I'm trying to set up an L2TP VPN on a Cisco 2821 router and connect from the Microsoft VPN client. The problem is it's failing on phase 1 and doesn't connect.
The debug events are:
- Hash algorithm offered does not match policy!
- atts are not acceptable. next payload is 0
- no offers accepted!
- Phase 1 SA policy not acceptable
I also have a working site-to-site VPN that might be conflicting.
I cannot see what the mismatch is and would appreciate any suggestions.
Thanks
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EDGE-2821
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-3g.bin
boot-end-marker
!
logging count
logging buffered 4096 debugging
logging console critical
logging monitor critical
!
aaa new-model
!
!
aaa group server radius RadiusServers
server 172.16.2.11 auth-port 1812 acct-port 1813
!
aaa authentication login default local group RadiusServers
aaa authentication login RadiusServers group RadiusServers
aaa authentication login vty_line local
aaa authentication login console_line line none
aaa authentication ppp default local group RadiusServers
aaa authentication ppp vpdn group RadiusServers
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone Eastern -5
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect max-incomplete high 4100
ip inspect max-incomplete low 4000
ip inspect one-minute high 4100
ip inspect one-minute low 4000
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW https timeout 1800
ip inspect name DMZ_LOW smtp
ip inspect name DMZ_LOW udp
ip inspect name DMZ_LOW tcp
!
ip flow-cache timeout active 1
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
no ip bootp server
no ip domain lookup
ip domain name xx.xxx
ip ssh time-out 60
vpdn enable
!
vpdn-group l2tp-vpn
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxx address xx.xx.xx.xx no-xauth
!
crypto isakmp client configuration group default
key
dns 172.16.2.11 172.16.2.2
wins 172.16.2.11 172.16.2.2
domain xx.xxx
pool VPN_Pool
acl 102
netmask 255.255.255.0
!
crypto ipsec transform-set trnsfrmset esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set ASA-IPSEC esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set trnsfrmset
reverse-route
!
crypto map clientmap client authentication list RadiusServers
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
crypto map clientmap 11 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ASA-IPSEC
match address 107
!
interface Tunnel1
no ip address
!
interface GigabitEthernet0/0
description LAN - Edge
ip address 172.16.1.2 255.255.0.0
ip access-group sdm_gigabitethernet0/0_in in
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description WAN - Edge
ip address 63.236.108.70 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex full
speed 10
no mop enabled
crypto map clientmap
!
interface GigabitEthernet0/3/0
description DMZ - Edge
ip address 172.17.1.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
no negotiation auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
ip mroute-cache
peer default ip address pool VPN_Pool
no keepalive
ppp encrypt mppe 128 required
ppp authentication ms-chap ms-chap-v2
!
ip local pool VPN_Pool 192.168.80.1 192.168.80.254
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.1.1.0 255.255.255.252 172.16.1.1
ip route 10.1.1.4 255.255.255.252 172.16.1.5
ip route 172.17.0.0 255.255.0.0 172.16.1.1 permanent
ip route 172.20.0.0 255.255.0.0 172.16.1.1
ip route 172.25.0.0 255.255.0.0 172.16.1.1 permanent
ip route 172.26.0.0 255.255.0.0 172.16.1.1
ip route 172.27.0.0 255.255.0.0 172.16.1.1
ip route 172.28.0.0 255.255.0.0 172.16.1.1
ip route 172.29.0.0 255.255.0.0 172.16.1.1
ip route 172.30.0.0 255.255.0.0 172.16.1.1
ip route 192.168.1.0 255.255.255.0 172.16.1.1
ip route 192.168.112.0 255.255.255.0 172.16.1.5
ip route 192.168.119.0 255.255.255.0 172.16.1.5
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 172.16.2.xx 2000
ip flow-top-talkers
top 10
sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static network 172.17.1.15 xx.xx.xx.xx /32
ip nat inside source static network 172.17.1.10 xx.xx.xx.xx /32
ip nat inside source static network 172.17.1.11 xx.xx.xx.xx /32
!
ip access-list extended sdm_gigabitethernet0/0_in
remark SDM_ACL Category=17
permit icmp any any log
permit ip any any
!
ip radius source-interface GigabitEthernet0/0
logging history errors
logging trap notifications
logging origin-id hostname
logging source-interface GigabitEthernet0/0
logging server-arp
logging 172.25.2.23
logging 172.25.55.172
access-list 1 permit any
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.20.0.0 0.0.255.255 log
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=17
access-list 100 permit icmp any any log
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 xx.xx.xx.xx 0.0.0.255
access-list 101 permit ahp any host xx.xx.xx.xx
access-list 101 permit esp any host xx.xx.xx.xx
access-list 101 permit ip any 172.16.0.0 0.0.255.255
access-list 101 permit ip any 172.17.0.0 0.0.255.255
access-list 101 permit ip any 172.25.0.0 0.0.255.255
access-list 101 permit ip any 172.20.0.0 0.0.255.255
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.25.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.20.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.17.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip xx.xx.xx.xx 0.0.0.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.3 192.168.80.0 0.0.0.255
access-list 102 permit ip 10.1.1.4 0.0.0.3 192.168.80.0 0.0.0.255
access-list 102 permit ip 192.168.112.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 192.168.119.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.26.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.27.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.28.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.29.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 102 permit ip 172.30.0.0 0.0.255.255 192.168.80.0 0.0.0.255
access-list 105 remark SDM_ACL Category=18
access-list 105 deny ip any 192.168.80.0 0.0.0.255 log
access-list 105 deny ip any 192.168.50.0 0.0.0.255
access-list 105 permit ip any any log
access-list 107 remark SDM_ACL Category=4
access-list 107 permit ip 172.16.0.0 0.0.255.255 192.168.50.0 0.0.0.255
access-list 109 deny ip any any log
access-list 110 permit udp 172.17.0.0 0.0.255.255 any eq domain
access-list 144 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 150 permit udp any host xx.xx.xx.xx eq isakmp
access-list 150 permit udp any host xx.xx.xx.xx eq non500-isakmp
access-list 170 permit ip 192.168.50.0 0.0.0.255 172.16.0.0 0.0.255.255
snmp-server community xxxxxx RW
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 105
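As an added illustration (not part of the post, and not Cisco code), the following Python models how an IKEv1 responder walks its `crypto isakmp policy` list against each transform the client offers and produces the kind of debug lines quoted above. Policy 10 is taken from the posted config; the Windows client offers and the site-to-site peer's offer are constructed assumptions, and the model also shows that adding a second policy beside policy 10 leaves a peer that already matches policy 10 unaffected.

```python
"""IKEv1 main-mode proposal matching, modelled on the debug lines in the post.
Added example, not Cisco code; only policy 10 is taken from the posted config."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Proposal:
    encr: str      # IOS "encr": "des", "3des", "aes-128", "aes-256"
    hash_alg: str  # IOS "hash": "md5" or "sha"
    auth: str      # IOS "authentication": "pre-share" or "rsa-sig"
    group: int     # Diffie-Hellman group

# Posted config: crypto isakmp policy 10 -> encr 3des, hash md5, authentication pre-share, group 2
POSTED_POLICIES = {10: Proposal("3des", "md5", "pre-share", 2)}
# Candidate fix: keep policy 10 for the existing peer and add a SHA-1 policy beside it
FIXED_POLICIES = {**POSTED_POLICIES, 20: Proposal("3des", "sha", "pre-share", 2)}

# Constructed, illustrative offers for the Windows built-in L2TP/IPsec client
# (assumption: it proposes SHA-1, never MD5; the list is not version-exact)
WINDOWS_CLIENT_OFFERS = [
    Proposal("3des", "sha", "pre-share", 2),
    Proposal("aes-128", "sha", "pre-share", 2),
    Proposal("aes-256", "sha", "pre-share", 2),
]
# Constructed: the site-to-site peer's offer, assumed to match policy 10 since that tunnel works
SITE_TO_SITE_OFFERS = [Proposal("3des", "md5", "pre-share", 2)]

# Attributes in the order checked; only the hash message is quoted from the post, the rest are modelled on it
CHECKS = (
    ("encr", "Encryption algorithm offered does not match policy!"),
    ("hash_alg", "Hash algorithm offered does not match policy!"),
    ("auth", "Auth method offered does not match policy!"),
    ("group", "Diffie-Hellman group offered does not match policy!"),
)

def check_offer(policy, offer):
    """None when every attribute matches, else the message for the first mismatch."""
    for attr, msg in CHECKS:
        if getattr(policy, attr) != getattr(offer, attr):
            return msg
    return None

def negotiate(policies, offers):
    """Try each offer against every policy, lowest policy number (highest priority) first.
    Returns (policy_number, matched_offer, debug_log); policy_number is None on failure."""
    log = []
    for offer in offers:
        for number in sorted(policies):
            reason = check_offer(policies[number], offer)
            if reason is None:
                return number, offer, log
            log.append(reason)
        log.append("atts are not acceptable. next payload is 0")
    log += ["no offers accepted!", "Phase 1 SA policy not acceptable"]
    return None, None, log
```

Running `negotiate(POSTED_POLICIES, WINDOWS_CLIENT_OFFERS)` reproduces the hash-mismatch line followed by the "no offers accepted!" and "Phase 1 SA policy not acceptable" lines, while `FIXED_POLICIES` matches the client on policy 20 and still matches the constructed site-to-site offer on policy 10.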