Ammerpasvision
Technical User
Hello,
Despite the fact that I am already bald, I would have been pulling my hair out over the last two days of struggling with this issue.
We have a ZyWALL USG 300 at the office, and I want to connect with my MacBook Pro via L2TP over IPsec.
After a lot of trial and error and several user guides I have been able to set up the L2TP account.
However, I cannot get this to work. We have a Cisco 876 connected to our DSL; behind the Cisco there is the ZyWALL USG 300 that functions as the VPN server and firewall.
The Cisco 876 has a static route forwarding all traffic from its Ethernet 192.168.1.1 to the WAN port of the ZyWALL, 192.168.1.2.
When I connect my laptop directly to the WAN port of the ZyWALL the VPN builds up without a hitch; however, when I try to connect from the outside it gives me the error:
Phase 2 local policy mismatch and no proposal chosen.
I suspect there is something wrong with the config of the Cisco 876; however, I am not a Cisco expert.
So could somebody please have a look at my config and see if I maybe missed the obvious?
Thanks in advance!
Ammer
Building configuration...
Current configuration : 2363 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname pasvision_cisco_876
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone GMT 1
clock summer-time GMT date Mar 30 2002 1:00 Oct 26 2035 1:59
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name pasvisionsbs
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username xxxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/33
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description LAN-interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 192.168.1.2 interface Dialer0
!
access-list 23 remark TTY security
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 remark Routit
access-list 23 permit 213.144.0.0 0.0.255.255
access-list 23 permit 172.31.255.0 0.0.0.255
access-list 101 remark .-. ACL voor de nat netwerken
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
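As an added example (not part of the post above, and not Cisco or Zyxel code), the script below parses the NAT-relevant lines of an IOS running-config like the one posted and reports what a VPN server placed behind the router can expect: whether a static 1:1 translation forwards unsolicited IKE (UDP/500), NAT-T (UDP/4500) and ESP to it, whether the same host also falls under the dynamic overload ACL, and whether the server's address is private (which is what makes NAT traversal and the server's local identity matter). The embedded configuration excerpt is a constructed copy of the posted NAT and interface lines; the host address 192.168.1.2 is the ZyWALL WAN address from the post.

```python
import ipaddress
import re

# Constructed excerpt of the posted IOS configuration: only the interface,
# NAT and access-list lines that decide how inbound VPN traffic is handled.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source static 192.168.1.2 interface Dialer0
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into an IPv4Network.

    IOS wildcards are inverted netmasks, so 0.0.0.255 means /24 and
    0.0.0.0 means a single host (/32)."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_nat(config_text):
    """Collect NAT inside/outside interfaces, static and dynamic NAT
    statements, and the networks permitted by 'access-list N permit ip'."""
    nat = {"inside": [], "outside": [], "static": [], "dynamic": [], "acls": {}}
    current_iface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_iface = line.split(None, 1)[1]
        elif line == "!":
            current_iface = None  # '!' ends an interface block in IOS
        elif line == "ip nat inside" and current_iface:
            nat["inside"].append(current_iface)
        elif line == "ip nat outside" and current_iface:
            nat["outside"].append(current_iface)
        m = re.match(r"ip nat inside source static (\S+) interface (\S+)", line)
        if m:
            nat["static"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line)
        if m:
            nat["dynamic"].append((m.group(1), m.group(2)))
            continue
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) any", line)
        if m:
            nat["acls"].setdefault(m.group(1), []).append(
                wildcard_to_network(m.group(2), m.group(3)))
    return nat


def audit_vpn_host(config_text, vpn_host):
    """Return human-readable findings about how the router treats vpn_host."""
    nat = parse_nat(config_text)
    host = ipaddress.IPv4Address(vpn_host)
    findings = []
    static_ifaces = [iface for ip, iface in nat["static"] if ip == vpn_host]
    if static_ifaces:
        findings.append(
            f"static 1:1 NAT: all unsolicited inbound flows on {static_ifaces[0]} "
            f"(IKE UDP/500, NAT-T UDP/4500, ESP) are forwarded to {vpn_host}")
    else:
        findings.append(
            f"no static NAT for {vpn_host}: unsolicited IKE from the Internet "
            f"cannot reach it")
    for acl, iface in nat["dynamic"]:
        if any(host in net for net in nat["acls"].get(acl, [])):
            findings.append(
                f"{vpn_host} also matches overload ACL {acl} on {iface}; IOS "
                f"applies the static entry first, verify with "
                f"'show ip nat translations'")
    if host.is_private:
        findings.append(
            f"{vpn_host} is RFC1918: peers address the router's public IP while "
            f"the server's own local identity/policy is {vpn_host}, so NAT "
            f"traversal must be enabled on both ends")
    if not (nat["inside"] and nat["outside"]):
        findings.append("NAT is incomplete: inside and outside interfaces are not both defined")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_host(SAMPLE_CONFIG, "192.168.1.2"):
        print("-", finding)
```

Run against the posted configuration, the script confirms the forwarding side is in place (the static translation sends every protocol to 192.168.1.2) and highlights that the server is a private host behind NAT, which is where a "local policy mismatch" on the IPsec side is usually worth checking next.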