06-30-2008 06:25 AM - edited 02-21-2020 03:47 PM
Hi!
Does anybody have working configuration for L2TP/IPSec between Windows 2003 and IOS router (12.4(11)T4)?
I set it up, IKE works well, the IPSec tunnel is established, L2TP starts negotiating the vpdn session, but everything stops at MS-CHAP authentication: it seems the router doesn't see the reply from Windows (the Windows ppp.log indicates it does send Configure-Ack). Eventually the connection times out with Error=734.
Jun 30 18:27:51.763 MSD: AAA/BIND(00000017): Bind i/f
Jun 30 18:27:51.767 MSD: AAA/BIND(00000017): Bind i/f Virtual-Template2
Jun 30 18:27:51.767 MSD: ppp20 PPP: Send Message[Dynamic Bind Response]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Using vpn set call direction
Jun 30 18:27:51.767 MSD: ppp20 PPP: Treating connection as a callin
Jun 30 18:27:51.767 MSD: ppp20 PPP: Session handle[CB00001A] Session id[20]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 PPP: Authorization required
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:53.775 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:53.775 MSD: ppp20 LCP: MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:55.791 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:55.791 MSD: ppp20 LCP: MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
...
The relevant parts of the config:
aaa new-model
!
aaa authentication ppp L2TP local
aaa authorization network L2TP local
!
vpdn enable
vpdn logging
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 2
l2tp security crypto-profile L2TP-PROF
no l2tp tunnel authentication
l2tp tunnel password 7
!
username l2tp password xxx
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set l2tp-tr1 esp-3des esp-sha-hmac
mode transport require
crypto ipsec transform-set l2tp-tr2 esp-3des esp-md5-hmac
mode transport require
!
crypto map L2TP-MAP 10 ipsec-isakmp profile L2TP-PROF
set transform-set l2tp-tr1 l2tp-tr2
!
interface FastEthernet0/0
ip address 10.3.1.1 255.255.255.0
crypto map L2TP-MAP
!
interface FastEthernet0/1
ip address 172.16.1.1 255.255.255.0
!
interface Virtual-Template2
ip unnumbered FastEthernet0/1
peer default ip address pool VPNPOOL
ppp authentication ms-chap ms-chap-v2 callin L2TP
ppp authorization L2TP
!
ip local pool VPNPOOL 172.16.11.1 172.16.11.254
ip route 0.0.0.0 0.0.0.0 10.3.1.30
!
...
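The debug output above shows the classic one-sided LCP pattern: the router sends CONFREQ after CONFREQ, times out, and never logs a single inbound ("I") LCP frame, even though the Windows side believes it answered. The following is an added example, not part of the original post or of Cisco's tooling: a small Python checker that reads "debug ppp negotiation" style lines, counts inbound and outbound LCP packets and timeouts per virtual-access interface, and reports whether the peer's PPP frames are reaching the router at all (a transport problem, as in this thread) or whether the peer answers but never acknowledges the router's options (an LCP option mismatch). The line layout it parses is assumed from the post's output; the two sample logs are constructed, one mirroring the post's failure and one showing a healthy exchange.

```python
"""Classify a Cisco IOS 'debug ppp negotiation' trace as a one-sided or
two-sided LCP negotiation.  Added example, not code from the forum post;
the log line layout is assumed from the post and the samples are constructed."""
import re
from collections import Counter

# Assumed IOS debug line layout: "<Mon> <day> <hh:mm:ss.mmm> <TZ>: <intf> <layer>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: "
    r"(?P<intf>\S+) (?P<layer>LCP|PPP|CHAP|IPCP): (?P<msg>.*)$"
)
# LCP packet lines: "O CONFREQ [REQsent] id 2 len 15", "I CONFACK [ACKsent] id 1 len 15"
PKT_RE = re.compile(
    r"^(?P<dir>[IO]) (?P<kind>CONF(?:REQ|ACK|NAK|REJ)|TERMREQ|TERMACK)\b.*\bid (?P<id>\d+)"
)
TIMEOUT_RE = re.compile(r"^Timeout: State (?P<state>\w+)")

# Constructed sample mirroring the failing trace in the post.
FAILING_LOG = """\
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:53.775 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:57.807 MSD: ppp20 LCP: O CONFREQ [REQsent] id 3 len 15
"""

# Constructed sample of a healthy two-sided exchange for comparison.
HEALTHY_LOG = """\
Jun 30 18:30:01.000 MSD: ppp21 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:30:01.004 MSD: ppp21 LCP: I CONFREQ [REQsent] id 1 len 10
Jun 30 18:30:01.004 MSD: ppp21 LCP: O CONFACK [REQsent] id 1 len 10
Jun 30 18:30:01.008 MSD: ppp21 LCP: I CONFACK [ACKsent] id 1 len 15
Jun 30 18:30:01.008 MSD: ppp21 LCP: State is Open
"""


def verdict(s):
    """Turn one interface's counters into a human-readable diagnosis."""
    out_req = s["out"]["CONFREQ"]
    if sum(s["in"].values()) == 0 and out_req >= 2 and s["timeouts"] >= 2:
        return ("no inbound LCP seen: the peer's PPP frames are not reaching the router "
                "(check the L2TP/IPsec transport or the IOS release)")
    if out_req and not s["in"]["CONFACK"]:
        return "peer responds but never acks our CONFREQ: LCP option mismatch (e.g. AuthProto)"
    return "LCP exchange looks two-sided"


def analyse(log_text):
    """Return {interface: {out: Counter, in: Counter, timeouts: int, verdict: str}}
    built from the LCP lines of an IOS PPP negotiation debug."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("layer") != "LCP":
            continue  # AAA/BIND, PPP phase and option-detail lines carry no LCP packet
        s = stats.setdefault(m.group("intf"),
                             {"out": Counter(), "in": Counter(), "timeouts": 0})
        msg = m.group("msg").strip()
        p = PKT_RE.match(msg)
        if p:
            s["out" if p.group("dir") == "O" else "in"][p.group("kind")] += 1
        elif TIMEOUT_RE.match(msg):
            s["timeouts"] += 1
    for s in stats.values():
        s["verdict"] = verdict(s)
    return stats


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("healthy", HEALTHY_LOG)):
        for intf, s in analyse(log).items():
            print(f"{name} {intf}: out={dict(s['out'])} in={dict(s['in'])} "
                  f"timeouts={s['timeouts']} -> {s['verdict']}")
```

Run against a saved "debug ppp negotiation" capture the verdict separates the two cases a troubleshooter needs to tell apart before touching the PPP configuration: if nothing inbound is ever decoded, changing authentication options on the virtual-template will not help, because the problem sits below PPP (the L2TP/IPsec path or, as the follow-up in this thread found, the IOS release itself).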
07-01-2008 05:41 AM
It appears to be a bug in IOS 12.4(11)T. 12.4(19b) mainline works well.