
Cisco ASA 5510 l2tp-ipsec VPN connection

Status
Not open for further replies.

spie34

IS-IT--Management
Jul 13, 2006
Currently our VPN connection uses the Cisco VPN client, which works fine for people running x32bit. But I need to set up l2tp-ipsec for connections with people running Windows XP x64bit. Cisco does not provide a VPN client for x64bit for Windows XP.

I've tried setting this up via this document and I have not had any luck. I get an error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

Here is my config of what I think is relevant. Is there something I have configured improperly? Or am I configuring the Microsoft VPN client incorrectly?
access-list l2tp_splitTunnelAcl standard permit 172.23.1.0 255.255.255.0
access-list l2tp_splitTunnelAcl standard permit 172.22.1.0 255.255.255.0
group-policy l2tp internal
group-policy l2tp attributes
 dns-server value 172.22.1.10
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value l2tp_splitTunnelAcl
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 100 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 120 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 140 set transform-set TRANS_ESP_DES_SHA
crypto dynamic-map outside_dyn_map 160 set transform-set TRANS_ESP_DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 70
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
group-delimiter @
tunnel-group DefaultRAGroup general-attributes
 address-pool Hairping
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool nomad
 authentication-server-group RemAuth
 authorization-server-group RemAuth
 default-group-policy Employees
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias Nomad enable
tunnel-group emps type ipsec-ra
tunnel-group emps general-attributes
 address-pool nomad
 authentication-server-group RemAuth LOCAL
 default-group-policy Employees
tunnel-group emps ipsec-attributes
 pre-shared-key *
tunnel-group emps ppp-attributes
 authentication ms-chap-v2
tunnel-group l2tp type ipsec-ra
tunnel-group l2tp general-attributes
 address-pool Hairping
 default-group-policy l2tp
 strip-group
tunnel-group l2tp ipsec-attributes
 pre-shared-key *
tunnel-group l2tp ppp-attributes
 authentication ms-chap-v2
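
Added example, not part of the original post: a Python script that reads an excerpt of the configuration above and reports, for each dynamic-map entry in sequence order, whether its transform set is tunnel or transport mode and which transforms are obsolete (single DES, HMAC-MD5). It assumes the ASA default of tunnel mode when no "mode transport" line exists; Windows' native L2TP/IPsec client uses ESP transport mode (RFC 3193). The function names and the WEAK set are this example's own.

```python
import re

# Excerpt of the configuration posted above (lines copied from the post).
CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 140 set transform-set TRANS_ESP_DES_SHA
"""

# Assumption of this example: transforms treated as obsolete.
WEAK = {"esp-des", "esp-md5-hmac"}

def parse_transform_sets(text):
    """Return {name: {"mode": "tunnel"|"transport", "transforms": [...]}}."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", text, re.M):
        name, rest = m.group(1), m.group(2).split()
        # ASA transform sets are tunnel mode unless a "mode transport" line exists.
        entry = sets.setdefault(name, {"mode": "tunnel", "transforms": []})
        if rest[0] == "mode":
            entry["mode"] = rest[1]
        else:
            entry["transforms"] = rest
    return sets

def audit_dynamic_map(text):
    """Return [(seq, set_name, mode, weak_transforms)] in sequence order."""
    sets = parse_transform_sets(text)
    rows = []
    for m in re.finditer(
            r"^crypto dynamic-map \S+ (\d+) set transform-set (\S+)$", text, re.M):
        seq, name = int(m.group(1)), m.group(2)
        ts = sets.get(name, {"mode": "undefined", "transforms": []})
        weak = [t for t in ts["transforms"] if t in WEAK]
        rows.append((seq, name, ts["mode"], weak))
    return sorted(rows)

if __name__ == "__main__":
    for seq, name, mode, weak in audit_dynamic_map(CONFIG):
        print(f"{seq:>4} {name:<20} {mode:<9} weak={','.join(weak) or '-'}")
```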