Working config for L2TP/IPSec (Windows-IOSrouter) wanted

ovt
Level 4

Hi!

Does anybody have a working configuration for L2TP/IPSec between Windows 2003 and an IOS router (12.4(11)T4)?

I set it up, IKE works well, the IPSec tunnel is established, L2TP starts negotiating the vpdn session, but everything stops at MS-CHAP authentication: it seems the router doesn't see the reply from Windows (the Windows ppp.log indicates it does send Configure-Ack). Eventually the connection times out with Error=734.

Jun 30 18:27:51.763 MSD: AAA/BIND(00000017): Bind i/f
Jun 30 18:27:51.767 MSD: AAA/BIND(00000017): Bind i/f Virtual-Template2
Jun 30 18:27:51.767 MSD: ppp20 PPP: Send Message[Dynamic Bind Response]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Using vpn set call direction
Jun 30 18:27:51.767 MSD: ppp20 PPP: Treating connection as a callin
Jun 30 18:27:51.767 MSD: ppp20 PPP: Session handle[CB00001A] Session id[20]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 PPP: Authorization required
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:53.775 MSD: ppp20 LCP:    AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:53.775 MSD: ppp20 LCP:    MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:55.791 MSD: ppp20 LCP:    AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:55.791 MSD: ppp20 LCP:    MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
...

The relevant parts of the config:

aaa new-model
!
aaa authentication ppp L2TP local
aaa authorization network L2TP local
!
vpdn enable
vpdn logging
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 l2tp security crypto-profile L2TP-PROF
 no l2tp tunnel authentication
 l2tp tunnel password 7
!
username l2tp password xxx
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
! wildcard peer address: any host that knows this pre-shared key can complete IKE
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
! transport mode is what the Windows L2TP/IPsec client negotiates
crypto ipsec transform-set l2tp-tr1 esp-3des esp-sha-hmac
 mode transport require
crypto ipsec transform-set l2tp-tr2 esp-3des esp-md5-hmac
 mode transport require
!
crypto map L2TP-MAP 10 ipsec-isakmp profile L2TP-PROF
 set transform-set l2tp-tr1 l2tp-tr2
!
interface FastEthernet0/0
 ip address 10.3.1.1 255.255.255.0
 crypto map L2TP-MAP
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/1
 peer default ip address pool VPNPOOL
 ppp authentication ms-chap ms-chap-v2 callin L2TP
 ppp authorization L2TP
!
ip local pool VPNPOOL 172.16.11.1 172.16.11.254
ip route 0.0.0.0 0.0.0.0 10.3.1.30
!
...

1 Reply
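The symptom in the debug output above (the router keeps retransmitting its LCP CONFREQ and never logs an inbound LCP frame, even though the Windows side says it answered) can be picked out mechanically from `debug ppp negotiation`. The script below is an added example, not code from the original post or from Cisco: it parses lines in the format shown above, counts sent and received LCP frames and timer expiries per PPP session, and says whether the handshake stalled before any peer frame arrived. The two log samples are constructed for the demo (the healthy exchange, its session name `ppp21` and its timestamps are made up; the stalled one mirrors the post).

```python
"""Spot a stalled PPP LCP handshake in Cisco IOS 'debug ppp negotiation' output."""
import re
from collections import defaultdict

# Constructed samples modelled on the debug lines in the post above; the
# session names, timestamps and the healthy exchange are made up for the demo.
STALLED_LOG = """\
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:53.775 MSD: ppp20 LCP:    AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:57.807 MSD: ppp20 LCP: O CONFREQ [REQsent] id 3 len 15
"""

HEALTHY_LOG = """\
Jun 30 18:30:01.000 MSD: ppp21 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:30:01.010 MSD: ppp21 LCP: I CONFREQ [REQsent] id 0 len 21
Jun 30 18:30:01.010 MSD: ppp21 LCP: O CONFACK [REQsent] id 0 len 21
Jun 30 18:30:01.020 MSD: ppp21 LCP: I CONFACK [ACKsent] id 1 len 15
Jun 30 18:30:01.020 MSD: ppp21 LCP: State is Open
Jun 30 18:30:01.030 MSD: ppp21 PPP: Phase is AUTHENTICATING, by this end
"""

# One regex for the three LCP line shapes that matter here: a sent/received
# frame ("O CONFREQ [REQsent] id 2"), a timer expiry, and a state change.
# Option sub-lines (AuthProto, MagicNumber) and PPP/AAA lines do not match.
LCP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \S+: (?P<sess>ppp\d+) LCP: "
    r"(?:(?P<dir>[IO]) (?P<code>CONF\w+|TERM\w+) \[(?P<state>\w+)\] id (?P<id>\d+)"
    r"|Timeout: State (?P<tstate>\w+)"
    r"|State is (?P<newstate>\w+))"
)


def diagnose(s):
    """Turn per-session counters into a one-line verdict."""
    if s["state"] == "Open":
        return "LCP open"
    if s["in"] == 0 and s["out"] >= 2:
        return ("stalled: %d outgoing LCP frames and none inbound; the peer's "
                "replies never reach PPP, so check the L2TP/IPsec path rather "
                "than the PPP authentication settings" % s["out"])
    if s["in"] > 0:
        return "inbound LCP seen but never reached Open; check option negotiation"
    return "insufficient LCP activity to judge"


def analyse_lcp(log_text):
    """Return {session: counters + diagnosis} for every PPP session in the log."""
    sessions = defaultdict(lambda: {"out": 0, "in": 0, "timeouts": 0, "state": None})
    for line in log_text.splitlines():
        m = LCP_RE.match(line)
        if not m:
            continue
        s = sessions[m["sess"]]
        if m["dir"] == "O":
            s["out"] += 1
            s["state"] = m["state"]      # bracketed state is the state at send time
        elif m["dir"] == "I":
            s["in"] += 1
            s["state"] = m["state"]
        elif m["tstate"]:
            s["timeouts"] += 1
        elif m["newstate"]:
            s["state"] = m["newstate"]
    for s in sessions.values():
        s["diagnosis"] = diagnose(s)
    return dict(sessions)


if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("healthy", HEALTHY_LOG)):
        for sess, info in analyse_lcp(log).items():
            print(name, sess, info)
```

The "stalled" verdict is exactly the post's situation: the Configure-Ack that Windows logs as sent never shows up as an `I CONFACK` on the router, so the frames are lost somewhere between IPsec decapsulation, L2TP and the virtual-access interface rather than rejected by PPP. On the router the natural next checks are whether the decaps counters in `show crypto ipsec sa` and the receive counters in `show vpdn session` are increasing while the LCP retries continue.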

ovt
Level 4

It appears to be a bug in IOS 12.4(11)T. 12.4(19b) mainline works well.
