Trying to connect to a L2TP over IPSec VPN
There are quite a few threads on here about VPN's and Lion, and clearly quite a number of questions. However, I haven't found one that quite addresses the problem I've got and I've now exhausted all my ideas and am looking for help...
I have a hardware VPN server that I know is working correctly. I normally have it setup so that all connections have to be L2TP over IPSec, but currently also have PPTP connections enabled.
At the moment I can do the following:
Connect to it from a machine running Windows 7 using all methods
Connect to it from a machine running Snow Leopard using the in built PPTP and L2TP over IPSec network configurations
Connect to it from a machine running Lion using the in built PPTP network configuration
Connect to it from a machine running Lion using Equinux's VPN Tracker 6
What I can't do is connect to it from a machine running Lion using L2TP over IPSec using the network configuration
I have tried a clean install of Lion and entering the connections. I have tried using an install of Snow Leopard that works and then upgrading it. I just cannot get it to work.
Looking at the logs on both the VPN server and my machine I can see that the IPSec connection is established but then my client says that it cannot connect to the server whilst my server is saying that CHAP login has failed.
I have been through all of the potential solutions I can find on here or the wider internet, no matter how unlikely they seem to be to my problem. I've ensured that there are no potential firewall issues. I've also tried every setting I can think of on both my client and the server. I've tried changing secrets and passwords, including reducing their length, ensuring nothing like Back to My Mac can interfere, and even starting up in 32 bit mode.
I've now exhausted my ideas. Does anybody have any ideas, a potential solution or managed to get this to work?
My connection is set up to use a shared secret and a password.
I am trying to set up connection to PureVPN for security purposes and have followed their config settings for my Macbook.
So how do I check the ports on my machine, as I'm sure it's not a problem at their end. I only have one machine so don't understand how it is possible to see if ports are being blocked at my end.
Do I run that /var/log/ppp.log in Terminal?
Similar Messages
-
Is it possible configurate split-tunnel at l2tp over ipsec vpn at asa
Dear i want to know is it possibly to configurate split-tunnel at l2tp over ipsec vpn at asa???
thanks.please help me.
-
Configurate L2tp over ipsec vpn at ASA
Hi dear i want to configurate L2tp over ipsec vpn at asa. my asa behind nat device(nat device is router).
is it working?thanks to reply me.
i have a transfor set for ipsec vpn client. yes you are rigth i have same sequence dynamic map. which one i changed? and then what about crytpto map? how i do it? please write to me how to do at my configuration??
i have real working network i confused to test it. please write me how to do it.
thanks. -
Dear All,
I have configured L2TP over IPSec VPN in my Cisco ASA 5520 for windows vpn client.
my client pool range is 192.168.15.0-192.168.15.50 255.255.255.192
my internal nw range 10.138.78.0/24,10.138.79.0/24
Now I want to know What access list I need to configure for that?What port I need to open for the same?
Access-list is configured in my ASA for inbound traffic in the outside interface only.I want to give full access to the VPN client.
Plz guide me in this issue..It will be very helpful if u send the sample L2TP over IPSec VPN configuration.
Regards,
somHope this helps.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml -
ASA 5505 - L2TP over IPsec - Remote Address shows outside interface address
Using an ASA 5505 for firewall and VPN. We've enabled L2TP over IPsec to allow Windows clients to connect without third party software.
The devices complete the connection and authenticate fine, but then are unable to hit any internal resources. Split tunneling seems to be working, as they can still hit outside resources. Packet tracer shows tcp flowing freely between VPN clients (192.168.102.0/24) and internal resources (192.168.100.0/24). Even the NAT translation looks good in packet tracer.
I pulled up the session details for one of the VPN clients in the ASDM and under the IPsecOverNatT details, it is showing the VPN client's remote address correctly, but displays the local address as the address assigned to the outside interface (which the client is using to connect.) This seems to be the problem, as viewing detailed connection logs shows the internal resources trying to send packets back to the outside interface rather than the VPN client's assigned internal addresses. Details:
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: [OUTSIDE INTERFACE ADDRESS]
local ident (addr/mask/prot/port): ([OUTSIDE INTERFACE ADDRESS]/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): ([VPN CLIENT ADDRESS]/255.255.255.255/17/0)
current_peer: [VPN CLIENT ADDRESS], username: vpnuser
dynamic allocated peer ip: 192.168.102.1 [This is what I think it should be showing for local ident]
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: [OUTSIDE INTERFACE ADDRESS]/4500, remote crypto endpt.: [VPN CLIENT ADDRESS]/8248
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 05BFAE20
current inbound spi : CF85B895
inbound esp sas:
spi: 0xCF85B895 (3481647253)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373998/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000FFFFD
outbound esp sas:
spi: 0x05BFAE20 (96448032)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 77824, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4373999/3591)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Any ideas? The remote clients connect but when internal resources try to send traffic to the VPN clients, the packets are directed to the outside interface address instead of the local address assigned to the VPN client.I have what I believe to be a similar issue. Site to site vpn is working well. That is site b can ping and send traffic to site A but Site A can not. Site B is a 3rd party vpn router. Site A is a Cisco 5505.
It appears that when the crypto map inserts the route into the routing table it shows the route via the outside IP of the outside interface and not the IP of Site B. in the crypto map I can see the proper ip address for the peer. I can't figure out why when it inserts the route that it uses the wrong ip address -
L2TP over IPSEC Static NAT trouble
I have a 5510 that i have configured for L2TP over IPSEC, not using AnyConnect. As of right now i have two open issues that i cannot figure out. The first, and most prevelant being, VPN clients are unable to ping/access any of the hosts that are assigned a static NAT from the inside interface to the outside interface. I was able to circumvent this by adding another static NAT to the public interface for the incoming clients, but this caused intermittent connectivity issues with inside hosts.
The second issue involves DNS. I have configured two DNS servers, both of which reside on the internal network and are in the split_tunnel ACL for VPN clients, but no clients are using this DNS. What is the workaround for using split tunneling AND internal DNS servers, if any?
I'm looking for any help someone might be able to give as i've had two different CCNA's look at this numerous times to no avail. The config is below.
To sum up, and put this in perspective i need to be able to do the following...
VPN CLIENT (10.1.50.x) -> splitTunnel -> int G0/2 (COMCAST_PUBLIC) -> int G0/3(outside)(10.1.4.x) -> STATIC NAT from G0/0(inside)(10.103.x.x) -> NAT (10.1.4.x)
A ping from a VPN client to any internal host works fine, unless it is one that is NAT'd. You can see in the config where i added the extra STATIC NAT to try and fix the issue. And this works perfectly across the tunnel but only intermittenly from the internal 10.1.4.x network.
As well as any help with DNS. Please advise, thank you.
-tony
: Saved
ASA Version 8.2(1)
hostname fw-01
enable password HOB2xUbkoBliqazl encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.103.6.0 K2CONT description K2 Control Network
name 10.103.5.0 K2FTP description K2 FTP Network
name 10.103.1.0 NET description Internal Network Core Subnet
name 10.1.4.0 WBND description WBND Business Network
name 178.3.200.173 WCIU-INEWS0 description WCIU iNEWS Server
name 178.3.200.174 WCIU-INEWS1 description WCIU iNEWS Server
name 10.103.2.50 ENG-PC description Engineering PC
name 10.103.2.56 NAV-PC description Navigator PC
name 10.103.2.77 PF-SVR-01 description Pathfire Server 01
name 69.55.236.230 RTISVR description "Rootlike Technologies, Inc. Server"
name 69.55.236.228 RTISVR1 description "Rootlike Technologies, Inc. Server"
name 10.103.2.0 GEN-NET description General Broadcast Network
name 10.103.4.0 INEWS-NET description INEWS Network
name 10.103.4.84 INEWS0 description WBND iNEWS Server 0
name 10.103.4.85 INEWS1 description WBND iNEWS Server 1
name 10.103.3.0 TELE-NET description TELEMETRICS Network
name 10.1.4.22 NAT-INEWS0 description "Public NAT address of iNEWS server 0"
name 10.1.4.23 NAT-INEWS1 description "Public NAT address of iNEWS server 1"
name 10.1.4.20 NAT-K2-FTP0 description "Public NAT address of K2 FTP Server 0"
name 10.1.4.21 NAT-K2-FTP1 description "Public NAT address of K2 FTP Server 0"
name 10.103.4.80 MOSGW description "MOS Gateway."
name 10.1.4.24 NAT-MOSGW description "Public NAT address of MOS Gateway."
name 10.103.2.74 PF-DUB-01 description PathFire Dub Workstation
name 209.118.74.10 PF-EXT-0 description PF External Server 0
name 209.118.74.19 PF-EXT-1 description PF External Server 1
name 209.118.74.26 PF-EXT-2 description PF External Server 2
name 209.118.74.80 PF-EXT-3 description PF External Server 3
name 10.103.4.37 PIXPWR description Pixel Power System 0
name 10.1.4.26 NAT-PIXPWR description "Public NAT address of PixelPower System 0"
name 10.103.4.121 ignite
name 10.103.3.89 telemetrics
name 10.1.4.50 vpn_3000
name 10.103.5.4 K2-FTP0 description K2 FTP Server 0
name 10.103.5.5 K2-FTP1 description K2 FTP Server 1
name 10.1.4.40 NAT-ENG-PC description Engineering HP
name 10.103.2.107 ENG-NAS description ENG-NAS-6TB
name 10.1.1.0 WCIU description WCIU
name 178.3.200.0 WCIU_Broadcast description WCIU_Broadcast
name 10.2.1.0 A-10.2.1.0 description WCIU 2
name 10.1.50.0 VPN-POOL description VPN ACCESS
interface Ethernet0/0
description "Internal Network 10.103.1.0/24"
nameif inside
security-level 100
ip address 10.103.1.1 255.255.255.0
interface Ethernet0/1
shutdown
no nameif
security-level 0
no ip address
interface Ethernet0/2
nameif COMCAST_PUBLIC
security-level 0
ip address 173.161.x.x 255.255.255.240
interface Ethernet0/3
description "WBND Business Network 10.1.4.0/24"
nameif outside
security-level 0
ip address 10.1.4.8 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
clock timezone Indiana -4
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP-OK
description "ICMP types we want to permit."
icmp-object echo
icmp-object echo-reply
icmp-object traceroute
icmp-object unreachable
icmp-object time-exceeded
object-group network INTERNAL-ALL
description "All internal networks."
network-object NET 255.255.255.0
network-object GEN-NET 255.255.255.0
network-object TELE-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
network-object K2FTP 255.255.255.0
network-object K2CONT 255.255.255.0
object-group service W3C
description "HTTP/S"
service-object tcp eq www
service-object tcp eq https
object-group service FTP-ALL
description "FTP Active/Passive."
service-object tcp eq ftp
service-object tcp eq ftp-data
object-group service INEWS-CLI
description "Ports required for INEWS client/server communications."
service-object tcp eq telnet
service-object tcp eq login
service-object tcp eq 600
service-object tcp eq 49153
service-object tcp eq 49152
service-object tcp-udp eq 1020
service-object tcp-udp eq 1019
group-object W3C
group-object FTP-ALL
service-object tcp eq ssh
service-object tcp-udp eq 1034
service-object tcp-udp eq 1035
object-group service NET-BASE
description "Base network services required by all."
service-object tcp-udp eq 123
service-object udp eq domain
object-group network INEWS-SVR
description "iNEWS Servers."
network-object INEWS0 255.255.255.255
network-object INEWS1 255.255.255.255
object-group network WCIU-INEWS
description "iNEWS Servers at WCIU."
network-object WCIU-INEWS0 255.255.255.255
network-object WCIU-INEWS1 255.255.255.255
object-group network K2-FTP
description "K2 Servers"
network-object host K2-FTP0
network-object host K2-FTP1
object-group network PF-SYS
description Internal PathFire Systems
network-object host PF-DUB-01
network-object host PF-SVR-01
object-group network INET-ALLOWED
description "Hosts that are allowed Internet access (HTTP/FTP) and a few other basic protocols.
network-object host ENG-PC
network-object host NAV-PC
network-object host PF-SVR-01
group-object INEWS-SVR
group-object K2-FTP
group-object PF-SYS
network-object host PIXPWR
network-object K2CONT 255.255.255.0
object-group service GoToAssist
description "Port required for Citrix GoToAssist remote support sessions (along with HTTP/S)"
service-object tcp eq 8200
object-group service DM_INLINE_SERVICE_1
group-object FTP-ALL
group-object W3C
service-object tcp eq ssh
service-object tcp eq telnet
group-object GoToAssist
object-group network RTI
network-object host RTISVR1
network-object host RTISVR
object-group network NAT-K2-SVR
description "Public NAT addresses of K2 Servers."
network-object host NAT-K2-FTP0
network-object host NAT-K2-FTP1
object-group network NAT-INEWS-SVR
description "Public NAT addresses of iNEWS servers."
network-object host NAT-INEWS0
network-object host NAT-INEWS1
object-group service INEWS-SVCS
description "Ports required for iNEWS inter-server communication.
group-object INEWS-CLI
service-object tcp eq 1022
service-object tcp eq 1023
service-object tcp eq 2048
service-object tcp eq 698
service-object tcp eq 699
object-group service MOS
description "Ports used for MOS Gateway Services."
service-object tcp eq 10540
service-object tcp eq 10541
service-object tcp eq 6826
service-object tcp eq 10591
object-group network DM_INLINE_NETWORK_1
network-object host WCIU-INEWS0
network-object host WCIU-INEWS1
object-group network DM_INLINE_NETWORK_2
network-object GEN-NET 255.255.255.0
network-object INEWS-NET 255.255.255.0
object-group network PF-Svrs
description External PathfFire Servers
network-object host PF-EXT-0
network-object host PF-EXT-1
network-object host PF-EXT-2
network-object host PF-EXT-3
object-group service PF
description PathFire Services
group-object FTP-ALL
service-object tcp eq 1901
service-object tcp eq 24999
service-object udp range 6652 6654
service-object udp range 6680 6691
object-group service GVG-SDB
description "Ports required by GVG SDB Client/Server Communication."
service-object tcp eq 2000
service-object tcp eq 2001
service-object tcp eq 3000
service-object tcp eq 3001
object-group service MS-SVCS
description "Ports required for Microsoft networking."
service-object tcp-udp eq 135
service-object tcp eq 445
service-object tcp eq ldap
service-object tcp eq ldaps
service-object tcp eq 3268
service-object tcp eq 3269
service-object tcp-udp eq cifs
service-object tcp-udp eq domain
service-object tcp-udp eq kerberos
service-object tcp eq netbios-ssn
service-object udp eq kerberos
service-object udp eq netbios-ns
service-object tcp-udp eq 139
service-object udp eq netbios-dgm
service-object tcp eq cifs
service-object tcp eq kerberos
service-object udp eq cifs
service-object udp eq domain
service-object udp eq ntp
object-group service DM_INLINE_SERVICE_2
group-object MS-SVCS
group-object NET-BASE
group-object GVG-SDB
group-object W3C
object-group service DM_INLINE_SERVICE_3
group-object GVG-SDB
group-object MS-SVCS
group-object W3C
object-group service PIXEL-PWR
description "Pixel Power Services"
service-object tcp-udp eq 10250
object-group service DM_INLINE_SERVICE_4
group-object FTP-ALL
group-object GoToAssist
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
group-object MS-SVCS
service-object ip
object-group service DM_INLINE_SERVICE_5
group-object MS-SVCS
group-object NET-BASE
group-object PIXEL-PWR
group-object W3C
object-group service IG-TELE tcp-udp
port-object range 2500 49501
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object tcp
object-group network DM_INLINE_NETWORK_3
network-object host ENG-PC
network-object host NAT-ENG-PC
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object udp
protocol-object icmp
object-group network DM_INLINE_NETWORK_4
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
object-group network il2k_test
network-object 207.32.225.0 255.255.255.0
object-group network DM_INLINE_NETWORK_8
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_8
service-object ip
group-object INEWS-CLI
service-object icmp
service-object udp
object-group service DM_INLINE_SERVICE_6
service-object ip
group-object MS-SVCS
object-group network DM_INLINE_NETWORK_5
network-object WCIU 255.255.255.0
network-object WBND 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
object-group service DM_INLINE_SERVICE_7
service-object ip
service-object icmp
service-object udp
group-object INEWS-CLI
object-group network DM_INLINE_NETWORK_9
network-object host NAT-INEWS0
network-object host INEWS0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
protocol-object tcp
object-group network VPN-POOL
description "IP range assigned to dial-up IPSec VPN."
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_6
network-object WBND 255.255.255.0
network-object WCIU_Broadcast 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
network-object VPN-POOL 255.255.255.0
object-group network DM_INLINE_NETWORK_7
network-object WBND 255.255.255.0
network-object VPN-POOL 255.255.255.0
network-object A-10.2.1.0 255.255.255.0
network-object WCIU 255.255.255.0
object-group network DM_INLINE_NETWORK_10
network-object TELE-NET 255.255.255.0
network-object host ignite
access-list inbound extended permit object-group DM_INLINE_SERVICE_5 any host NAT-PIXPWR
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP1
access-list inbound extended permit object-group FTP-ALL any host NAT-K2-FTP0
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS1
access-list inbound extended permit object-group INEWS-CLI any host NAT-INEWS0
access-list inbound extended permit object-group INEWS-SVCS object-group DM_INLINE_NETWORK_1 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_SERVICE_7 object-group DM_INLINE_NETWORK_5 host NAT-INEWS1
access-list inbound extended permit object-group DM_INLINE_SERVICE_8 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_9
access-list inbound extended permit object-group MOS WBND 255.255.255.0 host NAT-MOSGW
access-list inbound extended permit icmp WBND 255.255.255.0 K2FTP 255.255.255.0 object-group ICMP-OK
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 object-group NAT-K2-SVR
access-list inbound extended permit object-group FTP-ALL WBND 255.255.255.0 K2FTP 255.255.255.0
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit icmp any any object-group ICMP-OK
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_1 host ignite host telemetrics
access-list inbound extended permit object-group MS-SVCS any WBND 255.255.255.0
access-list inbound extended permit ip any any
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_2 WBND 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list inbound extended permit object-group MS-SVCS any any
access-list inbound extended permit object-group INEWS-CLI WBND 255.255.255.0 object-group NAT-INEWS-SVR
access-list inbound extended permit object-group DM_INLINE_PROTOCOL_3 any WBND 255.255.255.0
access-list inbound extended permit ip any 173.161.x.x 255.255.255.240
access-list inbound extended permit ip any 207.32.225.0 255.255.255.0
access-list inbound extended permit ip WBND 255.255.255.0 host 70.194.x.x
access-list outbound extended deny ip object-group DM_INLINE_NETWORK_10 any
access-list outbound extended permit object-group DM_INLINE_SERVICE_4 host PIXPWR any
access-list outbound extended permit object-group INEWS-SVCS object-group INEWS-SVR object-group WCIU-INEWS
access-list outbound extended permit object-group INEWS-CLI object-group DM_INLINE_NETWORK_2 object-group WCIU-INEWS
access-list outbound extended permit object-group DM_INLINE_SERVICE_1 object-group INET-ALLOWED any
access-list outbound extended permit object-group NET-BASE object-group INTERNAL-ALL any
access-list outbound extended permit icmp any any object-group ICMP-OK
access-list outbound extended permit ip GEN-NET 255.255.255.0 any
access-list outbound extended permit ip host ignite host telemetrics
access-list outbound extended permit ip host NAV-PC host 10.103.2.18
access-list outbound extended permit ip any GEN-NET 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WBND 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit VPN-POOL 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit WCIU_Broadcast 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit A-10.2.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.3.200.0 255.255.255.0
access-list outside_nat0_outbound extended permit ip NET 255.255.255.0 object-group INTERNAL-ALL
access-list COMCAST_access_in extended permit ip any any
access-list COMCAST_PUBLIC_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging timestamp
logging buffer-size 100000
logging asdm-buffer-size 512
logging monitor notifications
logging buffered notifications
logging asdm notifications
mtu inside 1500
mtu COMCAST_PUBLIC 1500
mtu outside 1500
mtu management 1500
ip local pool VPN-POOL 10.1.50.1-10.1.50.254 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in deny ip any any
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list inside_access_ipv6_in remark "ACL denying all outbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in deny ip any any
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
ipv6 access-list outside_access_ipv6_in remark "ACL denying all inbound IPv6 traffic (and logging it)."
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any COMCAST_PUBLIC
icmp permit any echo outside
icmp permit any echo-reply outside
icmp permit any unreachable outside
no asdm history enable
arp timeout 14400
global (COMCAST_PUBLIC) 1 173.161.x.x
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 dns
static (inside,outside) NAT-K2-FTP0 K2-FTP0 netmask 255.255.255.255 dns
static (inside,outside) NAT-K2-FTP1 K2-FTP1 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS0 INEWS0 netmask 255.255.255.255 dns
static (inside,outside) NAT-INEWS1 INEWS1 netmask 255.255.255.255 dns
static (inside,outside) NAT-MOSGW MOSGW netmask 255.255.255.255 dns
static (inside,outside) NAT-PIXPWR PIXPWR netmask 255.255.255.255 dns
static (inside,outside) NAT-ENG-PC ENG-PC netmask 255.255.255.255 dns
static (inside,COMCAST_PUBLIC) 10.1.4.39 ENG-NAS netmask 255.255.255.255 dns
access-group outbound in interface inside per-user-override
access-group inside_access_ipv6_in in interface inside per-user-override
access-group outbound in interface COMCAST_PUBLIC
access-group outside_access_in in interface outside
access-group outside_access_ipv6_in in interface outside
route COMCAST_PUBLIC 0.0.0.0 0.0.0.0 173.161.x.x 1
route outside 0.0.0.0 0.0.0.0 10.1.4.1 100
route outside WCIU 255.255.255.0 10.1.4.11 1
route outside A-10.2.1.0 255.255.255.0 10.1.4.1 1
route inside 10.11.1.0 255.255.255.0 10.103.1.73 1
route inside GEN-NET 255.255.255.0 10.103.1.2 1
route inside TELE-NET 255.255.255.0 10.103.1.2 1
route inside INEWS-NET 255.255.255.0 10.103.1.2 1
route inside K2FTP 255.255.255.0 10.103.1.62 1
route inside K2CONT 255.255.255.0 10.103.1.62 1
route outside WCIU_Broadcast 255.255.255.0 10.1.4.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server DOMCON protocol radius
accounting-mode simultaneous
aaa-server DOMCON (outside) host 10.1.4.17
timeout 5
key Tr3at!Ne
acl-netmask-convert auto-detect
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http NET 255.255.255.0 inside
http GEN-NET 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set il2k-trans esp-aes-256 esp-sha-hmac
crypto ipsec transform-set il2k-transform-set esp-3des esp-sha-hmac
crypto ipsec transform-set il2k-transform-set mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set peer WBND
crypto dynamic-map dyno 10 set transform-set il2k-transform-set il2k-trans
crypto map VPN 10 ipsec-isakmp dynamic dyno
crypto map VPN interface COMCAST_PUBLIC
crypto map VPN interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable COMCAST_PUBLIC
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
crypto isakmp disconnect-notify
telnet timeout 5
ssh scopy enable
ssh NET 255.255.255.0 inside
ssh GEN-NET 255.255.255.0 inside
ssh VPN-POOL 255.255.255.0 COMCAST_PUBLIC
ssh 10.103.1.224 255.255.255.240 outside
ssh WBND 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 20
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.103.2.52 source inside prefer
webvpn
enable inside
enable outside
svc image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 1
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
group-policy DfltGrpPolicy attributes
dns-server value 10.1.4.17 10.1.1.21
vpn-simultaneous-logins 100
vpn-idle-timeout 120
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value MAINSERV
intercept-dhcp enable
address-pools value VPN-POOL
group-policy il2k internal
group-policy il2k attributes
dns-server value 10.1.4.17
vpn-tunnel-protocol l2tp-ipsec
ipsec-udp enable
username DefaultRAGroup password F1C2vupePix5SQn3t9BAZg== nt-encrypted
username tsimons password F1C2vupePix5SQn3t9BAZg== nt-encrypted privilege 15
username interlink password 4QnXXKO..Ry/9yKL encrypted
username iphone password TQrRGN4aXV4OVyavS5T/Ow== nt-encrypted
username iphone attributes
service-type remote-access
username hriczo password OSruMCto90cxZoWxHllC5A== nt-encrypted
username hriczo attributes
service-type remote-access
username cheighway password LqxYepmj5N6LE2zMU+CuPA== nt-encrypted privilege 15
username cheighway attributes
vpn-group-policy il2k
service-type admin
username jason password D8PHWEPGhNLOBxNHo0nQmQ== nt-encrypted
username roscor password jLkgabJ1qUf3hXax encrypted
username roscor attributes
service-type admin
tunnel-group DefaultRAGroup general-attributes
address-pool VPN-POOL
authentication-server-group DOMCON LOCAL
authentication-server-group (outside) LOCAL
authentication-server-group (inside) LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b7c375a2b09feacdf760d10092cf73f
: endNo one? I'd be happy to provide any more info if someone needs it, i'm just looking for some sort of direction. I did almost this whole config by myself and i'm completely self-taught Cisco, so weird things like this really through me.
Please help. Thank you -
L2TP over IPSec - Can IPSec be disabled?
Hello.
I need a pure L2TP connection. Mac OS X has L2TP over IPSec by default. I went through all checkboxes and have not found the one that could disable IPSec. Do I have to do it in the Terminal? If so, what is the command?
Thanks.It can be done by editing some files, but the documention I knew about is gone, but perhaps the zipped script in this thread will give you a clue on how to do it without OSX' built in one.
http://forums.macosxhints.com/showthread.php?t=40920
There are some GUI APPs that support plain L2TP...
IPsecuritas
http://www.lobotomo.com/products/IPSecuritas/
VaporSec
http://www.afp548.com/Software/VaporSec/
VPN Tracker
http://www.equinux.com/us/products/vpntracker/index.html -
L2TP over IPSec Disconnect/Reconnect Wait Time on Astaro Gateway
Hi Folks,
We're testing out a new router, Astaro 220. This may be an issue with connecting to just this router or all of them under Leopard, I don't know. This is the first time I've ever gotten the built-in "L2TP over IPSec" to work at all so I'm too giddy to complain too much, but I found this interesting:
Under Leopard (10.5.5), we can establish a VPN connection to and through the router. But after we disconnect, we cannot see the router's public (WAN) IP address. We can see it fine from other clients and connect from them no problem. This condition lasts for about three (3) minutes when we can finally ping the router again and VPN in.
This does not occur under Tiger; we can disconnect and reconnect immediately without issue.
Anyone else ever see anything like this? Like I said, I'm too happy about having it actually work to try to tinker too much, but if there's a simple workaround to tell users (other than "please wait"), it would be great.
Thanks,
Jeff
Message was edited by: JSCooperIf anyone ever cares ... we needed to set up routes on the Astaro from the IPSec pool to the LAN. Also, had to set the client to "Send ALL traffic through the VPN" and kick DNS back to the vpn clients from the gateway to enable web access.
-
We use CISCO VPN Client for RA. Now, a special application have to work with L2TP over IPSec. First I configure as shown in http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml#win and after with VPN Wizzard. Both times I cannot connect but don t know why. Phase 1 is established and an error occured while Phase 2:
PIX|ASA-6-713177
PIX|ASA-3-713902
I tested behind and in front of an nat-device with same error. client-identity is configured for ip-address. Whats going wrong?
Is it possible to configure an ACL for port 1701? I read something like that in earlier postings but cannot believe it.
Regards
HelmutIf the user is an L2TP client that uses Microsoft CHAP version 1 or version 2, and the security appliance is configured - to authenticate against the local database, you must include the mschap keyword. For example, username password mschap.
Note tunnel-group must be the DefaultRAGroup name. -
Good day, I have a 1941 router where I manage to connect some roadwarriors using L2TP over IPSec and it works perfectly up to 15.3.2T release.
After upgrading to 15.3.3M I am unable to have L2TP over IPSec working, while pure LAN to LAN IPSec still works perfectly (I have some tunnels to branch offices).
I have performed some debugs and I can get exactly the same messagges as 15.3.2T, I have captured all the packets on my computer and while on 15.3.2T I notice normal ESP traffic after ISAKMP, on 15.3.3M I only capture ESP packets from my PC to the 1941 and not any packet from 1941 and my PC.
Both show crypto isakmp sa and show crypto ipsec sa show active SAs between my PC and the 1941 so it seems that it's not a matter of IPSec, another test I need to perform is disabling one of the two WAN interfaces and leaving enabled only the one that I want to connect to.
Did you have any similar problem and can you share any information? Thanks in advance.Hi,
how you fixed it? -
3000 series concentrator and L2TP over IPSec
All,
Anyone have any wisdom they are willing to share regarding the establishment of a L2TP over IPSec tunnel between Mac OS X and a 3000 series concentrator? I believe that the concentrator is accepted the IKE SA proposal, but I can't get any further and I'm not able to get any useful information out of the logs on either side of the tunnel. The client side simply reports that "L2TP cannot connect to the server", the concentrator reports "Connection terminated for peer". It has clearly exchanged some valid information because the concentrator has assigned the traffic to the correct group (a non-default group I've set up specially to test this connection).
Looking at the packet dump I can see the two devices exchange some information, then the client starts sending ISAKMP packets (quick mode) that the concentrator seems to ignore.
Thoughts, suggestions, anecdotes etc. are all welcome.Try to adjust SA lifetime and the max connect time in VPN concentrator.
Refer these links:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a0080094eca.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_qanda_item09186a0080094cf4.shtml -
Cisco 2811 VPN L2TP over IPSEC
Hi,
Does the cisco 2811 support L2TP over IPSEC?Check these links:
http://www.cisco.com/en/US/products/ps5854/products_data_sheets_list.html
http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd80169bd6.shtml
http://www.cisco.com/en/US/products/ps5854/products_qanda_item0900aecd80169bba.shtml -
Very slow Windows domain login over IPSec VPN
Hi
I'm experiencing very slow Windows domain logins over an IPSec VPN connection. The AD is in Site 1, some users are in Site 2. Two Cisco ASA firewalls connect both sites by an IPSec VPN over the Internet.
I made some registery changes on the Windows XP client on site2 to let Kerberos communicate over TCP instead of UDP. Still the logins take extremely long (45 minutes). Profiles are very small, so there had to be a problem with Kerberos, MTU sizes or somethin like that. I already changed the clients MTU settings to 1000 byes, but login is still very slow. I made some sniffer logs...
Does anybody know what the problem can be ?
Regards
RemcoHi Remco,
The most common issue with slowness over VPN is going to be fragementation. In general below are the recommendations to avoid fragmentation
1. For TCP traffic, use "ip tcp adjust-mss 1360" on the Internal LAN Interface on the Router. If you are using GRE then configure "ip mtu 1400" under the Tunnel Interface.
If you are not using GRE then the value of "ip tcp adjust-mss" depends on the type of transform-set being used E.g. AES\3DES etc, so you can increase the value of TCP adjust command from 1360 to a higher value. Though I will start from 1360 first for testing.
Also take a look at the below article for MTU Issues
http://www.cisco.com/en/US/customer/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml
Thanks,
Naman -
9.0 can a dynamic nat be used over ipsec vpn?
9.0 can a dynamic nat be used over ipsec vpn?
we have a vpn up and working between two asa's and when we run the traffic through a static nat rule the traffic passes over the vpn. When we use a dynamic nat the traffic does not get picked up by the vpn ACL.
we are disabling the nat rules to switch back and forth so even when we use the same source destination the result is the same.
Am I missing something with 9.0 code versions? If i disable all nats and pass the traffic it goes over the vpn.
So it seems when using the dynamic nat statement it pushes the traffic to the outside interface without looking at the vpn acl. Please let me know if I am off base I am a newb on post 8.3 code.
ThanksI didn't do that at first because I remember reading something about in ver 9 to only use the unnatted IP because of order of ops. That seemed weird to me at the time.
Yes it seems that you need the nat ip like always. Should have just went with my gut on that.
Thanks -
Getting error 789 when trying to connect with a PC remotely via VPN
When we set up the VPN we are getting a Error 789 when trying to connect with a PC. Any suggestions would be appreciated.
The utilities, provided on the CD, are not required for the PC to access the Internet through the 802.11n AirPort Extreme Base Station (AEBSn). They are only necessary for administering the base station.
If your PC is currently configured as a DHCP client, it shouldn't have any issues connecting by Ethernet. The AEBSn will assign the appropriate IP addresses required for connectivity to the Internet ... just like it does for wireless clients.
Maybe you are looking for
-
My 4th gen iPod Touch does not work with Ford sync since updating OS
When I updated my iPod to the new os, it does not work with my ford sync system anymore. how do I fix this?
-
CSS attributes not supported in some browsers
Hello all. Here's a question some of you will laugh at but it's really cothering me. Try as I may, I'm getting used to the way CSS is handled between DWCS3 (Mac) and GL, and while everything looks fine when I'm in DW, I preview simple, static pages
-
Plantronics Voyager Pro headset NOT compatible with 3GS
I've been having terrible problems with my Plantronics Voyager pro all singing and all dancing bluetooth headset and my 3GS. I've tried 2 units to no avail and have a long case log with Plantronics support. Apparently the inbuilt noise cancelling "in
-
Refresing the Printer Services (in Windows Environment)
Hi, We implemented a service which shows the list of the printers to the end user. But the list of printers does not get refreshed when we add or remove a printer from the windows machine where this application is running. Does PrintServices get refr
-
Safari won't load pages with pictures after installing Maverick
I have an older iMac (2008), but it runs great and I have no problems with it. Except now that i installed Maverick, now Safari doesn't work properly. For most things, it works fine, then It will quit in the middle of a page. Or, I have uploaded p