
Cisco Template VPN L2TP setup on ASA 5505 not working

Status
Not open for further replies.

xylax

MIS
Oct 14, 2005
31
US
After finding out that PPTP does not work on ASAs, I'm forced to use L2TP over IPSec. I'm configuring an ASA in a lab and have a machine connected to the outside interface. I copied Cisco's L2TP setup config from their site, but it does not work. I've done some research and found that others have had the config not work for them too.

I'm using Cisco VPN 5.0 to connect. I can get it to ask for a userid and password, but it then fails without any error on the client side.

Below is the configuration and the error log of when I try to connect. Any help is appreciated.

/////////////////////////////////////////////////
////////////// Configuration //////////////
/////////////////////////////////////////////////

ASA Version 7.2(3)
!
hostname testASA
domain-name default.domain.invalid
enable password N7FecZuSHJlVZC2P encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 2
!
passwd N7FecZuSHJlVZC2P encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit udp 10.1.1.0 255.255.255.0 eq isakmp any
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool IPPOOL 10.1.2.2-10.1.2.126 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.1.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 216.106.93.62 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 match address nonat
crypto dynamic-map Outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 20 ipsec-isakmp dynamic Outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.1.20
vpn-tunnel-protocol IPSec l2tp-ipsec
username test123 password 274Y4GRAbNElaCoV encrypted
username test123 attributes
vpn-group-policy DefaultRAGroup
username test password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 15
username test attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool IPPOOL
authorization-server-group LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
prompt hostname context
Cryptochecksum:5352a43a8af59cd365d19d49467a3aa0
: end

\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\\\\\\ Error Logs \\\\\\\\
\\\\\\\\\\\\\\\\\\\\\\\\\\\\
NOTE: I'm only pasting close to where the issues start. I'm doing the following debugs:
debug crypto isakmp 7
debug crypto ipsec 7
debug l2tp

---------------------------
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Obtained IP addr (10.1.2.2) prior to initiating Mode Cfg (XAuth enabled)
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Sending subnet mask (255.255.255.128) to remote client
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Assigned private IP address 10.1.2.2 to remote user
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing blank hash payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Send Client Browser Proxy Attributes!
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Send Cisco Smartcard Removal Disconnect enable!!
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing qm hash payload
Feb 26 09:24:24 [IKEv1]: IP = 172.16.1.100, IKE_DECODE SENDING Message (msgid=1989090a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 178
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, PHASE 1 COMPLETED
Feb 26 09:24:24 [IKEv1]: IP = 172.16.1.100, Keep-alive type for this connection: DPD
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Starting P1 rekey timer: 82080 seconds.
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, sending notify message
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing blank hash payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing qm hash payload
Feb 26 09:24:24 [IKEv1]: IP = 172.16.1.100, IKE_DECODE SENDING Message (msgid=3618c090) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
Feb 26 09:24:24 [IKEv1]: IP = 172.16.1.100, IKE_DECODE RECEIVED Message (msgid=f9219dc1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1022
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, processing hash payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, processing SA payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, processing nonce payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, processing ID payload
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Received remote Proxy Host data in ID Payload: Address 10.1.2.2, Protocol 0, Port 0
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, processing ID payload
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, QM IsRekeyed old sa not found by addr
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.1.2.2/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, sending notify message
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing blank hash payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing qm hash payload
Feb 26 09:24:24 [IKEv1]: IP = 172.16.1.100, IKE_DECODE SENDING Message (msgid=e2586eb5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 1076
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, QM FSM error (P2 struct &0x1b14980, mess id 0xf9219dc1)!
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, IKE QM Responder FSM error history (struct &0x1b14980) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, sending delete/delete with reason message
Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, Removing peer from correlator table failed, no match!
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, IKE SA AM:a8a23bbf rcv'd Terminate: state AM_ACTIVE flags 0x0841c041, refcnt 1, tuncnt 0
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, IKE SA AM:a8a23bbf terminating: flags 0x0941c001, refcnt 0, tuncnt 0
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, sending delete/delete with reason message
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing blank hash payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing IKE delete payload
Feb 26 09:24:24 [IKEv1 DEBUG]: Group = DefaultRAGroup, Username = test123, IP = 172.16.1.100, constructing qm hash payload
Feb 26 09:24:24 [IKEv1]: IP = 172.16.1.100, IKE_DECODE SENDING Message (msgid=bdc13a9a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Feb 26 09:24:24 [IKEv1]: IP = 172.16.1.100, Received encrypted packet with no matching SA, dropping




Shon
Network Administrator
 
no matching crypto map entry for remote proxy 10.1.2.2/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
This is your problem. I believe it is with your match address nonat. Try this:
Code:
clear config access-list outside_cryptomap_dyn_20

access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.2.0 255.255.255.0

crypto dynamic-map Outside_dyn_map 20 match address outside_cryptomap_dyn_20

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
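To see why the replacement ACL matches the negotiated proxy IDs while `nonat` (and the unused original `outside_cryptomap_dyn_20`) does not, here is an added Python example; it is not from this thread or from Cisco. It parses the "Rejecting IPSec tunnel" debug line above and the three ACLs in play, then tests each ACE for containment. It models the dynamic crypto-map check as "local proxy inside the ACE source and remote proxy inside the ACE destination", which is an assumption that simplifies the ASA's real matching logic; the names `REJECT_LINE`, `ACLS`, `parse_ace`, `parse_rejection`, `acl_matches` and `evaluate` are mine, and the sample data is constructed from the thread.

```python
"""Check IKE Quick Mode proxy IDs from an ASA debug log against crypto-map ACLs."""
import ipaddress
import re

# Constructed sample input: the rejection line from the thread's debug output.
REJECT_LINE = (
    "Feb 26 09:24:24 [IKEv1]: Group = DefaultRAGroup, Username = test123, "
    "IP = 172.16.1.100, Rejecting IPSec tunnel: no matching crypto map entry "
    "for remote proxy 10.1.2.2/255.255.255.255/0/0 local proxy "
    "0.0.0.0/0.0.0.0/0/0 on interface outside"
)

# Constructed sample input: the ACL the dynamic map referenced (nonat), the
# unused original ACL, and the ACL suggested in the answer.
ACLS = {
    "nonat": [
        "access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0",
    ],
    "outside_cryptomap_dyn_20 (original)": [
        "access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.1.0 255.255.255.0",
    ],
    "outside_cryptomap_dyn_20 (fixed)": [
        "access-list outside_cryptomap_dyn_20 extended permit ip any 10.1.2.0 255.255.255.0",
    ],
}

# The ASA prints each proxy as address/mask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+"
)


def _take_network(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Return (source_net, destination_net) for an 'extended permit ip' ACE."""
    tokens = line.split()
    i = tokens.index("ip") + 1          # first token after the protocol keyword
    src, i = _take_network(tokens, i)
    dst, _ = _take_network(tokens, i)
    return src, dst


def parse_rejection(line):
    """Extract (remote_proxy, local_proxy) networks from the rejection log line."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return remote, local


def acl_matches(acl_lines, remote, local):
    """True if some ACE's source covers the local proxy and its destination covers
    the remote proxy (assumed simplification of the ASA crypto-map match)."""
    return any(
        local.subnet_of(src) and remote.subnet_of(dst)
        for src, dst in map(parse_ace, acl_lines)
    )


def evaluate(reject_line=REJECT_LINE, acls=ACLS):
    """Map each ACL name to whether it would have matched the logged proxies."""
    remote, local = parse_rejection(reject_line)
    return {name: acl_matches(lines, remote, local) for name, lines in acls.items()}


if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:40s} {'MATCH' if ok else 'no match'}")
```

The client proposed a local proxy of 0.0.0.0/0 and a remote proxy of its assigned address 10.1.2.2/32, so the ACE source must be `any` and the destination must contain the IPPOOL range; `nonat` fails on the source side, the original `outside_cryptomap_dyn_20` fails on the destination side, and only the suggested ACE satisfies both.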
 
Yup, that did it! Thanks!

Shon
Network Administrator
 