ovt Bronze

Working config for L2TP/IPSec (Windows-IOSrouter) wanted

Hi!

Does anybody have working configuration for L2TP/IPSec between Windows 2003 and IOS router (12.4(11)T4)?

I set it up, IKE works well, the IPSec tunnel is established, L2TP starts negotiating the vpdn session, but everything stops at MS-CHAP authentication: it seems the router doesn't see the reply from Windows (the Windows ppp.log indicates it does send Configure-Ack). Eventually the connection times out with Error=734.

Jun 30 18:27:51.763 MSD: AAA/BIND(00000017): Bind i/f
Jun 30 18:27:51.767 MSD: AAA/BIND(00000017): Bind i/f Virtual-Template2
Jun 30 18:27:51.767 MSD: ppp20 PPP: Send Message[Dynamic Bind Response]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Using vpn set call direction
Jun 30 18:27:51.767 MSD: ppp20 PPP: Treating connection as a callin
Jun 30 18:27:51.767 MSD: ppp20 PPP: Session handle[CB00001A] Session id[20]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 PPP: Authorization required
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:53.775 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:53.775 MSD: ppp20 LCP: MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:55.791 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:55.791 MSD: ppp20 LCP: MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
...

The relevant parts of the config:

aaa new-model
!
aaa authentication ppp L2TP local
aaa authorization network L2TP local
!
vpdn enable
vpdn logging
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 2
l2tp security crypto-profile L2TP-PROF
no l2tp tunnel authentication
l2tp tunnel password 7
!
username l2tp password xxx
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set l2tp-tr1 esp-3des esp-sha-hmac
mode transport require
crypto ipsec transform-set l2tp-tr2 esp-3des esp-md5-hmac
mode transport require
!
crypto map L2TP-MAP 10 ipsec-isakmp profile L2TP-PROF
set transform-set l2tp-tr1 l2tp-tr2
!
interface FastEthernet0/0
ip address 10.3.1.1 255.255.255.0
crypto map L2TP-MAP
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
!
interface Virtual-Template2
ip unnumbered FastEthernet0/1
peer default ip address pool VPNPOOL
ppp authentication ms-chap ms-chap-v2 callin L2TP
ppp authorization L2TP
!
ip local pool VPNPOOL 172.16.11.1 172.16.11.254
ip route 0.0.0.0 0.0.0.0 10.3.1.30
!
...
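An added example, not from the original post: a small Python analyzer for `debug ppp negotiation` output that flags a session stuck in exactly the pattern shown above (the router keeps sending LCP CONFREQ, times out in REQsent, and never sees an inbound LCP packet). The sample log is constructed, loosely modelled on the quoted lines, with a second session (ppp21) that negotiates normally for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the post's `debug ppp negotiation` output.
# ppp20 mirrors the symptom above; ppp21 is a healthy negotiation for contrast.
SAMPLE_LOG = """\
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:53.775 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:57.807 MSD: ppp20 LCP: O CONFREQ [REQsent] id 3 len 15
Jun 30 18:28:01.100 MSD: ppp21 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:28:01.105 MSD: ppp21 LCP: I CONFACK [REQsent] id 1 len 15
Jun 30 18:28:01.110 MSD: ppp21 LCP: I CONFREQ [ACKrcvd] id 2 len 20
Jun 30 18:28:01.112 MSD: ppp21 LCP: O CONFACK [ACKrcvd] id 2 len 20
Jun 30 18:28:01.115 MSD: ppp21 LCP: State is Open
"""

# Matches "<mon> <day> <time> <tz>: ppp<N> LCP: O|I CONF... [state] ..." or
# "... LCP: Timeout: State <state>"; option sub-lines (AuthProto etc.) are ignored.
LCP_RE = re.compile(
    r"^\S+ \d+ [\d:.]+ \S+: (?P<sess>ppp\d+) LCP: "
    r"(?:(?P<dir>[IO]) (?P<pkt>CONF\w+) \[(?P<state>\w+)\]|Timeout: State (?P<tstate>\w+))"
)

def analyze_lcp(log_text):
    """Per PPP session: outbound CONFREQ count, inbound LCP packet count,
    timeout count and the last LCP state seen."""
    stats = defaultdict(lambda: {"out_confreq": 0, "inbound": 0,
                                 "timeouts": 0, "last_state": None})
    for line in log_text.splitlines():
        m = LCP_RE.match(line)
        if not m:
            continue
        s = stats[m["sess"]]
        if m["tstate"]:                      # "Timeout: State X" branch
            s["timeouts"] += 1
            s["last_state"] = m["tstate"]
            continue
        s["last_state"] = m["state"]
        if m["dir"] == "O" and m["pkt"] == "CONFREQ":
            s["out_confreq"] += 1
        elif m["dir"] == "I":                # any inbound LCP packet at all
            s["inbound"] += 1
    return dict(stats)

def stuck_sessions(stats, min_retries=2):
    """Sessions that retransmit CONFREQ, time out, and never see an inbound LCP packet."""
    return sorted(sess for sess, s in stats.items()
                  if s["inbound"] == 0 and s["out_confreq"] >= min_retries and s["timeouts"])

if __name__ == "__main__":
    st = analyze_lcp(SAMPLE_LOG)
    for sess in stuck_sessions(st):
        print(f"{sess}: {st[sess]['out_confreq']} CONFREQ sent, no inbound LCP, "
              f"last state {st[sess]['last_state']}")
```

A session flagged this way, while the peer's own log claims it answered, points at the L2TP/IPsec data path (or, as in this thread, the IOS release) rather than at the PPP credentials.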

1 REPLY
ovt Bronze

Re: Working config for L2TP/IPSec (Windows-IOSrouter) wanted

It appears to be a bug in IOS 12.4(11)T. 12.4(19b) mainline works well.
