ASA Microsoft L2TP/IPSEC

Does anyone have docs on how to set this up on the ASA and the configuration on Microsoft? Thx

Hi,
You have an example config of the ASA as an L2TP over IPsec server and Win2k as the client:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml
Note that newer Windows versions do not support MD5 and you will have to use SHA.
I do suggest updating your ASA to the latest release, and you can always find the L2TP over IPsec config here.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html
Marcin

Similar Messages

  • Looking for help to set up l2tp Ipsec vpn on asa 5055

    I am trying to set up an L2TP/IPsec VPN on an ASA 5055 and I am using the Windows 8.1 built-in VPN client to connect to it. I got the following error. Anyone who has experience, please help.
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, All IPSec SA proposals found unacceptable!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending notify message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing ipsec notify payload for msg id 1
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=6a50f8f9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, QM FSM error (P2 struct &0xad6946b8, mess id 0x1)!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE QM Responder FSM error history (struct &0xad6946b8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Removing peer from correlator table failed, no match!
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, IKE SA MM:d8870fa5 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, sending delete/delete with reason message
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing blank hash payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing IKE delete payload
    Apr 17 22:48:21 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 209.171.88.81, constructing qm hash payload
    Apr 17 22:48:21 [IKEv1]IP = 209.171.88.81, IKE_DECODE SENDING Message (msgid=232654dc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
    Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 209.171.88.81, Session is being torn down. Reason: Phase 2 Mismatch
    I am new to this so I don't know what I should do next. Thanks

    Here it is. Thanks.
    CL-T179-12IH# show run crypto
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
    crypto ipsec ikev2 ipsec-proposal DES
     protocol esp encryption des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal 3DES
     protocol esp encryption 3des
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES
     protocol esp encryption aes
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES192
     protocol esp encryption aes-192
     protocol esp integrity sha-1 md5
    crypto ipsec ikev2 ipsec-proposal AES256
     protocol esp encryption aes-256
     protocol esp integrity sha-1 md5
    crypto ipsec security-association pmtu-aging infinite
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-3DES-SHA ESP-DES-SHA ESP-AES-128-SHA-TRANS ESP-AES-192-SHA-TRANS ESP-AES-256-SHA-TRANS ESP-3DES-SHA-TRANS ESP-DES-SHA-TRANS
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint vpn
     enrollment self
     subject-name CN=174.142.90.17
     crl configure
    crypto ca trustpool policy
    crypto ca certificate chain vpn
     certificate 2d181c55
        308201ff 30820168 a0030201 0202042d 181c5530 0d06092a 864886f7 0d010105
        05003044 31163014 06035504 03130d31 37342e31 34322e39 302e3137 312a3028
        06092a86 4886f70d 01090216 1b434c2d 54313739 2d313249 482e7072 69766174
        65646e73 2e636f6d 301e170d 31353034 31363033 31393439 5a170d32 35303431
        33303331 3934395a 30443116 30140603 55040313 0d313734 2e313432 2e39302e
        3137312a 30280609 2a864886 f70d0109 02161b43 4c2d5431 37392d31 3249482e
        70726976 61746564 6e732e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500
        03818d00 30818902 818100bf 797d1cc1 cfffc634 8c3b2a4b ce27b1c9 3fc3e026
        4f6cd8f4 c9675aca b5176cef 7f3df142 35ba4e15 2613d34c 91bb5da3 14b34b6c
        71e4ff44 f129046f 7f91e73f 2c9d42f9 93001559 ea6c71c1 1a848073 15da79f7
        a41081ee b4cd3cc3 baa7a272 3a5fb32d 66dedee6 5994d4b2 ad9d7489 44ec9eb9
        44038a2a 817e935f 1bb7ad02 03010001 300d0609 2a864886 f70d0101 05050003
        8181002c 6cee9ae7 a037698a 5690aca1 f01c87db 04d9cbc6 65bda6dc a17fc4b6
        b1fd419e 56df108f b06edfe6 ab5a5eb3 5474a7fe 58970da3 23e6bc6e 36ab8f62
        d5c442bf 43581eb3 26b8cf26 6a667a8b ddd25a73 a094f0d0 65092ff8 d2a644d8
        3d7da7ca efeb9e2f 84807fdf 0cf3d75e bcb65ba4 7b51cb49 f912f516 f95b5d86
        da0e01
      quit
    crypto ikev2 policy 1
     encryption aes-256
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 10
     encryption aes-192
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 30
     encryption 3des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 policy 40
     encryption des
     integrity sha
     group 5 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside client-services port 443
    crypto ikev2 remote-access trustpoint vpn
    crypto ikev1 enable outside
    crypto ikev1 policy 10
     authentication crack
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 20
     authentication rsa-sig
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 30
     authentication pre-share
     encryption aes-256
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 40
     authentication crack
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 50
     authentication rsa-sig
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 60
     authentication pre-share
     encryption aes-192
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 70
     authentication crack
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 80
     authentication rsa-sig
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 90
     authentication pre-share
     encryption aes
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 100
     authentication crack
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 110
     authentication rsa-sig
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 120
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 130
     authentication crack
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 140
     authentication rsa-sig
     encryption des
     hash sha
     group 2
     lifetime 86400
    crypto ikev1 policy 150
     authentication pre-share
     encryption des
     hash sha
     group 2
     lifetime 86400

  • ASA 5505 L2TP client connect problem

    I am trying to connect MS L2TP clients to an ASA 5505 and am unsuccessful. I have tried the ASDM VPN Wizard as well as the CLI and am missing something. I have attached my current config. My client hits the interface and logs an error 713048 Error processing payload: Payload ID: 1. I know I am missing something simple, but I just can't see it. HELP!!!! Please

    ASA configuration needs to have the following configured ...
    - The preshared key needs to match the one configured in the Windows client setup.
    - The authentication needs to match what you have configured on the client, PAP or CHAP ..
    If CHAP is configured you need to re-add the usernames to the ASA with the mschap keyword
    at the end, e.g.
    SV2-2(config)# username msclient password msclient mschap
    - The DefaultRAGroup needs to be configured with the preshared key and point to a policy
    that includes this: vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
    The complete config is below ... DefaultRAGroup will be used if the preshared key is
    added and nothing is specified on the client..
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpnpool
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    authentication ms-chap-v2

  • Cisco ASA 5505 L2TP VPN cannot access internal network

    Hi,
    I'm trying to configure a Cisco L2TP VPN to my office. After a successful connection I cannot access the internal network.
    Can you help me to find out the issue?
    I have Cisco ASA:
    inside network - 192.168.1.0
    VPN network - 192.168.168.0
    I have router 192.168.1.2 and I cannot ping or get access to this router.
    Here is my config:
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 198.X.X.A 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network net-all
    subnet 0.0.0.0 0.0.0.0
    object network vpn_local
    subnet 192.168.168.0 255.255.255.0
    object network inside_nw
    subnet 192.168.1.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool sales_addresses 192.168.168.1-192.168.168.254
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic net-all interface
    nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
    nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
    object network vpn_local
    nat (outside,outside) dynamic interface
    object network inside_nw
    nat (inside,outside) dynamic interface
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 198.X.X.B 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set my-transform-set-ikev1
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 30
    console timeout 0
    management-access inside
    dhcpd address 192.168.1.5-192.168.1.132 inside
    dhcpd dns 75.75.75.75 76.76.76.76 interface inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy sales_policy internal
    group-policy sales_policy attributes
    dns-server value 75.75.75.75 76.76.76.76
    vpn-tunnel-protocol l2tp-ipsec
    username ----------
    username ----------
    tunnel-group DefaultRAGroup general-attributes
    address-pool sales_addresses
    default-group-policy sales_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:5d1fc9409c87ecdc1e06f06980de6c13
    : end
    Thanks for your help.

    You have to test it with "real" traffic to 192.168.1.2 and if you use ping, you have to add icmp-inspection:
    policy-map global_policy
      class inspection_default
        inspect icmp
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
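    The replies in these three threads ask for the same handful of checks on the ASA side: a transport-mode transform set that uses SHA (Marcin's MD5 note), a pre-shared key, a PPP authentication method and an l2tp-ipsec group policy on DefaultRAGroup, and identity NAT between the inside network and the VPN pool, plus the reason string the ASA prints when it tears the session down. The script below is an added example written for this page, not Cisco tooling or any poster's code: it runs those checks over a pasted `show run` and pulls the teardown reason out of an IKEv1 debug. The sample config and log lines are constructed to mirror the posted format; the object names, the 203.0.113.10 address and the suggestion to retest without PFS are illustrative assumptions.

```python
import re

# Constructed sample shaped like the `show run` output posted above; names and
# values are illustrative assumptions, not taken from any real firewall.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto dynamic-map dyno 10 set pfs group1
crypto dynamic-map dyno 10 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-MD5-TRANS
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local
group-policy sales_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""
# Constructed debug lines in the format of the IKEv1 log posted above.
SAMPLE_LOG = """\
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
Apr 17 22:48:21 [IKEv1]Group = DefaultRAGroup, IP = 203.0.113.10, Session is being torn down. Reason: Phase 2 Mismatch
"""
TOP_LEVEL = ("crypto ", "tunnel-group ", "group-policy ", "nat ", "object ", "access-list ")

def parse_config(text):
    """Collect what an L2TP/IPsec session depends on. Pasted configs usually lose
    subcommand indentation, so sections are tracked from header lines, not whitespace."""
    cfg = {"transport": set(), "sha": set(), "dyn": {}, "maps": {}, "nat_exempt": [],
           "l2tp_policies": set(), "ra": {"psk": False, "ppp": [], "policy": None}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(TOP_LEVEL):
            section = None
        if m := re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", line):
            if m.group(2) == "mode transport":
                cfg["transport"].add(m.group(1))
            elif "esp-sha-hmac" in m.group(2):
                cfg["sha"].add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set (?:(pfs)|(?:ikev1 )?transform-set (.+))", line):
            d = cfg["dyn"].setdefault(m.group(1), {"sets": set(), "pfs": False})
            if m.group(2):
                d["pfs"] = True
            else:
                d["sets"].update(m.group(3).split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            cfg["maps"].setdefault(m.group(1), {"dyn": set(), "iface": None})["dyn"].add(m.group(2))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            cfg["maps"].setdefault(m.group(1), {"dyn": set(), "iface": None})["iface"] = m.group(2)
        elif m := re.match(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2", line):
            cfg["nat_exempt"].append((m.group(1), m.group(2)))  # identity (NAT-exempt) pair
        elif m := re.match(r"group-policy (\S+) attributes", line):
            section = ("gp", m.group(1))
        elif m := re.match(r"tunnel-group DefaultRAGroup (\S+)-attributes", line):
            section = ("ra", m.group(1))
        elif section and section[0] == "gp" and line.startswith("vpn-tunnel-protocol"):
            if "l2tp-ipsec" in line.split():
                cfg["l2tp_policies"].add(section[1])
        elif section and section[0] == "ra":
            if "pre-shared-key" in line:
                cfg["ra"]["psk"] = True
            elif line.startswith("default-group-policy"):
                cfg["ra"]["policy"] = line.split()[1]
            elif section[1] == "ppp" and line.startswith("authentication"):
                cfg["ra"]["ppp"].append(line.split()[1])
    return cfg

def audit(cfg):
    """Findings to clear on the ASA before blaming the Windows client."""
    out, offered = [], set()
    for name, d in cfg["dyn"].items():
        if not any(name in v["dyn"] and v["iface"] for v in cfg["maps"].values()):
            out.append(f"dynamic map {name} is not applied to an interface through a crypto map")
        if d["pfs"]:  # assumption for this check: retest without PFS when Phase 2 fails
            out.append(f"dynamic map {name} sets pfs; retest with it removed if Phase 2 fails")
        offered |= d["sets"]
    if not offered & cfg["transport"] & cfg["sha"]:
        out.append(f"no transport-mode SHA transform set is offered (offered: {sorted(offered)})")
    ra = cfg["ra"]
    for key, msg in (("psk", "no pre-shared key"), ("ppp", "no PPP authentication method")):
        if not ra[key]:
            out.append(f"DefaultRAGroup has {msg}")
    if ra["policy"] not in cfg["l2tp_policies"]:
        out.append(f"group-policy {ra['policy']} does not list l2tp-ipsec in vpn-tunnel-protocol")
    if not cfg["nat_exempt"]:
        out.append("no identity NAT between the inside network and the VPN pool")
    return out

def teardown_reason(log):
    """Return the ASA's own reason string from an IKEv1 debug log, or None."""
    m = re.search(r"Session is being torn down\. Reason: (.+)", log)
    return m.group(1).strip() if m else None
```

    Run `audit(parse_config(SAMPLE_CONFIG))` and the constructed sample produces two findings: the dynamic map only offers a tunnel-mode SHA set and a transport-mode MD5 set, so nothing a current Windows client will accept is on the list, and the map sets PFS. Swap ESP-3DES-MD5-TRANS for ESP-AES-128-SHA-TRANS and drop the pfs line and the audit comes back clean; `teardown_reason(SAMPLE_LOG)` returns "Phase 2 Mismatch", which is the line to read first in any of these debugs.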

  • Cisco ASA 5505 L2TP Pass through

    I am having trouble with L2TP pass through on an ASA 5505 device.
    L2TP server: OSX 10.6
    I can connect with any OSX system and it works fine straight away.
    When connecting with a Windows computer I get a 789 error.  "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer."
    I did not set up or configure the device to start with and, apart from this issue, it's working fine, so I am hesitant to just mess around too much to try and find the problem.
    I am using the ASDM 6.4 to manage the device.
    Ports look to be forwarded correctly; 1701, 4500 & 500 UDP.
    I'm just looking for other common issues?
    Rob

    Below are the commands you wanted.
    Where you see IPNOTWHATIWASEXPECTING:
    This is an IP I don't know, possibly an old IP address.
    and
    default-domain value domain-notcorrect.local
    This is an old domain from years ago.
    Result of the command: "show run crypto"
    crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
    crypto ipsec transform-set aes-192-sha esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map map-dynamic 1 set pfs group5
    crypto dynamic-map map-dynamic 1 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 2 set pfs
    crypto dynamic-map map-dynamic 2 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 3 set pfs
    crypto dynamic-map map-dynamic 3 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto dynamic-map map-dynamic 4 set transform-set aes-256-sha aes-192-sha aes-sha 3des-sha
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer IPNOTWHATIWASEXPECTING3
    crypto map outside_map 1 set transform-set ESP-DES-SHA
    crypto map outside_map 2 match address acl-amzn
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer IPNOTWHATIWASEXPECTING IPNOTWHATIWASEXPECTING
    crypto map outside_map 2 set transform-set transform-amzn
    crypto map outside_map 255 ipsec-isakmp dynamic map-dynamic
    crypto map outside_map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 2
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 3
    authentication pre-share
    encryption aes-256
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 11
    authentication pre-share
    encryption aes-192
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 12
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 13
    authentication pre-share
    encryption aes-192
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 21
    authentication pre-share
    encryption aes
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 22
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 23
    authentication pre-share
    encryption aes
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 31
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400
    crypto isakmp policy 32
    authentication rsa-sig
    encryption des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 33
    authentication pre-share
    encryption 3des
    hash sha
    group 1
    lifetime 86400
    crypto isakmp policy 34
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    Result of the command: "show run group-policy"
    group-policy evertest internal
    group-policy evertest attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy petero internal
    group-policy petero attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy awsfilter internal
    group-policy awsfilter attributes
    vpn-filter value amzn-filter
    group-policy vpnpptp internal
    group-policy vpnpptp attributes
    dns-server value 10.100.25.252
    vpn-tunnel-protocol l2tp-ipsec
    group-policy vanheelm internal
    group-policy vanheelm attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy ciscoVPNuser internal
    group-policy ciscoVPNuser attributes
    dns-server value 10.100.25.10
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy chauhanv2 internal
    group-policy chauhanv2 attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy oterop internal
    group-policy oterop attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    group-policy Oterop internal
    group-policy Oterop attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 30
    group-policy chauhanv internal
    group-policy chauhanv attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 30
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy bnixon2 internal
    group-policy bnixon2 attributes
    dns-server value 10.100.25.252
    vpn-idle-timeout 720
    vpn-tunnel-protocol IPSec l2tp-ipsec
    pfs enable
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value vpnsplittunnel
    default-domain value domain-notcorrect.local
    Result of the command: "show run tunnel-group"
    tunnel-group ciscoVPNuser type remote-access
    tunnel-group ciscoVPNuser general-attributes
    address-pool vpnippool
    default-group-policy ciscoVPNuser
    tunnel-group ciscoVPNuser ipsec-attributes
    pre-shared-key *****
    tunnel-group petero type remote-access
    tunnel-group petero general-attributes
    address-pool vpnippool
    default-group-policy petero
    tunnel-group petero ipsec-attributes
    pre-shared-key *****
    tunnel-group oterop type remote-access
    tunnel-group oterop general-attributes
    address-pool vpnippool
    default-group-policy oterop
    tunnel-group oterop ipsec-attributes
    pre-shared-key *****
    tunnel-group vanheelm type remote-access
    tunnel-group vanheelm general-attributes
    address-pool vpnippool
    default-group-policy vanheelm
    tunnel-group vanheelm ipsec-attributes
    pre-shared-key *****
    tunnel-group chauhanv type remote-access
    tunnel-group chauhanv general-attributes
    default-group-policy chauhanv
    tunnel-group Oterop type remote-access
    tunnel-group Oterop general-attributes
    default-group-policy Oterop
    tunnel-group chauhanv2 type remote-access
    tunnel-group chauhanv2 general-attributes
    address-pool vpnippool
    default-group-policy chauhanv2
    tunnel-group chauhanv2 ipsec-attributes
    pre-shared-key *****
    tunnel-group bnixon2 type remote-access
    tunnel-group bnixon2 general-attributes
    address-pool vpnippool
    default-group-policy bnixon2
    tunnel-group bnixon2 ipsec-attributes
    pre-shared-key *****
    tunnel-group vpnpptp type remote-access
    tunnel-group vpnpptp general-attributes
    address-pool vpnippool
    default-group-policy vpnpptp
    tunnel-group IPNOTWHATIWASEXPECTING4 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING4 ipsec-attributes
    pre-shared-key *****
    tunnel-group evertest type remote-access
    tunnel-group evertest general-attributes
    address-pool vpnippool
    default-group-policy evertest
    tunnel-group evertest ipsec-attributes
    pre-shared-key *****
    tunnel-group evertest ppp-attributes
    authentication ms-chap-v2
    tunnel-group IPNOTWHATIWASEXPECTING3 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING3 ipsec-attributes
    pre-shared-key *****
    tunnel-group IPNOTWHATIWASEXPECTING2 type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING2 general-attributes
    default-group-policy awsfilter
    tunnel-group IPNOTWHATIWASEXPECTING2 ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 10 retry 3
    tunnel-group IPNOTWHATIWASEXPECTING type ipsec-l2l
    tunnel-group IPNOTWHATIWASEXPECTING general-attributes
    default-group-policy awsfilter
    tunnel-group IPNOTWHATIWASEXPECTING ipsec-attributes
    pre-shared-key *****
    isakmp keepalive threshold 10 retry 3
    Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsec"
    INFO: There are presently no active sessions of the type specified
    Result of the command: "show vpn-sessiondb detail remote filter protocol L2TPOverIPsecOverNAT"
    INFO: There are presently no active sessions of the type specified

  • L2TP/IPSec with PIX using EAP-TLS

    Hi,
    I have big problems using my PIX515 (SW 7.2.1) for L2TP/IPsec VPN connections using EAP-TLS. With the option EAP-Proxy activated on the PIX, a RADIUS Access-Request message reaches the configured RADIUS server (IAS 2003), but the request is rejected by RADIUS. I inspected the packets with a sniffer and see the following strange behavior:
    - There is a Tunnel-Client-Endpoint AVP with no value and, even stranger, an existing AVP titled User-Password with an encrypted value.
    I don't understand where the encrypted password comes from in the first RADIUS Access-Request message received from the PIX, since the authentication method should be certificate-based (EAP-TLS). And I don't know either whether the Tunnel-Client-Endpoint MUST be present in the message. Fact is, the RADIUS responds with an Access-Reject message.
    The other AVPs in the request seem to be OK, and there is an existing AVP titled EAP-Message (79) that seems alright...
    Other detail: in the event log on the IAS the request is logged as type "PAP" (and not EAP as it should be!) and the log tells me about a problem with a wrong username/password.
    I tested the same client and RADIUS configuration using an RRAS server from Microsoft instead of the PIX and it worked fine! Could this be a bug in the PIX EAP-Proxy function?
    EAP-Proxy should pass all EAP packets unmodified to the RADIUS, right? This seems not to be the case. Comparing the RADIUS Access-Request message received from the PIX (which fails) with the RADIUS Access-Request message received from the RRAS server (which succeeds) shows significant differences.
    Any help appreciated. Please ask me for further info if needed or if you would like me to post the packet capture file (Ethereal format)/configuration information.
    Thank you very much!!
    Best regards,
    Matthias

    The Cisco Secure PIX Firewall Software Release 6.0 supports VPN connections from the Cisco VPN Client 3.5 for Windows. Refer to the following URL for more information
    http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall
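    The sniffer comparison Matthias describes, an Access-Request that carries EAP-Message but also a User-Password and an empty Tunnel-Client-Endpoint, can be reproduced offline with a small RADIUS attribute decoder. The script below is an added example written for this page, not the PIX EAP-Proxy code or anything posted in the thread: it builds two constructed Access-Requests, one shaped like the failing capture and one shaped like a pure EAP pass-through, decodes them, and reports what a server could reject on. The shared secret, Request Authenticator, user name and attribute values are constructed; the attribute numbers and minimum lengths come from RFC 2865, RFC 2868 and RFC 2869.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
# RFC 2865/2868/2869 attribute numbers the post mentions, plus Message-Authenticator.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 66: "Tunnel-Client-Endpoint",
              79: "EAP-Message", 80: "Message-Authenticator"}
# Minimum attribute lengths (header included) from the RFCs: a shorter one is malformed.
MIN_LEN = {2: 18, 66: 3, 79: 3, 80: 18}

def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length counts the 2-byte header."""
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def build_access_request(identifier, authenticator, attrs, secret):
    """Constructed Access-Request carrying a valid Message-Authenticator (RFC 2869 5.14):
    HMAC-MD5 over the packet with the attribute's 16 value bytes zeroed."""
    body = encode_attrs(attrs) + struct.pack("!BB", 80, 18) + bytes(16)
    hdr = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    mac = hmac.new(secret, hdr + body, hashlib.md5).digest()
    return hdr + body[:-16] + mac

def decode(packet):
    """Parse a RADIUS packet into (code, identifier, authenticator, [(type, value), ...]).
    Raises ValueError on framing errors, which a server answers with a reject or a drop."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"header says {length} bytes, packet has {len(packet)}")
    pos, attrs = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError(f"attribute {t} has invalid length {l}")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def _zero_message_authenticator(packet):
    """Copy of the packet with every Message-Authenticator value replaced by zeros."""
    out, pos = bytearray(packet), 20
    while pos < len(out):
        t, l = out[pos], out[pos + 1]
        if t == 80:
            out[pos + 2:pos + l] = bytes(l - 2)
        pos += l
    return bytes(out)

def review_access_request(packet, secret):
    """Return (apparent method, problems) the way an engineer reading a capture would:
    which auth method the attribute set implies, and what a server could reject on."""
    _, _, _, attrs = decode(packet)
    present = {t for t, _ in attrs}
    problems = []
    for t, v in attrs:
        if t in MIN_LEN and 2 + len(v) < MIN_LEN[t]:
            problems.append(f"{ATTR_NAMES[t]} length {2 + len(v)} is below the RFC minimum {MIN_LEN[t]}")
    if 79 in present and 80 not in present:
        problems.append("EAP-Message without Message-Authenticator (RFC 2869/3579 say discard)")
    if 79 in present and 2 in present:
        problems.append("EAP-Message and User-Password in the same request: an EAP request carries no password")
    if 80 in present:
        expected = hmac.new(secret, _zero_message_authenticator(packet), hashlib.md5).digest()
        if not hmac.compare_digest(expected, dict(attrs)[80]):
            problems.append("Message-Authenticator does not verify with this shared secret")
    method = "EAP" if 79 in present and 2 not in present else "PAP" if 2 in present else "unknown"
    return method, problems

SECRET = b"example-shared-secret"  # constructed
REQ_AUTH = bytes(range(16))        # constructed Request Authenticator (random in real traffic)
EAP_IDENTITY = b"\x02\x01\x00\x0d\x01matthias"  # EAP Response/Identity, id 1, length 13
# Constructed request shaped like the one the post describes: EAP-Message alongside a
# User-Password and an empty Tunnel-Client-Endpoint.
SUSPECT = build_access_request(7, REQ_AUTH, [(1, b"matthias"), (66, b""), (2, bytes(16)),
                                             (79, EAP_IDENTITY)], SECRET)
# What a pure EAP pass-through request should look like.
CLEAN = build_access_request(8, REQ_AUTH, [(1, b"matthias"), (79, EAP_IDENTITY)], SECRET)
```

    `review_access_request(SUSPECT, SECRET)` classifies the constructed request as PAP-shaped and lists two problems, the zero-length Tunnel-Client-Endpoint and the User-Password sitting next to EAP-Message; `review_access_request(CLEAN, SECRET)` comes back as EAP with no problems. The length check matters on its own: RFC 2868 gives Tunnel-Client-Endpoint a minimum length of 3, so an empty one is an invalid attribute and a server may reject on framing before it ever looks at the EAP payload, which is worth ruling out in a capture before chasing the password question.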

  • Establishing L2TP/IPSEC vpn

    I have a new laptop, running Windows 8.1 Pro. I am trying to set up an L2TP/IPSEC vpn to my office.
    I have created the connection, and filled in the various settings including PSK, but whenever I try and connect it fails with Error 789. I have checked this against my Windows XP / Vista / 7 laptops (which all work fine), and the VPN setup details are all
    identical. It works fine on all the other laptops, but not on Windows 8.1.
    Is there something special about Windows 8.1 that would prevent this from working?

    Hi,
    Please check the solution in this thread:
    http://social.technet.microsoft.com/Forums/windows/en-US/630488b8-e638-488d-803a-08ef9281e4fb/windows-7-ipsecl2tp-vpn-connection-problem
    Also, please check solution “Error Code: 789, 835” in this article:
    Troubleshooting common VPN related errors
    http://blogs.technet.com/b/rrasblog/archive/2009/08/12/troubleshooting-common-vpn-related-errors.aspx
    Since this issue can also be caused by a third-party security program, please disable it and recreate the connection again to check the results.
    Please take time to perform the steps above and let me know the results.
    Karen Hu
    TechNet Community Support

  • Is it possible to build two different L2TP/IPSec tunnels per subnet or per user?

    Dear colleagues
    I wondered whether anyone could help with this one.
    Is it possible to build two different L2TP/IPSec tunnels per subnet or per user on a Cisco router or any other third party manufacturer?  The idea behind is to allow different access to resources to different support technicians.  Your help is much appreciated.

    Sure, the ASA can use LDAP/AD information to select what access list should be applied for that specific user or group of users logging into the VPN. You can use what's called DAP or just LDAP Attribute Maps.

  • Is there a limit to the number of concurrent L2TP/IPSec VPN connections in Snow Leopard

    Hi,
    I'm currently running an L2TP/IPSec service from a Snow Leopard server VM running on the latest version of Lion Server ( Had loads of issues with Lion VPN connectivity from outside our network when I first upgraded the physical server to Lion. quickest way to get the service back was to run an S/L VM. I know that there have been some changes to Lion in the VPN area, but this works... sort of;;;)
    I've got an IP address pool of 20 addresses configured as this is only for ICT staff members. Each user has a local userid/password on the S/L server. For me, things just work.
    iPhone, iPad, OS X Lion client, they all work and I've had about 3 simultaneous connections up and running. However, the majority of staff users use Windows 7 client machines and they've been reporting sporadic connection failures where one moment they can get connected and the next they can't.  I'm currently wondering if there is some concurrent limit setting they are hitting and are getting slung off because I've got other users using the service.  It would be a bit strange if S/L can only support 2 or 3 connections out of the box.
    Then again it might be VMWare Fusion (Vsn 4.1.1) that's the problem.
    Any help appreciated
    Rgds
    Alex

    You have to count to have about 30GB at least free on the startup disk, after you have the library loaded.
    On the external you have space enough.
    As far as I know there is no limit for iPhoto, but I suggest to not let it grow too much, because everything will become sluggish, also making backups. It should be possible to split up in more libraries, one that is really actual and one that is the past. Physical splitting up I mean, not smart collections. You can switch libraries by holding the Alt(option) at startup of iPhoto.

  • Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

    I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
    I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
    I logged into the Verizon Actiontec MI424WR router and set up port forwarding for UDP ports 500, 1701 & 4500.
    Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
    With the port forwarding in place, I tested VPN externally but it didn't connect.
    I've done the following so far to no avail:
    Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
    There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
    There was an L2TP port triggering rule enabled, that I toggled on and off with no change
    Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
    Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
    My router details:
    Verizon Actiontec
    MI424WR-GEN2
    Revision E
    Firmware 20.21.0.2
    Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.

    Normally a VPN on that router will have the GRE tunneling protocol as well.
    Two ways to build the PF rules:
    Manually
    Preconfigured
    I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.

  • Problem with L2TP IPSEC VPN login...

    Hello,
    I have a problem trying to log in on my laptop to my work VPN.  I was given from my work the VPN's IP address, the PSK, my username, and password for the VPN.  I feel like I am hitting a brick wall and it makes me just want to forget it altogether...  I can get in with my info on this same laptop on the same connection at my apartment from my Windows 8.1 partition just fine.  I have also verified and triple checked all my VPN information required.  I also don't know, but I think I have it set up to use PAP, MS CHAP, or MS CHAP v2..  Any help would be greatly appreciated.  Pretty much the way my VPN for my work works is you have to VPN on L2TP over IPSEC with a username and password and a PSK to allow you to remote desktop to my desktop at work.  Really wish this could work as I am tired of supporting Windows at home when I pretty much only use it to VPN into work when I have to get work done...
    pacman -Q openswan
    openswan 2.6.41-1
    pacman -Q xl2tpd
    xl2tpd 1.3.6-1
    uname -a
    Linux tux 3.17.1-1-ARCH #1 SMP PREEMPT Wed Oct 15 15:04:35 CEST 2014 x86_64 GNU/Linux
    Now I have all the configs setup below following the L2TP/IPsec VPN client setup arch wiki page and I keep getting this:
    ipsec auto --up <vpn connection name>
    022 "<vpn connection name>": We cannot identify ourselves with either end of this connection.
    my process to run the vpn connection:
    sudo systemctl start openswan
    sudo systemctl start xl2tpd
    ipsec auto --up <vpn connection name>
    echo "c <vpn connection name>" > /var/run/xl2tpd/l2tp-control
    how I added my vpn connection:
    sudo ipsec auto --add <vpn connection name>
    /etc/xl2tpd/xl2tpd.conf
    [global]
    ; listen-addr = <my ip address>
    debug avp = no
    debug network = no
    debug packet = no
    debug state = no
    debug tunnel = no
    [lac <vpn connection name>]
    lns = <vpn ip address>
    pppoptfile = /etc/ppp/<vpn connection name>.options.xl2tpd
    length bit = no
    redial = no
    /etc/ppp/<vpn connection name>.options.xl2tpd
    plugin passprompt.so
    ipcp-accept-local
    ipcp-accept-remote
    idle 72000
    ktune
    noproxyarp
    asyncmap 0
    noauth
    crtscts
    lock
    hide-password
    modem
    noipx
    ipparam L2tpIPsecVpn-<vpn connection name>
    promptprog "/usr/bin/L2tpIPsecVpn"
    refuse-eap
    remotename ""
    name "<vpn username>"
    password <vpn password>
    usepeerdns
    /etc/ipsec.secrets
    %any @<vpn ip address>: PSK <psk key here>
    Last edited by adramalech (2014-10-25 04:53:46)

  • [SOLVED] l2tp-ipsec-vpn-daemon from AUR fails to build

    Please let me know if there are other details that require posting:-
    ==> Starting build()...
    /usr/bin/qmake -o qttmp-Release.mk -after "OBJECTS_DIR=build/Release" "DESTDIR=dist/Release" nbproject/qt-Release.pro
    mv -f qttmp-Release.mk nbproject/qt-Release.mk
    make -f nbproject/qt-Release.mk dist/Release/L2tpIPsecVpnControlDaemon
    make[1]: Entering directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
    g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/main.o src/main.cpp
    g++ -c -pipe -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4 -Wall -W -D_REENTRANT -fPIE -DQT_NO_DEBUG -DQT_NETWORK_LIB -DQT_CORE_LIB -I/usr/lib/qt/mkspecs/linux-g++ -Inbproject -isystem /usr/include/qt -isystem /usr/include/qt/QtNetwork -isystem /usr/include/qt/QtCore -Isrc/generated -I. -o build/Release/VpnClientConnection.o src/VpnClientConnection.cpp
    src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::readyRead()':
    src/VpnClientConnection.cpp:133:99: error: 'class QString' has no member named 'toAscii'
    ::syslog(LOG_DEBUG|LOG_DAEMON, "Executing command %s", m_strActiveCommand.toAscii().constData());
    ^
    src/VpnClientConnection.cpp:140:75: error: 'class QString' has no member named 'toAscii'
    if (COMMANDS[iCommand].pPipe->write(strCommand.toAscii().constData()) == strCommand.length())
    ^
    src/VpnClientConnection.cpp:159:63: error: 'class QString' has no member named 'toAscii'
    if (::mkfifo(strCommandParts[1].toAscii().constData(), DEFFILEMODE) == 0)
    ^
    src/VpnClientConnection.cpp:161:84: error: 'class QString' has no member named 'toAscii'
    const int iChmodResult(::chmod(strCommandParts[1].toAscii().constData(), DEFFILEMODE));
    ^
    src/VpnClientConnection.cpp:168:87: error: 'class QString' has no member named 'toAscii'
    const int iChownResult(::chown(strCommandParts[1].toAscii().constData(), pPwdInfo->pw_uid, pPwdInfo->pw_gid));
    ^
    src/VpnClientConnection.cpp:193:77: error: 'const class QString' has no member named 'toAscii'
    if (COMMANDS[iCommand].pPipe->write(str.toAscii().constData()) != str.length())
    ^
    src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandError(QProcess::ProcessError)':
    src/VpnClientConnection.cpp:250:96: error: 'class QString' has no member named 'toAscii'
    ::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with error code %d", m_strActiveCommand.toAscii().constData(), ERR_COMMAND_FAILED_TO_START + iError);
    ^
    src/VpnClientConnection.cpp: In member function 'void VpnClientConnection::onCommandFinished(int)':
    src/VpnClientConnection.cpp:257:95: error: 'class QString' has no member named 'toAscii'
    ::syslog(LOG_DEBUG|LOG_DAEMON, "Command %s finished with exit code %d", m_strActiveCommand.toAscii().constData(), iExitCode);
    ^
    src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseResult, const QString&)':
    src/VpnClientConnection.cpp:268:118: error: 'const class QString' has no member named 'toAscii'
    m_pSocket->write((QString::number(responseType) + " " + QString::number(resultCode) + " " + strCommand + '\n').toAscii().constData());
    ^
    src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, VpnClientConnection::ResponseInformation)':
    src/VpnClientConnection.cpp:281:108: error: 'const class QString' has no member named 'toAscii'
    m_pSocket->write((QString::number(responseType) + " " + QString::number(responseInformation) + '\n').toAscii().constData());
    ^
    src/VpnClientConnection.cpp: In member function 'bool VpnClientConnection::send(VpnClientConnection::ResponseType, const QString&)':
    src/VpnClientConnection.cpp:294:78: error: 'const class QString' has no member named 'toAscii'
    m_pSocket->write((QString::number(responseType) + " " + strOutputline).toAscii().constData());
    ^
    nbproject/qt-Release.mk:319: recipe for target 'build/Release/VpnClientConnection.o' failed
    make[1]: *** [build/Release/VpnClientConnection.o] Error 1
    make[1]: Leaving directory '/tmp/yaourt-tmp-nimda/aur-l2tp-ipsec-vpn-daemon/src/l2tp-ipsec-vpn-daemon'
    Makefile:62: recipe for target 'build' failed
    make: *** [build] Error 2
    ==> ERROR: A failure occurred in build().
    Aborting...
    ==> ERROR: Makepkg was unable to build l2tp-ipsec-vpn-daemon.
    Last edited by n1md4 (2014-06-06 09:47:25)

    Have you tried 0.9.9-2 from the comments: https://aur.archlinux.org/packages/l2tp … pn-daemon/ ?

  • [SOLVED]Connecting to L2TP/IPSec VPN problem: pppd seems not starting

    I'm trying to connect to an L2TP/IPsec VPN server, by ipsec-tools + xl2tpd.
    Here is my setup:
    /etc/racoon.conf:
    log debug;
    path pre_shared_key "/etc/racoon/psk.txt";
    padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
    }
    remote anonymous {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        generate_policy on;
        nat_traversal on;
        proposal_check obey;
        proposal {
            encryption_algorithm aes 256;
            lifetime time 3600 sec;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group modp1024;
        }
    }
    sainfo anonymous {
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }
    /etc/racoon/psk.txt:
    #broadband
    137.189.192.201 the-server-psk
    137.189.192.204 the-server-psk
    Here the two IPs are the IPs of vpn.cuhk.edu.hk, which is the VPN server.
    /etc/xl2tpd/xl2tpd.conf:
    [global]
    port = 1701
    auth file = /etc/ppp/pap-secrets
    debug network = yes
    debug avp = yes
    debug packet = yes
    debug state = yes
    debug tunnel = yes
    [lac connect]
    lns = vpn.cuhk.edu.hk
    name = vpn-server
    redial = yes
    redial timeout = 15
    max redials = 5
    hidden bit = yes
    refuse chap = yes
    require pap = yes
    ppp debug = yes
    pppoptfile = /etc/ppp/options.xl2tpd
    /etc/ppp/pap-secrets:
    # Secrets for authentication using PAP
    # client server secret IP addresses
    myusername * mypassword *
    /etc/ppp/options.xl2tpd:
    lock
    debug
    mtu 1000
    nobsdcomp
    nodeflate
    noaccomp
    nopcomp
    novj
    defaultroute
    refuse-chap
    refuse-mschap
    refuse-mschap-v2
    connect-delay 5000
    name myusername
    password mypassword
    spd.sh:
    #!/bin/sh
    Then I do the following:
    # 192.168.1.1 is my lan gateway
    sudo ip route add 137.189.192.201 via 192.168.1.1
    sudo ip route add 137.189.192.204 via 192.168.1.1
    # For adding spd, script from the VPN server
    echo -e flush\; | sudo setkey -c
    echo -e spdflush\; | sudo setkey -c
    echo -e spdadd 192.168.1.173/32\[1701\] 0.0.0.0\/0\[0\] any \-P out ipsec esp\/transport\/\/require\; | sudo setkey -c
    sudo systemctl start racoon
    sudo systemctl start xl2tpd
    echo "c connect" | sudo tee /var/run/xl2tpd/l2tp-control
    I expect that some network interface like ppp0 will be created, but nothing happened.
    Then I check the record, and find something weird in xl2tpd log (from journalctl, racoon and sudo logs skipped):
    8月 21 01:13:40 nkdesktop systemd[1]: Stopped Level 2 Tunnel Protocol Daemon (L2TP).
    8月 21 01:13:41 nkdesktop systemd[1]: Starting Racoon IKEv1 key management daemon for IPSEC...
    8月 21 01:13:41 nkdesktop systemd[1]: Started Racoon IKEv1 key management daemon for IPSEC.
    8月 21 01:13:43 nkdesktop systemd[1]: Starting Level 2 Tunnel Protocol Daemon (L2TP)...
    8月 21 01:13:43 nkdesktop systemd[1]: Started Level 2 Tunnel Protocol Daemon (L2TP).
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: setsockopt recvref[30]: Protocol not available
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Using l2tp kernel support.
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: xl2tpd version xl2tpd-1.3.6 started on nkdesktop PID:19639
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Forked by Scott Balmos and David Stipp, (C) 2001
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Inherited by Jeff McAdams, (C) 2002
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    8月 21 01:13:43 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Listening on IP address 0.0.0.0, port 1701
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: get_call: allocating new tunnel for host 137.189.192.204, port 1701.
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Connecting to host vpn.cuhk.edu.hk, port 1701
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is (null)(0). Tunnel is 0, call is 0.
    8月 21 01:13:45 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCRQ
    8月 21 01:13:46 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select timeout
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select timeout
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 103, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 2 (Start-Control-Connection-Reply)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: protocol_version_avp: peer is using version 1, revision 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: framing_caps_avp: supported peer frames: async sync
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: bearer_caps_avp: supported peer bearers:
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: firmware_rev_avp: peer reports firmware version 1648 (0x0670)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: hostname_avp: peer reports hostname 'eriwan'
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: vendor_avp: peer reports vendor 'Adtran, l2tpd'
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_tunnel_avp: using peer's tunnel 4733
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: receive_window_size_avp: peer wants RWS of 4. Will use flow control.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Start-Control-Connection-Reply(2). Tunnel is 4733, call is 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending SCCCN
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Connection established to 137.189.192.204, 1701. Local: 30858, Remote: 4733 (ref=0/0).
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Calling on tunnel 30858
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is (null)(0). Tunnel is 4733, call is 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: sending ICRQ
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 28, tunnel = 30858, call = 63662 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 63662
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 11 (Incoming-Call-Reply)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_call_avp: using peer's call 31346
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Incoming-Call-Reply(11). Tunnel is 4733, call is 31346.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Sending ICCN
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Call established with 137.189.192.204, Local: 63662, Remote: 31346, Serial: 1 (ref=0/0)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: start_pppd: I'm running:
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "/usr/sbin/pppd"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "passive"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "nodetach"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: ":"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "refuse-chap"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "name"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "vpn-server"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "debug"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "file"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "/etc/ppp/options.xl2tpd"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "plugin"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "pppol2tp.so"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "pppol2tp"
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: "7"
    8月 21 01:13:47 nkdesktop pppd[19647]: Plugin pppol2tp.so loaded.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 12, tunnel = 30858, call = 63662 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 38, tunnel = 30858, call = 63662 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 63662
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 14 (Call-Disconnect-Notify)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_call_avp: using peer's call 31346
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Call-Disconnect-Notify(14). Tunnel is 4733, call is 31346.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Connection closed to 137.189.192.204, serial 1 ()
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: Terminating pppd: sending TERM signal to pid 19647
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: recv packet from 137.189.192.204, size = 38, tunnel = 30858, call = 0 ref=0 refhim=0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: handle_avps: handling avp's for tunnel 30858, call 0
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: message_type_avp: message type 4 (Stop-Control-Connection-Notification)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: assigned_tunnel_avp: using peer's tunnel 4733
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: result_code_avp: peer closing for reason 1 (General request to clear control connection), error = 0 ()
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: message type is Stop-Control-Connection-Notification(4). Tunnel is 4733, call is 0.
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: control_finish: Connection closed to 137.189.192.204, port 1701 (), Local: 30858, Remote: 4733
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: build_fdset: closing down tunnel 30858
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select returned error 9 (Bad file descriptor)
    8月 21 01:13:47 nkdesktop xl2tpd[19639]: xl2tpd[19639]: network_thread: select returned error 4 (Interrupted system call)
    ... then xl2tpd repeatedly trying to build a connection and fails for every 15s ...
    I think pppd should have showed more logs, rather than just loading a module.
    But I have no idea about what's wrong.
    Or did I just forget to turn on the log function of pppd? If so, how should I turn it on?
    Anyone can help?
    Last edited by nnkken (2014-08-24 08:42:03)

    Additional information:
    Today I decrypted the IPSec ESP packets by Wireshark (what an awesome function) and compared the L2TP message of my ArchLinux and MacOSX to the same VPN Server.
    And I found that while both ArchLinux and MacOSX send an Incoming_Call_Connection (ICCN) packet, the packets are quite different:
    The ArchLinux ICCN packet has 2 additional AVP fields: Random Vector AVP and RX Connect Speed AVP.
    Also, the Connect Speed AVP (and also the RX Connect Speed AVP) field is 0, which is different from MacOSX (100000).
    After the ICCN packet, MacOSX sends a PPP packet over L2TP, while ArchLinux sends nothing and the server sends a Call_Disconnect_Notification to ArchLinux.
    Anyone knows whether this is a bug or something wrong in config?
    Last edited by nnkken (2014-08-22 20:19:49)
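    The comparison described in the post (two ICCN messages decoded after ESP decryption, differing in their AVP set and Connect Speed values) can be reproduced offline with a small L2TPv2 control-message parser. The following is an added example, not the poster's code and not part of xl2tpd or racoon; the two ICCN packets are constructed from the AVP differences the post reports, and the tunnel/session IDs are the ones in the log, while the Random Vector bytes and sequence numbers are made up. AVP numbers and message types are those of RFC 2661; hidden AVPs (H bit) are left undecoded because unhiding needs the tunnel secret, and the parser rejects a hidden AVP that is not preceded by a Random Vector AVP, as the RFC requires.

    ```python
    """Decode an L2TPv2 (RFC 2661) control message and diff the AVPs of two of them."""
    import struct

    MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                     10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
    ATTRIBUTE_NAMES = {0: "Message Type", 19: "Framing Type", 24: "(Tx) Connect Speed",
                       36: "Random Vector", 38: "Rx Connect Speed"}
    T_BIT, L_BIT, S_BIT = 0x8000, 0x4000, 0x0800   # control-header flag bits
    M_BIT, H_BIT = 0x8000, 0x4000                  # AVP flag bits (mandatory, hidden)


    def build_avp(attr_type, value, mandatory=True, hidden=False):
        """Pack one AVP: flags + 10-bit length, vendor id 0 (IETF), attribute type, value."""
        length = 6 + len(value)                    # length covers the 6-byte AVP header
        flags = (M_BIT if mandatory else 0) | (H_BIT if hidden else 0) | length
        return struct.pack("!HHH", flags, 0, attr_type) + value


    def build_control_message(tunnel_id, session_id, ns, nr, avps):
        """Control header with T, L and S bits set, version 2, followed by the AVPs."""
        body = b"".join(avps)
        return struct.pack("!HHHHHH", T_BIT | L_BIT | S_BIT | 2, 12 + len(body),
                           tunnel_id, session_id, ns, nr) + body


    def _decode(attr, value, hidden):
        if hidden:
            return value                           # unhiding needs the shared secret
        if attr == 0:
            return struct.unpack("!H", value)[0]   # Message Type is a 16-bit value
        if attr in (19, 24, 38):
            return struct.unpack("!I", value)[0]   # Framing Type and speeds are 32-bit
        return value


    def parse_control_message(data):
        """Return header fields plus a list of decoded AVPs in wire order."""
        flags_ver, length, tid, sid, ns, nr = struct.unpack("!HHHHHH", data[:12])
        if flags_ver & 0x000F != 2 or not flags_ver & T_BIT:
            raise ValueError("not an L2TPv2 control message")
        if length > len(data):
            raise ValueError("truncated message")
        avps, offset, saw_random_vector = [], 12, False
        while offset < length:
            aflags, _vendor, attr = struct.unpack("!HHH", data[offset:offset + 6])
            avp_len = aflags & 0x03FF
            if avp_len < 6 or offset + avp_len > length:
                raise ValueError("bad AVP length")
            hidden = bool(aflags & H_BIT)
            if hidden and not saw_random_vector:
                raise ValueError("hidden AVP without a preceding Random Vector AVP")
            if attr == 36:
                saw_random_vector = True
            value = data[offset + 6:offset + avp_len]
            avps.append({"type": attr, "name": ATTRIBUTE_NAMES.get(attr, f"attr {attr}"),
                         "mandatory": bool(aflags & M_BIT), "hidden": hidden,
                         "value": _decode(attr, value, hidden)})
            offset += avp_len
        msg_type = next(a["value"] for a in avps if a["type"] == 0)
        return {"tunnel": tid, "session": sid, "ns": ns, "nr": nr,
                "message": MESSAGE_TYPES.get(msg_type, f"type {msg_type}"), "avps": avps}


    def diff_avps(msg_a, msg_b):
        """AVP types present in only one message, and values that differ where both have them."""
        a = {avp["type"]: avp["value"] for avp in msg_a["avps"]}
        b = {avp["type"]: avp["value"] for avp in msg_b["avps"]}
        return {"only_in_a": sorted(set(a) - set(b)), "only_in_b": sorted(set(b) - set(a)),
                "differing": {t: (a[t], b[t]) for t in a.keys() & b.keys() if a[t] != b[t]}}


    # Constructed ICCN messages shaped like the two clients in the post (not captured bytes).
    ARCH_ICCN = build_control_message(4733, 31346, 3, 2, [
        build_avp(0, struct.pack("!H", 12)),                  # Message Type = ICCN
        build_avp(24, struct.pack("!I", 0)),                  # (Tx) Connect Speed = 0
        build_avp(19, struct.pack("!I", 1)),                  # Framing Type: synchronous
        build_avp(36, b"\x01\x02\x03\x04"),                   # Random Vector (made-up bytes)
        build_avp(38, struct.pack("!I", 0), mandatory=False),  # Rx Connect Speed = 0
    ])
    MAC_ICCN = build_control_message(4733, 31346, 3, 2, [
        build_avp(0, struct.pack("!H", 12)),
        build_avp(24, struct.pack("!I", 100000)),             # Connect Speed = 100000
        build_avp(19, struct.pack("!I", 1)),
    ])

    if __name__ == "__main__":
        for name, pkt in (("arch", ARCH_ICCN), ("mac", MAC_ICCN)):
            msg = parse_control_message(pkt)
            print(name, msg["message"], [(a["name"], a["value"]) for a in msg["avps"]])
        print(diff_avps(parse_control_message(ARCH_ICCN), parse_control_message(MAC_ICCN)))
    ```

    Running it prints the AVP list of each message and a diff showing Random Vector (36) and Rx Connect Speed (38) only in the first message and the Connect Speed values 0 versus 100000, which is the same picture the post drew from Wireshark.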

  • Windows Mobile 5.0 L2TP/IPSec native VPN to 3030

    Has anyone successfully setup a VPN using the built in VPN client in Windows Mobile 5.0 to a Cisco 3030? I am running into problems but have no idea why. I followed chapter 13 of "The Complete Cisco VPN Configuration Guide" from Cisco Press, to configure the L2TP/IPSec for Windows Client software, but still no luck. I would much rather use the native software from Windows Mobile rather than purchase a 3rd party app. Any help or reference's are greatly appreciated. Thanks in advance!

    Windows Mobile 5.0 doesn't work with Cisco 3030. Mobile client requests a domain name on the credentials, which seems to be "not valid" on the concentrator.

  • RVS4000 L2TP IPSec

    Currently trying to establish L2TP IPSec VPN tunnels between Windows XP remote client and Windows 2003 RRAS Server.
    Both the XP remote client and the W2003 RRAS Server are behind RVS4000 routers.
    Have established that the W2003 RRAS server will accept L2TP IPSec connections from clients behind the Cisco RVS4000 router [LAN clients].
    Cannot establish remote L2TP IPSec connections through the RVS4000 routers. Have established that PPTP VPN through the RVS4000 routers. Both routers are running version 1.3.0.5
    Both RVS 4000 routers are configured for PPTP, IPSec, & L2TP VPN passthrough with UDP port 1701 being forwarded to the RRAS server by the
    RVS 4000 router. PPTP VPN connections have no problem.
    Error code is 792
    The problem appears to be with IPSec passthrough.  UDP port 1701 is being forwarded to the RRAS server. Cannot create port rules for IKE 500 or IP Protocol 50/4500 on the RVS4000 because those policies conflict with forwarding UDP1701.
    Any guidance on why the IPSec fails through the RVS4000 for remote access clients but IPSec is successful in establishing a connection to the RRAS server using LAN clients.

    I repeat one more time: Never ever forward port UDP 1701. You don't want to expose the L2TP server to the internet. If the server is configured correctly on your VPN server then it won't accept direct access to UDP port 1701 anyway. But still you don't want to do it.
    L2TP or better L2TP over IPSec tunnels L2TP traffic on UDP 1701 inside an IPSec tunnel between the client and the server. If you run your VPN server inside your LAN behind a NAT router all you ever want to forward for that purpose is IPSec, i.e. ports UDP 500 and TCP/UDP 4500. Nothing else. For L2TP over IPSec all the router will ever see is IPSec traffic. The L2TP traffic is encrypted inside the IPSec tunnel. The router does not know about this.
    If you forward UDP 1701 to your L2TP server you expose the L2TP server directly to the internet, removing the pre-shared key or certificate authentication and encryption of IPSec. All L2TP traffic is then completely unencrypted, if someone has an L2TP (with no IPSec) client to connect with.
    The standard Windows L2TP/IPSec won't connect directly to L2TP without IPSec.
    Even if the RVL allows you to forward UDP 1701 don't do it. If your VPN connection to your VPN server only works with this forwarding in place then you have a big problem with your whole VPN configuration because as I have mentioned before the router should never see any VPN traffic on UDP 1701 as it is supposed to be fully encrypted and hidden inside the IPSec tunnel...
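    The point made in this reply, and the rule set the Actiontec poster above configured (UDP 500, 1701 and 4500), can be checked mechanically. The following is an added example, not code from either thread or from any router vendor: it audits a list of forwarding rules for an L2TP/IPsec server behind NAT and classifies WAN-side UDP datagrams so that cleartext L2TP on UDP 1701 is reported as a finding. The datagrams are constructed for the demonstration (IKEv1 headers, a NAT-T non-ESP marker, an ESP-in-UDP packet with a made-up SPI, and a bare L2TP control header); header layouts follow RFC 2408, RFC 3948 and RFC 2661.

    ```python
    """Audit a NAT router in front of an L2TP/IPsec server (constructed example).

    With L2TP carried inside IPsec, the router should forward only IKE (UDP 500)
    and NAT-T (UDP 4500).  Cleartext L2TP on UDP 1701 must never appear on the
    WAN side; if it does, the L2TP server is reachable without IPsec.
    """
    import struct

    ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # RFC 2408 ISAKMP header (28 bytes)
    L2TP_HDR = struct.Struct("!HHHHHH")        # RFC 2661 control header: flags/ver, len, tid, sid, Ns, Nr


    def audit_forward_rules(rules):
        """Flag forwarding rules that expose L2TP outside its IPsec wrapper.

        rules: iterable of (protocol, port) tuples as configured on the router.
        """
        findings = []
        for proto, port in rules:
            if (proto.lower(), port) == ("udp", 1701):
                findings.append(f"{proto}/{port}: forwards cleartext L2TP; "
                                "L2TP/IPsec clients only need udp/500 and udp/4500")
        return findings


    def classify_datagram(dst_port, payload):
        """Say what a WAN-side UDP datagram is and whether it is cleartext L2TP."""
        if dst_port == 500 and len(payload) >= ISAKMP_HDR.size:
            _ispi, _rspi, _np, ver, exch, _flags, _mid, _len = ISAKMP_HDR.unpack_from(payload)
            return {"kind": "IKE", "version": f"{ver >> 4}.{ver & 0xF}",
                    "exchange": exch, "cleartext_l2tp": False}
        if dst_port == 4500 and len(payload) >= 4:
            # RFC 3948: four zero bytes = non-ESP marker, i.e. IKE over NAT-T;
            # an ESP SPI is never zero, so anything else is UDP-encapsulated ESP.
            if payload[:4] == b"\x00\x00\x00\x00":
                return {"kind": "IKE-over-NAT-T", "cleartext_l2tp": False}
            spi = struct.unpack("!I", payload[:4])[0]
            return {"kind": "ESP-in-UDP", "spi": spi, "cleartext_l2tp": False}
        if dst_port == 1701 and len(payload) >= 2:
            flags = struct.unpack("!H", payload[:2])[0]
            if flags & 0x000F == 2:                    # L2TPv2 version nibble
                return {"kind": "L2TP", "control": bool(flags & 0x8000),
                        "cleartext_l2tp": True}
        return {"kind": "other", "cleartext_l2tp": False}


    def audit_capture(datagrams):
        """Return one finding per cleartext L2TP datagram seen on the WAN side."""
        findings = []
        for dst_port, payload in datagrams:
            info = classify_datagram(dst_port, payload)
            if info["cleartext_l2tp"]:
                msg_kind = "control" if info["control"] else "data"
                findings.append(f"udp/{dst_port}: cleartext L2TP {msg_kind} message "
                                "reached the WAN interface outside IPsec")
        return findings


    # Constructed sample datagrams (dst_port, payload); SPIs and IDs are made up.
    SAMPLE_DATAGRAMS = [
        # IKEv1 main mode, first message: next payload SA(1), version 1.0, exchange 2
        (500, ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)),
        # IKEv1 quick mode (exchange 32) carried over NAT-T behind the non-ESP marker
        (4500, b"\x00\x00\x00\x00"
               + ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 8, 0x10, 32, 1, 1, 28)),
        # UDP-encapsulated ESP: SPI, sequence number, opaque ciphertext
        (4500, struct.pack("!II", 0x0A0B0C0D, 1) + b"\x00" * 40),
        # Bare L2TP control header (T, L, S bits set, version 2): should never be here
        (1701, L2TP_HDR.pack(0xC802, 12, 0, 0, 0, 0)),
    ]

    if __name__ == "__main__":
        for finding in audit_forward_rules([("udp", 500), ("udp", 1701), ("udp", 4500)]):
            print(finding)
        for finding in audit_capture(SAMPLE_DATAGRAMS):
            print(finding)
    ```

    Fed the Actiontec poster's three rules, the audit reports only the udp/1701 forward; fed the constructed capture, it reports only the bare L2TP datagram, while the IKE, NAT-T IKE and ESP-in-UDP datagrams are what the router is expected to see.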
