile un-ipsec-profile-1

set transform-set un-ipsec-trans

set isakmp-profile un-easy-vpn-profile-1




crypto dynamic-map L2TP-DYN-MAP 10

set nat demux

set transform-set L2TP-TSET-AES

crypto dynamic-map L2TP-DYN-MAP 20

set nat demux

set transform-set L2TP-TSET-3DES






crypto map L2TP-CMAP 10 ipsec-isakmp dynamic L2TP-DYN-MAP

interface Loopback2

ip address

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

interface Loopback120

description VPN Termination Point

ip address

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

interface GigabitEthernet0/0

description Interface to ISP

ip address

ip nat outside

ip virtual-reassembly in max-fragments 64 max-reassemblies 1024

ip virtual-reassembly out max-fragments 64 max-reassemblies 1024

ip load-sharing per-packet

zone-member security out-zone

duplex auto

speed auto

no cdp enable

crypto map L2TP-CMAP

interface Virtual-Template2

description L2TP over IPSec Template

ip unnumbered Loopback2

ip nat inside

ip virtual-reassembly in

peer default ip address pool PPTP-POOL

no keepalive

ppp mtu adaptive

ppp encrypt mppe 128 required

ppp authentication ms-chap-v2 chap callin


interface Virtual-Template120 type tunnel

description Easy vpn

ip unnumbered Loopback120

ip nat inside

ip virtual-reassembly in

zone-member security vpn

tunnel mode ipsec ipv4

tunnel protection ipsec profile un-ipsec-profile-1

ip local pool un-easy-vpn

ip local pool SSLVPN

ip local pool un-guest-vpn

ip local pool PPTP-POOL

Thanks in advance!

CreatePlease to create content