L2TP VPN Error: "MPPE required but peer negotiation failed"

Clean Leopard Server install. Fairly clean Leopard client, too. Tried to set up an L2TP VPN service and connect to it from the client machine, and I get this in the client's log:
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] IPSec connection established
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] L2TP connection established.
11/6/07 2007-11-06 T 20:23:52 (PST) pppd[374] Connect: ppp0 <--> socket[34:18]
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] MPPE required but peer negotiation failed
11/6/07 2007-11-06 T 20:23:53 (PST) pppd[374] Connection terminated.
As far as I can tell from searching the web, MPPE should not even be involved (but I really don't know the protocol). If I set up a PPTP VPN on the same pair of machines, all is well.
I really think this is a bug in either Leopard or Leopard Server. Anyone else bumping into this wall?
regards,
Bill.

I have the exact same problem. Hopefully Apple will fix this soon. I'm trying to connect to a Linux Box with OpenSwan and L2tpd.
My Logs:
Leopard:
Dec 2 14:43:44 MRiedel-PB-G4 pppd[18603]: L2TP connecting to server XXXXXXXX...
Dec 2 14:43:47 MRiedel-PB-G4 pppd[18603]: IPSec connection started
Dec 2 14:43:48 MRiedel-PB-G4 pppd[18603]: IPSec connection established
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: L2TP connection established.
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: Connect: ppp0 <--> socket[34:18]
Dec 2 14:43:51 MRiedel-PB-G4 pppd[18603]: MPPE required but peer negotiation failed
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: Connection terminated.
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnecting...
Dec 2 14:43:52 MRiedel-PB-G4 pppd[18603]: L2TP disconnected
And on the Linux Box:
Dec 2 23:43:47 bt-server pluto[2941]: "L2TP-PSK"[9] 63.231.xxx.xxx #16: STATEQUICKR2: IPsec SA established {ESP=>0x09c22235 <0x8522bdef xfrm=AES128-HMACSHA1 NATD=63.231.52.188:4500 DPD=none}
Dec 2 23:43:49 bt-server l2tpd[6376]: control_finish: Peer requested tunnel 8 twice, ignoring second one.
Dec 2 23:43:49 bt-server l2tpd[6376]: Connection established to 63.231.xxx.xxx, 56177. Local: 51805, Remote: 8. LNS session is 'default'
Dec 2 23:43:49 bt-server l2tpd[6376]: Call established with 63.231.xxx.xxx, Local: 56732, Remote: 18603, Serial: 1
Dec 2 23:43:49 bt-server pppd[7541]: pppd 2.4.3 started by root, uid 0
Dec 2 23:43:49 bt-server pppd[7541]: using channel 2105
Dec 2 23:43:49 bt-server pppd[7541]: Using interface ppp2
Dec 2 23:43:49 bt-server pppd[7541]: Connect: ppp2 <--> /dev/pts/4
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x4d928d7a> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP EchoReq id=0x0 magic=0x6d3895f7]
Dec 2 23:43:49 bt-server pppd[7541]: sent [CHAP Challenge id=0x12 <4885f2c708e0dbd85a3cf7cf60ed6b24>, name = "IPsecVPN"]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoReq id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP EchoRep id=0x0 magic=0x6d3895f7]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP EchoRep id=0x0 magic=0x4d928d7a]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CHAP Response id=0x12 <c574d7703411572a98de35e99f3d81ad00000000000000000b4906c55495f2727310659600c5c1 405145b06079ad9fbe00>, name = "xxx"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CHAP Success id=0x12 "S=2C78FC23BCE0D753988BB8A6AA9EB3EB22326318 M=Access granted"]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 192.168.184.2>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
Dec 2 23:43:50 bt-server pppd[7541]: LCP terminated by peer (MPPE required but peer negotiation failed)
Dec 2 23:43:50 bt-server pppd[7541]: sent [LCP TermAck id=0x2]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: Discarded non-LCP packet when LCP not open
Dec 2 23:43:50 bt-server l2tpd[6376]: control_finish: Connection closed to 63.231.xxx.xxx, serial 1 ()
Dec 2 23:43:50 bt-server pppd[7541]: Terminating on signal 15
Dec 2 23:43:50 bt-server pppd[7541]: Modem hangup
Dec 2 23:43:50 bt-server pppd[7541]: Connection terminated.
Dec 2 23:43:50 bt-server pppd[7541]: Connect time 0.1 minutes.
Dec 2 23:43:50 bt-server pppd[7541]: Sent 41 bytes, received 10 bytes.
Dec 2 23:43:50 bt-server pppd[7541]: Exit.
Even if I force MPPE on the Linux side, I get the same error. Please fix!
Regards
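
Added example, not part of either post above: a small Python triage script that reads pppd debug lines like the Linux-side log in this thread, decodes the MPPE option flags, and reports which side requested MPPE, which side rejected it, and who tore the link down. The function names and result keys are illustrative choices; the flag meanings follow the MPPE bit names in RFC 3078, and the sample lines are copied from the log quoted above.

```python
import re

# Flag letters pppd prints for the MPPE CCP option (bit names per RFC 3078).
MPPE_FLAGS = {
    "H": "stateless mode",
    "M": "56-bit key",
    "S": "128-bit key",
    "L": "40-bit key",
    "D": "obsolete D bit",
    "C": "MPPC compression",
}

PACKET_RE = re.compile(
    r"(?P<dir>sent|rcvd) \[(?P<proto>[A-Z]+) (?P<code>\w+) id=0x[0-9a-f]+(?P<rest>.*)\]\s*$"
)
OPTION_RE = re.compile(r"<([^<>]+)>")
QUOTED_RE = re.compile(r'"([^"]*)"')

# pppd logs from its own point of view: "sent" is this host, "rcvd" is the peer.
SIDE = {"sent": "local", "rcvd": "peer"}

# Sample input: lines copied from the Linux-side pppd debug log quoted in the thread.
SAMPLE_LOG = """\
Dec 2 23:43:49 bt-server pppd[7541]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:49 bt-server pppd[7541]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x6d3895f7> <pcomp> <accomp>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfReq id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: sent [CCP ConfRej id=0x1 <mppe +H -M +S +L -D -C>]
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [LCP TermReq id=0x2 "MPPE required but peer negotiation failed"]
Dec 2 23:43:50 bt-server pppd[7541]: LCP terminated by peer (MPPE required but peer negotiation failed)
Dec 2 23:43:50 bt-server pppd[7541]: rcvd [CCP ConfRej id=0x1 <deflate 15> <deflate(old#) 15> <bsd v1 15>]
""".splitlines()


def parse_packets(lines):
    """Yield (sender, protocol, code, options, quoted_text) for each PPP packet line."""
    for line in lines:
        m = PACKET_RE.search(line)
        if not m:
            continue  # status lines such as "Connection terminated." carry no packet
        rest = m.group("rest")
        quoted = QUOTED_RE.search(rest)
        yield (SIDE[m.group("dir")], m.group("proto"), m.group("code"),
               OPTION_RE.findall(rest), quoted.group(1) if quoted else None)


def decode_mppe(option):
    """Turn 'mppe +H -M +S +L -D -C' into the list of flag letters that are set."""
    return [tok[1:] for tok in option.split()[1:]
            if tok.startswith("+") and tok[1:] in MPPE_FLAGS]


def diagnose(lines):
    """Summarise the auth, CCP and termination events found in a pppd debug log."""
    result = {"auth": None, "mppe_requested_by": None, "mppe_flags": [],
              "mppe_rejected_by": None, "other_ccp_offers": [],
              "terminated_by": None, "term_reason": None}
    for sender, proto, code, options, text in parse_packets(lines):
        if proto == "LCP" and code == "ConfAck":
            # An auth option inside a ConfAck is the method both ends agreed on.
            for opt in options:
                if opt.startswith("auth "):
                    result["auth"] = opt[len("auth "):]
        elif proto == "CCP" and code == "ConfReq":
            for opt in options:
                if opt.startswith("mppe"):
                    result["mppe_requested_by"] = sender
                    result["mppe_flags"] = decode_mppe(opt)
                else:
                    result["other_ccp_offers"].append((sender, opt))
        elif proto == "CCP" and code == "ConfRej":
            if any(opt.startswith("mppe") for opt in options):
                result["mppe_rejected_by"] = sender
        elif proto == "LCP" and code == "TermReq" and result["terminated_by"] is None:
            result["terminated_by"], result["term_reason"] = sender, text
    return result


def explain(result):
    """One-line reading of the negotiation for a human triaging the log."""
    asker, rejecter = result["mppe_requested_by"], result["mppe_rejected_by"]
    if asker is None:
        return "no MPPE request seen in CCP"
    wanted = ", ".join(MPPE_FLAGS[f] for f in result["mppe_flags"])
    if rejecter is not None and rejecter != asker:
        return "%s requested MPPE (%s); %s rejected it with CCP ConfRej" % (
            asker, wanted, rejecter)
    return "%s requested MPPE (%s); no ConfRej for it in these lines" % (asker, wanted)


if __name__ == "__main__":
    summary = diagnose(SAMPLE_LOG)
    print(explain(summary))
    print("link terminated by %s: %s" % (summary["terminated_by"], summary["term_reason"]))
```

Read against the thread's log, this shows the client asking for stateless MPPE with 128-bit and 40-bit keys while the server's pppd offers only compression and rejects the MPPE option, after which the client terminates. The pluto line in the same log shows an ESP SA with AES128-HMACSHA1 already carrying the L2TP traffic, so the rejected MPPE layer would have sat inside IPsec.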

Similar Messages

  • MPPE required but not available

    Hi,
    Seems like this issue is recurring on the discussion board.
    I am running pptp-vpn on an osx server 10.5.7, which is also an OD master.
    EDIT: Should add that I was using my OD accounts to VPN, not local accounts.
    Until yesterday, the pptp-vpn worked. But today I get this error (I made some changes to the DNS server yesterday, and shut down the OD replica, which is probably what caused it):
    "MPPE required but not available."
    Logs here:
    #Start-Date: 2009-07-31 09:28:31 CEST
    #Fields: date time s-comment
    2009-07-31 09:28:31 CEST Loading plugin /System/Library/Extensions/PPTP.ppp
    2009-07-31 09:28:31 CEST Listening for connections...
    2009-07-31 09:28:54 CEST Incoming call... Address given to client = 10.3.10.1
    Fri Jul 31 09:28:55 2009 : Directory Services Authentication plugin initialized
    Fri Jul 31 09:28:55 2009 : Directory Services Authorization plugin initialized
    Fri Jul 31 09:28:55 2009 : PPTP incoming call in progress from 'HEREWASMYCLIENTIP'...
    Fri Jul 31 09:28:55 2009 : PPTP connection established.
    Fri Jul 31 09:28:55 2009 : using link 0
    Fri Jul 31 09:28:55 2009 : Using interface ppp0
    Fri Jul 31 09:28:55 2009 : Connect: ppp0 <--> socket[34:17]
    Fri Jul 31 09:28:55 2009 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xfebd0071> <pcomp> <accomp>]
    Fri Jul 31 09:28:55 2009 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xc1569522> <pcomp> <accomp>]
    Fri Jul 31 09:28:55 2009 : lcp_reqci: returning CONFACK.
    Fri Jul 31 09:28:55 2009 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0xc1569522> <pcomp> <accomp>]
    Fri Jul 31 09:28:55 2009 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xfebd0071> <pcomp> <accomp>]
    Fri Jul 31 09:28:55 2009 : sent [LCP EchoReq id=0x0 magic=0xfebd0071]
    Fri Jul 31 09:28:55 2009 : sent [CHAP Challenge id=0x87 <90748838ee766580e2607fe03aabb64d>, name = "MYSERVERHOSTNAMEHERE"]
    Fri Jul 31 09:28:55 2009 : rcvd [LCP EchoReq id=0x0 magic=0xc1569522]
    Fri Jul 31 09:28:55 2009 : sent [LCP EchoRep id=0x0 magic=0xfebd0071]
    Fri Jul 31 09:28:55 2009 : rcvd [LCP EchoRep id=0x0 magic=0xc1569522]
    Fri Jul 31 09:28:55 2009 : rcvd [CHAP Response id=0x87 <ed961c48a2d2bf4a740d5bc5c8fe52120000000000000000fad480211366fb8d7360a82a1cfe50 c9e994fe5f85c9166900>, name = "larsrohdin"]
    Fri Jul 31 09:28:55 2009 : sent [CHAP Success id=0x87 "S=EB025BB4770A6FF010F57860F8B00FDE74FDDC00 M=Access granted"]
    Fri Jul 31 09:28:55 2009 : CHAP peer authentication succeeded for larsrohdin
    Fri Jul 31 09:28:55 2009 : DSAccessControl plugin: User 'larsrohdin' authorized for access
    Fri Jul 31 09:28:55 2009 : MPPE required, but keys are not available. Possible plugin problem?
    Fri Jul 31 09:28:55 2009 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
    Fri Jul 31 09:28:55 2009 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
    Fri Jul 31 09:28:55 2009 : rcvd [LCP TermAck id=0x2]
    Fri Jul 31 09:28:55 2009 : Connection terminated.
    Fri Jul 31 09:28:55 2009 : Connect time 0.0 minutes.
    Fri Jul 31 09:28:55 2009 : Sent 0 bytes, received 0 bytes.
    Fri Jul 31 09:28:55 2009 : PPTP disconnecting...
    Fri Jul 31 09:28:55 2009 : PPTP disconnected
    2009-07-31 09:28:55 CEST --> Client with address = 10.3.10.1 has hungup
    I have tried everything in this thread:
    http://discussions.apple.com/thread.jspa?threadID=1286988&tstart=0
    and this one:
    http://discussions.apple.com/thread.jspa?messageID=6560466
    But no luck.
    Any ideas? Anyone? Really do not want to reinstall my server again.
    Or as another solution, are there any third-party pptp-servers out there for osx server, as this one is really unreliable?
    Best Regards,
    Lars Rohdin

    Tyghe got it right, HOWEVER, if your OD is munged for any reason OR there is more than one user, you may need to be more 'invasive' about cleaning up and then fixing this issue.
    If you run the command `vpnaddkeyagentuser /LDAPv3/<od servername>` and it just keeps prompting me like it isn't authenticating, your OD is probably either unstable or non-functional. Probably needs an archive and demote-promote.
    If you run the command and it runs without prompting me for any username or password and adds an entry into the system keychain but does not create a user on the OD server, it is probably a similar issue to the one above.
    The way I would deal with this is to clear the keychain of EVERY entry, then open WGM, delete all the VPN MPPE users, and try the command again. There will only be one user that contains the 'secret' password for MPPE use, attached to VPN, and the password is placed into the keychain; all others are now dead.
    Peter

  • PPTP "MPPE required, but keys are not available"

    Dear all
    Since the last reboot of my server I get the following error message in the VPN logfile when a user tries to connect to the server through PPTP:
    MPPE required, but keys are not available. Possible plugin problem?
    Does anyone have an idea what could be wrong?
    Maybe as additional information: After the restart of the server I had the problem that the VPN server was not started, because the L2TP definitions were not correct... the logfile told me. So I have redefined the PPTP and L2TP settings, but disabled the L2TP login, because I have defined this "only" for test purposes. All definitions were made with Server Administrator.
    Before the restart of the server, login through PPTP was working quite well...
    I forgot to say that the server (Leopard 10.5.1) is an OD Master, which is working quite well (until now). The authentication type for PPTP is set to MS-CHAP (Kerberos is grayed out, I don't know why).
    Cheers Daniel

    Here I now have some logfiles from vpnd... maybe this helps to see the problem I have overlooked:
    Wed Dec 12 02:21:21 2007 : Directory Services Authentication plugin initialized
    Wed Dec 12 02:21:21 2007 : Directory Services Authorization plugin initialized
    Wed Dec 12 02:21:21 2007 : PPTP incoming call in progress from 'xxx.xxx.xxx.xxx'...
    Wed Dec 12 02:21:21 2007 : PPTP connection established.
    Wed Dec 12 02:21:21 2007 : using link 0
    Wed Dec 12 02:21:21 2007 : Using interface ppp0
    Wed Dec 12 02:21:21 2007 : Connect: ppp0 <--> socket[34:17]
    Wed Dec 12 02:21:21 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
    Wed Dec 12 02:21:21 2007 : rcvd [LCP ConfReq id=0x0 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp> <callback CBCP>]
    Wed Dec 12 02:21:21 2007 : lcp_reqci: rcvd unknown option 13
    Wed Dec 12 02:21:21 2007 : lcp_reqci: returning CONFREJ.
    Wed Dec 12 02:21:21 2007 : sent [LCP ConfRej id=0x0 <callback CBCP>]
    Wed Dec 12 02:21:21 2007 : rcvd [LCP ConfReq id=0x1 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp>]
    Wed Dec 12 02:21:21 2007 : lcp_reqci: returning CONFACK.
    Wed Dec 12 02:21:21 2007 : sent [LCP ConfAck id=0x1 <mru 1400> <magic 0xfb9005f> <pcomp> <accomp>]
    Wed Dec 12 02:21:24 2007 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
    Wed Dec 12 02:21:24 2007 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0x5045e9f1> <pcomp> <accomp>]
    Wed Dec 12 02:21:24 2007 : sent [LCP EchoReq id=0x0 magic=0x5045e9f1]
    Wed Dec 12 02:21:24 2007 : sent [CHAP Challenge id=0x82 <ea8c6372a227309685ab6c0a36d64aec>, name = "server.anywhere.com"]
    Wed Dec 12 02:21:24 2007 : rcvd [LCP code=0xc id=0x2 0f b9 00 5f 4d 53 52 41 53 56 35 2e 31 30]
    Wed Dec 12 02:21:24 2007 : sent [LCP CodeRej id=0x2 0c 02 00 12 0f b9 00 5f 4d 53 52 41 53 56 35 2e 31 30]
    Wed Dec 12 02:21:24 2007 : rcvd [LCP code=0xc id=0x3 0f b9 00 5f 4d 53 52 41 53 2d 30 2d 50 43 31 36 37]
    Wed Dec 12 02:21:24 2007 : sent [LCP CodeRej id=0x3 0c 03 00 15 0f b9 00 5f 4d 53 52 41 53 2d 30 2d 50 43 31 36 37]
    Wed Dec 12 02:21:24 2007 : rcvd [LCP EchoRep id=0x0 magic=0xfb9005f]
    Wed Dec 12 02:21:24 2007 : rcvd [CHAP Response id=0x82 <41....0>, name = "testuser"]
    Wed Dec 12 02:21:24 2007 : DSAuth plugin: Could not retrieve key agent account information.
    Wed Dec 12 02:21:24 2007 : sent [CHAP Success id=0x82 "S=4020C83B....A M=Access granted"]
    Wed Dec 12 02:21:24 2007 : CHAP peer authentication succeeded for testuser
    Wed Dec 12 02:21:24 2007 : DSAccessControl plugin: User 'testuser' authorized for access
    Wed Dec 12 02:21:24 2007 : MPPE required, but keys are not available. Possible plugin problem?
    Wed Dec 12 02:21:24 2007 : sent [LCP TermReq id=0x4 "MPPE required but not available"]
    Wed Dec 12 02:21:24 2007 : rcvd [CCP ConfReq id=0x4 <mppe +H +M +S +L -D +C>]
    Wed Dec 12 02:21:24 2007 : rcvd [IPCP ConfReq id=0x5 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-wins1 0.0.0.0> <ms-dns3 0.0.0.0> <ms-wins3 0.0.0.0>]
    Wed Dec 12 02:21:24 2007 : rcvd [LCP TermAck id=0x4 "MPPE required but not available"]
    Wed Dec 12 02:21:24 2007 : Connection terminated.
    Wed Dec 12 02:21:24 2007 : Connect time 0.1 minutes.
    Wed Dec 12 02:21:24 2007 : Sent 0 bytes, received 0 bytes.
    Wed Dec 12 02:21:25 2007 : PPTP disconnecting...
    Wed Dec 12 02:21:25 2007 : PPTP disconnected
    2007-12-12 02:21:25 CET --> Client with address = 192.168.yyy.yyy has hungup

  • MPPE required, but keys are not available.

    I am trying to connect my home computer to my office (Mac OS X Server).
    Error in the Mac OS X Server log:
    Tue Sep 26 20:16:59 2006 : sent [CHAP Success id=0x1e "S=A1ED1D0E3ABF7A4187D8F43458C7C0C5F487B9AE M=Access granted"]
    Tue Sep 26 20:16:59 2006 : DSAccessControl plugin: User 'ppina' authorized for access
    Tue Sep 26 20:16:59 2006 : MPPE required, but keys are not available. Possible plugin problem?
    Tue Sep 26 20:16:59 2006 : sent [LCP TermReq id=0x2 "MPPE required but not available"]
    Tue Sep 26 20:16:59 2006 : rcvd [CCP ConfReq id=0x1 <mppe +H -M +S +L -D -C>]
    Tue Sep 26 20:17:00 2006 : rcvd [LCP TermAck id=0x2]
    Tue Sep 26 20:17:00 2006 : Connection terminated.
    Tue Sep 26 20:17:00 2006 : Connect time 0.0 minutes.
    Tue Sep 26 20:17:00 2006 : Sent 0 bytes, received 0 bytes.
    Tue Sep 26 20:17:00 2006 : PPTP disconnecting...
    Tue Sep 26 20:17:00 2006 : PPTP disconnected
    2006-09-26 20:17:00 WEST --> Client with address = 172.16.12.119 has hungup

    Run this:
    `sudo vpnaddkeyagentuser`
    Authenticate as your admin and then if it does not give an error you should be all set.
    See this http://docs.info.apple.com/article.html?artnum=107915 for more info (it talks about an LDAP server but when I tried to add that 'user' to my LDAP server it did not help, so I added it locally (which is what the above command does) and then voilà!)
    Peter
    PowerMac G5 Dual 2.5Ghz   Mac OS X (10.4.6)   Server

  • IPSec timeout: "ERROR Hybrid auth negotiated but peer did not succeed Xauth

    I'm using the Cisco IPSec VPN client on the iPad to connect to a Linux server running racoon.
    Initially the connection works fine but after a while it stalls completely due to a timeout.
    Linux box logs:
    13:18:00 Linux racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
    13:18:00 Linux racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
    13:18:03 Linux racoon: ERROR: Hybrid auth negotiated but peer did not succeed Xauth exchange
    13:18:03 Linux racoon: ERROR: Attempt to start phase 2 whereas Xauth failed
    iPad logs:
    13:17:55 Pad racoon 719 <Info>: 719 INFO: initiate new phase 2 negotiation: 192.168.1.100[0]<=>x.x.x.x[0]
    13:17:55 Pad racoon 719 <Info>: 719 INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
    13:18:25 Pad racoon 719 <Info>: 719 ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
    Server-side racoon config:
    remote anonymous
    passive on;
    exchange_mode aggressive,main;
    my_identifier fqdn "xxxxxxxxx.xxx";
    generate_policy on;
    nat_traversal on;
    mode_cfg on;
    xauth_login "ipsecvpn";
    script "p1updown" phase1_up;
    script "p1updown" phase1_down;
    #dpd_delay 20;
    #dpd_retry 5;
    #dpd_maxfail 5;
    #dpd_algorithm dpdblackholedetect;
    initial_contact on;
    lifetime time 24 hour;
    proposal_check strict;
    proposal {
    encryption_algorithm aes 256;
    hash_algorithm sha1;
    dh_group 2;
    authentication_method xauthpskserver;
    # authentication_method presharedkey;
    mode_cfg
    # auth_source pam;
    auth_source system;
    auth_throttle 3;
    auth_source system;
    save_passwd on;
    conf_source local;
    accounting system;
    network4 10.8.1.2;
    netmask4 255.255.255.0;
    pool_size 255;
    dns4 10.8.1.1;
    # default_domain "xxxxxxxxx.xxx";
    # split_network include 10.8.0.0/16;
    # split_dns "xxxxxxxxx.xxx";
    pfs_group 2;
    sainfo anonymous
    lifetime time 12 hour;
    # lifetime byte 50 MB;
    encryption_algorithm aes, blowfish;
    authentication_algorithm hmac_sha1 ;
    compression_algorithm deflate ;
    pfs_group 2;
    # EOF
    iPad fw: 3.2.1 (same problem also with 3.2.2)
    Any ideas?

    Re-keying issue? I dunno. The manual mentions Phase 1, and your log points to Phase 2, but maybe it's worth a shot.
    "Re-keying of Phase 1: Not currently supported. Recommend that re-keying times on
    the server be set to approximately one hour."
    Incidentally, how do you get logs off of the iPad?

  • Getting Error 789 When Trying to Connect to L2TP VPN

    Can someone take a quick look at this config and let me know why the L2TP vpn is not working?  I have been banging my head with no results.
    Thanks so much if anyone can help me.
    ASA Version 8.2(5)
    hostname companyASA
    domain-name *****.com
    enable password encrypted
    passwd encrypted
    names
    name 192.168.1.0 AppletonData description Appleton Data
    name 172.16.0.0 AppletonVoice description Appleton Voice
    name 172.16.16.0 Watertown description Watertown
    name 10.0.0.0 anyInside description anyInside
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    switchport access vlan 209
    interface Ethernet0/7
    switchport access vlan 209
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.76.3.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 12.XXX.XXX.XXX 255.255.255.0
    interface Vlan209
    nameif IPOffice
    security-level 50
    ip address 10.10.109.1 255.255.255.0
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 8.8.8.8
    domain-name *****.com
    object-group network obj_any
    object-group network Any10Address
    description Data and Phone Networks Combined
    object-group network AppletonData
    description Appleton Data Network
    object-group network AppletonPhone
    description Appleton Phone Network
    object-group network NETWORK_OBJ_10.76.3.0_24
    object-group network Watertown
    description Watertown Network
    object-group network NETWORK_OBJ_10.10.109.0_24
    object-group network Internal-Subnet
    access-list Split-Tunnel-ACL standard permit 10.76.3.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any inactive
    access-list outside_1_cryptomap extended permit ip 10.76.3.0 255.255.255.0 AppletonData 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.76.3.0 255.255.255.0 AppletonData 255.255.255.0
    access-list inside_nat0_outbound extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 10.76.3.0 255.255.255.0 192.168.50.0 255.255.255.192
    access-list IPOffice_nat0_outbound extended permit ip 10.10.109.0 255.255.255.0 AppletonVoice 255.255.255.0
    access-list IPOffice_nat0_outbound extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 10.10.109.0 255.255.255.0 AppletonVoice 255.255.255.0
    access-list outside_3_cryptomap extended permit ip anyInside 255.0.0.0 Watertown 255.255.255.0
    access-list DefaultRAGroup_splitTunnelAcl standard permit 10.76.3.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu IPOffice 1500
    ip local pool VPN_Pool 192.168.50.10-192.168.50.50 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    nat (IPOffice) 0 access-list IPOffice_nat0_outbound
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 12.133.127.169 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 10.76.3.0 255.255.255.0 inside
    http 0.0.0.0 0.0.0.0 outside
    no snmp-server location
    no snmp-server contact
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
    crypto ipsec transform-set l2tp-transform mode transport
    crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dyn-map 10 set transform-set l2tp-transform vpn-transform
    crypto dynamic-map dyn-map 10 set reverse-route
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 99.6XX.XXX.XXX
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 99.1XX.XXX.XXX
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer 24.XXX.XXX.XXX
    crypto map L2TP-VPN-MAP 1 match address outside_1_cryptomap
    crypto map L2TP-VPN-MAP 1 set pfs
    crypto map L2TP-VPN-MAP 1 set peer 99.6XX.XXX.XXX
    crypto map L2TP-VPN-MAP 1 set transform-set ESP-3DES-SHA
    crypto map L2TP-VPN-MAP 2 match address outside_2_cryptomap
    crypto map L2TP-VPN-MAP 2 set pfs
    crypto map L2TP-VPN-MAP 2 set peer 99.1XX.XXX.XXX
    crypto map L2TP-VPN-MAP 2 set transform-set ESP-3DES-SHA
    crypto map L2TP-VPN-MAP 3 match address outside_3_cryptomap
    crypto map L2TP-VPN-MAP 3 set pfs
    crypto map L2TP-VPN-MAP 3 set peer 24.XXX.XXX.XXX
    crypto map L2TP-VPN-MAP 3 set transform-set ESP-3DES-SHA
    crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
    crypto map vpn-map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 5
    console timeout 0
    dhcpd auto_config outside
    dhcpd address 10.76.3.5-10.76.3.254 inside
    dhcpd dns 8.8.8.8 interface inside
    dhcpd domain *****.com interface inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 8.8.8.8
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
    default-domain value *****.com
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol l2tp-ipsec
    group-policy GroupPolicy_99.6XX.XXX.XXX internal
    group-policy GroupPolicy_99.6XX.XXX.XXX attributes
    vpn-tunnel-protocol IPSec
    group-policy GroupPolicy_24.XXX.XXX.XXX internal
    group-policy GroupPolicy_24.XXX.XXX.XXX attributes
    vpn-tunnel-protocol IPSec
    group-policy GroupPolicy_99.1XX.XXX.XXX internal
    group-policy GroupPolicy_99.1XX.XXX.XXX attributes
    vpn-tunnel-protocol IPSec
    group-policy vpn-policy internal
    group-policy vpn-policy attributes
    vpn-tunnel-protocol IPSec
    username support password encrypted privilege 15
    username lmk1 password nt-encrypted
    username admin password encrypted privilege 15
    username drm1 password nt-encrypted
    username jms1 password nt-encrypted
    username tcb1 password nt-encrypted
    username jmb1 password nt-encrypted
    username enm1 password nt-encrypted
    username jason password nt-encrypted
    username amw1 password nt-encrypted
    username alp1 password nt-encrypted
    username lab1 password nt-encrypted
    tunnel-group DefaultL2LGroup ipsec-attributes
    isakmp keepalive threshold 15 retry 2
    tunnel-group DefaultRAGroup general-attributes
    address-pool VPN_Pool
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    isakmp keepalive disable
    tunnel-group DefaultRAGroup ppp-attributes
    authentication pap
    no authentication chap
    authentication ms-chap-v2
    tunnel-group 99.6XX.XXX.XXX type ipsec-l2l
    tunnel-group 99.6XX.XXX.XXX general-attributes
    default-group-policy GroupPolicy_99.6XX.XXX.XXX
    tunnel-group 99.6XX.XXX.XXX ipsec-attributes
    pre-shared-key *****
    tunnel-group 99.1XX.XXX.XXX type ipsec-l2l
    tunnel-group 99.1XX.XXX.XXX general-attributes
    default-group-policy GroupPolicy_99.1XX.XXX.XXX
    tunnel-group 99.1XX.XXX.XXX ipsec-attributes
    pre-shared-key *****
    tunnel-group 24.XXX.XXX.XXX type ipsec-l2l
    tunnel-group 24.XXX.XXX.XXX general-attributes
    default-group-policy GroupPolicy_24.XXX.XXX.XXX
    tunnel-group 24.XXX.XXX.XXX ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous

    What is the version of Contribute and also the Mac OS ?
    Can you try clearing the Preferences this would be like launching Contribute freshly?

  • Cannot connect to RV110w VPN error 619

    Hello,
    I'm having problems logging into my RV110w using either quickvpn or a windows pptp client connection....
    I've been following the guide here but I just can't connect....I can connect via remote management however....
    https://supportforums.cisco.com/document/124251/remote-vpn-tunnel
    So  :
    IPSec, PPTP and L2Tp enabled.
    RV110w firewall enabled
    Block WAN Request enabled
    Remote Management enabled - port 443
    MPPE Encryption Enabled
    Netbios over VPN Enabled
    2 Clients created one for quickvpn and one for pptp.
    Win 7 firewall enabled at remote end with rule to allow inbound ICMP Echo.
    Exported Certificate and copied to the quickvpn install folder.
    Disabled all other network adapters
    QuickVPN tries to connect then shows a message listing possible reasons for a failed connection....
    The quickvpn log shows:
    2015/02/01 12:14:58 [STATUS]OS Version: Windows 7
    2015/02/01 12:14:58 [STATUS]Windows Firewall Domain Profile Settings: ON
    2015/02/01 12:14:58 [STATUS]Windows Firewall Private Profile Settings: ON
    2015/02/01 12:14:58 [STATUS]Windows Firewall Private Profile Settings: ON
    2015/02/01 12:14:58 [STATUS]One network interface detected with IP address 192.168.1.79
    2015/02/01 12:14:58 [STATUS]Connecting...
    2015/02/01 12:14:58 [DEBUG]Input VPN Server Address = 90.2.30.86
    2015/02/01 12:14:58 [STATUS]Connecting to remote gateway with IP address: 90.2.30.86
    2015/02/01 12:14:59 [STATUS]Remote gateway was reached by https ...
    2015/02/01 12:14:59 [WARNING]Remote gateway wasn't reached...
    2015/02/01 12:14:59 [WARNING]Failed to connect.
    2015/02/01 12:15:20 [WARNING]Remote gateway wasn't reached...
    2015/02/01 12:15:20 [WARNING]Failed to connect.
    2015/02/01 12:15:20 [WARNING]Failed to connect!
    The RV110w doesn't seem to log anything...?
    If I try to connect using a windows pptp vpn connection I get an error 619 straight away and the RV110w log shows:
    1  2015-02-01 12:20:14 AM  info   pptpd[22775]: CTRL: Client 123.150.210.162 control connection finished
    2  2015-02-01 12:20:14 AM  debug  pptpd[22775]: CTRL: Reaping child PPP[22780]
    3  2015-02-01 12:20:14 AM  err    pptpd[22775]: CTRL: PTY read or GRE write failed (pty,gre)=(12,13)
    4  2015-02-01 12:20:14 AM  err    pptpd[22775]: GRE: read(fd=12,buffer=451c4c,len=8196) from PTY failed: status = -1 error = Input/output error, usually caused by unexpected termination of pppd, check option syntax and pppd logs
    5  2015-02-01 12:20:14 AM  err    pppd[22780]: but I couldn't find any suitable secret (password) for it to use to do so.
    6  2015-02-01 12:20:14 AM  err    pppd[22780]: The remote system is required to authenticate itself
    7  2015-02-01 12:20:14 AM  info   pptpd[22775]: CTRL: Starting call (launching pppd, opening GRE)
    8  2015-02-01 12:20:14 AM  info   pptpd[22775]: CTRL: Client 123.150.210.162 control connection started
    This is all behind a talktalk fibre router, they say it's transparent and doesn't block anything but they won't support me any further than that. Ports 443 and 1723 do seem to be open when I scan so as far as I can see the talktalk router is transparent.
    Do I need to create any rules on the RV110w firewall to get this working? or forward any ports to the router itself?
    Thanks for any help, Kevin

    I believe the problem is in iOS, as I am experiencing the same issue.
    I have a Yosemite Server running an L2TP VPN server and my Mac connects flawlessly, while neither the iPhone nor the iPad (both 8.2) is able to connect.
    The error is the same, "The L2TP-VPN server did not respond", and by looking at the server's log it seems iOS didn't even try to connect.
    I have tried changing the server address in iOS with the corresponding IP, but the result is the same.
    Maybe a network setting reset?

  • OS X Server / VPN /The L2TP-VPN server did not respond...HELP!

    I am very new to OS X Server and my goal is to set up DNS & VPN! I would like to have this set up to be able to connect to my Apple computer from work or a friend's house. I am using an Apple AirPort Extreme router and I'm also using the latest version of OS X Mountain Lion with OS X Server installed. I have started an account with the dyndns website for a user host name (using a [email protected] address). I assume this would be used as an alternate way of being able to connect without starting a personal website. I also signed up for another site (no-ip) and I now have a different IP address (not sure if that was necessary). I then followed instructions on YouTube (instructional videos by todd for OS X Server Mountain Lion) which seemed to be very easy to understand. But after setting up my VPN on the client side (network settings in System Preferences), I tried to connect to the VPN (L2TP) and I receive this error message: "The L2TP-VPN server did not respond. Try reconnecting. If the problem continues, verify your settings and contact your Administrator.". When I open Console in the Utilities folder, I see part of the following message below:
    racoon[117]: IKE Packet: transmit success. (Phase1 Retransmit).
    racoon[117]: IKE Packet: receive failed. (malformed or unexpected cookie).
    pppd[490]: IPSec connection failed
    Does anyone know what's happening or what I need to do to fix this?  Or can someone tell me the basic requirements to setting things up correctly?

    I'm using Comcast for my ISP and from the wall I have a Motorola Surfboard 6120 cable modem (not sure how to access my settings on the modem). So basically I have my 6120 cable modem connected to the Apple AirPort Extreme router, which is then wirelessly connected to my MacBook Pro. I'm providing screenshots of my Apple router settings, OS X Server settings and firewall (which is turned off) settings. Any suggestions on how I should set things up, or if you can tell me step by step, would be greatly appreciated.

  • VPN Problems - The L2TP-VPN server did not respond

    Okay, so I read quite a few threads about this and can't really figure it out. Would be great if I can get some handholding.
    I'm a complete newbie, trying to set up Server for home use. The VPN service seems to be running fine, but I just can't connect from the clients, it just keeps saying "The L2TP-VPN server did not respond". Here is a glimpse at my settings:
    - I have opened up all the relevant ports for UDP (500,1701,4500) and TCP (1723). But this is only required for the Server, right?
    - I don't have a domain name yet so just using my external IP. This is what I put in under VPN Host name in the Server and Client settings.
    - I login with username and password credentials for one of my network users as created in the Server. Format is [email protected] and the password is the same as the login password.
    ** I seem to get an 'authentication failed' error if I just use my local IP address... Not sure what's happening there, but before that I need to be able to connect to Server with the external IP!
    Am I missing something? Why won't my client connect and that too when I'm at home?

    To run a public VPN server behind an NAT gateway, you need to do the following:
    1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
    2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
    3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
    If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked "Allow incoming IPSec authentication" if it's not already checked, and save the change.
    With a third-party router, there may be a similar setting.
    4. Configure any firewall in use to pass this traffic.
    5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.1.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/0 with a 24-bit netmask.
    6. "Back to My Mac" on the server is incompatible with the VPN service.
    If the server is directly connected to the Internet, see this blog post.
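The overlap rule in step 5 of the answer above, worked through as an added example (not part of the original answer). It assumes the pool is drawn from the RFC 1918 block 10.0.0.0/8; the function names and the sample client networks are hypothetical and constructed for illustration.

```python
import ipaddress
import random

# Assumption (not from the original answer): the VPN pool is drawn from the
# RFC 1918 private block 10.0.0.0/8.
PRIVATE_RANGE = ipaddress.ip_network("10.0.0.0/8")


def parse_net(text):
    """Parse 'address/prefix' as a network, tolerating set host bits.

    '10.0.1.0/16' is an address on a /16, not a network address; strict=False
    normalises it to the network it belongs to (10.0.0.0/16) instead of
    raising ValueError.
    """
    return ipaddress.ip_network(text, strict=False)


def conflicts(vpn_pool, client_lan):
    """Return True when the client's local network overlaps the VPN pool."""
    return parse_net(vpn_pool).overlaps(parse_net(client_lan))


def conflicting_lans(vpn_pool, client_lans):
    """Map each conflicting client name to its normalised network."""
    pool = parse_net(vpn_pool)
    return {
        name: str(parse_net(net))
        for name, net in client_lans.items()
        if pool.overlaps(parse_net(net))
    }


def pick_vpn_pool(known_client_lans, rng=None, max_tries=1000):
    """Pick a random /24 inside 10.0.0.0/8 that overlaps none of the known LANs."""
    rng = rng or random.SystemRandom()
    lans = [parse_net(net) for net in known_client_lans]
    for _ in range(max_tries):
        candidate = ipaddress.ip_network(
            f"10.{rng.randrange(256)}.{rng.randrange(256)}.0/24"
        )
        if not any(candidate.overlaps(lan) for lan in lans):
            return candidate
    raise RuntimeError("no free /24 found; the known client LANs cover the range")


# Constructed sample input: networks that clients might connect from.
SAMPLE_CLIENT_LANS = {
    "home": "10.0.1.0/24",     # the non-conflicting case from step 5
    "office": "10.0.1.0/16",   # the conflicting case from step 5
    "cafe": "192.168.1.0/24",
}

if __name__ == "__main__":
    pool = "10.0.0.0/24"
    for name, net in conflicting_lans(pool, SAMPLE_CLIENT_LANS).items():
        print(f"{name}: {net} overlaps VPN pool {pool}")
    print("suggested pool:", pick_vpn_pool(SAMPLE_CLIENT_LANS.values()))
```

A randomly chosen /24 only lowers the chance of a clash with networks you have not listed; a client on a network that covers all of 10.0.0.0/8 will still conflict.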

  • Server L2TP  VPN will not connect after OS X restart

    I have configured an L2TP VPN service in Server v4.1 running in Yosemite v10.10.3 on an OWC 480 GB SSD in a MB Mini late 2012. After any OS X restart the VPN service starts up normally but the client on my iOS8 phone, or clients on my three other devices, iMac, MB Air or MB Pro (all running the latest Yosemite) cannot connect to it. They report service unavailable. However, if I turn the service off and then on again in the Server app, everything works as planned and continues to work until the next restart. All the other Server services configured (Website, Caching and Time Machine) work without having to perform the off then back on switch after Server app starts up.
    This is generally not a problem but if I am abroad and the Mini reboots itself following a power cut, I lose my VPN service until I can either get someone to do the off then on switch or attempt it myself with Team Viewer VNC. Has anyone any idea how I can force the VPN service to work straight after the Server app starts?
    Thanks

    1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
    The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.
    Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
    2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
    There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
    3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
    You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
    In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
    You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.
    Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
    4. Here's a general summary of what you need to do, if you choose to proceed:
    ☞ Copy a particular line of text to the Clipboard.
    ☞ Paste into the window of another application.
    ☞ Wait for the test to run. It usually takes a few minutes.
    ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
    These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.
    5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is sometimes, but not always, slow, run the test during a slowdown.
    You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
    6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
    7. Load this linked web page (on the website "Pastebin.") The title of the page is "Diagnostic Test." Below the title is a text box headed by three small icons. The one on the right represents a clipboard. Click that icon to select the text, then copy it to the Clipboard on your computer by pressing the key combination command-C.
    If the text doesn't highlight when you click the icon, select it by triple-clicking anywhere inside the box. Don't select the whole page, just the text in the box.
    8. Launch the built-in Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad and start typing the name.
    Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.
    9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
    exec bash
    and press return. Then paste the script again.
    10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.
    If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
    11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:
    [Process started]
            Part 1 of 8 done at … sec
            Part 8 of 8 done at … sec
            The test results are on the Clipboard.
            Please close this window.
    [Process completed]
    The intervals between parts won't be exactly equal, but they give a rough indication of progress. The total number of parts may be different from what's shown here.
    Wait for the final message "Process completed" to appear. If you don't see it within about ten minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it and go to the next step. You'll have incomplete results, but still something.
    12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
    At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
    If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
    13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
    14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.
    Copyright © 2014, 2015 by Linc Davis. As the sole author of this work (including the referenced "Diagnostic Test"), I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

  • Cisco 5505 VPN assistance - Resending P1 and Peer to Peer List No match

    Hello and thanks in advance to anyone that can help me with the IPSec connection. The VPNs were working when I first created them but now they won't connect. Here is the error on the primary (local) firewall: (yes I know the time isn't set yet on the firewall)
    4|May 17 2007|13:51:55|713903|||||IP = X.X.X.X, Error: Unable to remove PeerTblEntry
    3|May 17 2007|13:51:55|713902|||||IP = X.X.X.X, Removing peer from peer table failed, no match!
    6|May 17 2007|13:51:55|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
    5|May 17 2007|13:51:55|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    6|May 17 2007|13:51:47|713905|||||IP = X.X.X.X, P1 Retransmit msg dispatched to MM FSM
    5|May 17 2007|13:51:47|713201|||||IP = X.X.X.X, Duplicate Phase 1 packet detected.  Retransmitting last packet.
    The local firewall has one VPN configured and the remote has 2 (1 working and the other not): Local Firewall is Base licensing with 3DES. As far as I can tell they have the same VPN parameters but maybe the remote has pfs1 turned on? I've played with various settings and can't seem to get it to work. The cryptomap has the same firewall rules in it (obviously reversed on remote). Any help much appreciated! I have a third site doing exactly the same thing (once again also works on another site to site but not this one). It's weird because I used the IPSec wizard and got it to work and rebooted the ASA and the tunnel came up yet again but now my debug log is just full of this info and tunnels never come up... the only time it was up was for a few hours, then it won't come up anymore... odd.
    Local Fire Wall:
    hostname ciscoasa
    names
    name 172.25.42.0 MASALan
    name 172.25.7.0 FHR
    name 172.25.43.0 MR
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.25.6.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 10.10.10.30 255.255.255.0
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 2
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    boot system disk0:/asa821-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network inside-network
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object icmp
    protocol-object igmp
    protocol-object gre
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object icmp
    protocol-object igmp
    protocol-object gre
    object-group network DM_INLINE_NETWORK_4
    network-object MASALan 255.255.255.0
    network-object MR 255.255.255.0
    object-group network DM_INLINE_NETWORK_6
    network-object 172.25.6.0 255.255.255.0
    network-object FHR 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object icmp
    protocol-object igmp
    protocol-object gre
    object-group network DM_INLINE_NETWORK_3
    network-object 172.25.6.0 255.255.255.0
    network-object FHR 255.255.255.0
    object-group network DM_INLINE_NETWORK_5
    network-object MASALan 255.255.255.0
    network-object MR 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
    access-list NONAT extended permit ip any 172.25.4.0 255.255.255.0
    access-list NONAT extended permit ip 172.25.6.0 255.255.255.0 MASALan 255.255.255.0
    access-list NONAT extended permit ip FHR 255.255.255.0 MR 255.255.255.0
    access-list NONAT extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_5
    access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool RemotePool 172.25.4.1-172.25.4.2 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list NONAT
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    route inside 172.25.1.0 255.255.255.0 172.25.6.2 1
    route inside 172.25.2.0 255.255.255.0 172.25.6.2 1
    route inside 172.25.8.0 255.255.255.0 172.25.6.4 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 172.25.0.0 255.255.0.0 outside
    http 172.25.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set peer 216.183.157.158
    crypto map outside_map 2 set transform-set ESP-AES-128-SHA
    crypto map outside_map 2 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 172.25.0.0 255.255.0.0 inside
    ssh 172.25.6.0 255.255.255.0 inside
    ssh 172.25.0.0 255.255.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-filter none
    vpn-tunnel-protocol IPSec
    tunnel-group osfdremote ipsec-attributes
    pre-shared-key *
    tunnel-group X.X.X.X type ipsec-l2l
    tunnel-group X.X.X.X general-attributes
    default-group-policy GroupPolicy1
    tunnel-group X.X.X.X ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    REMOTE FIREWALL
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group CHN
    ip address pppoe setroute
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network DM_INLINE_NETWORK_1
    network-object 172.25.42.0 255.255.255.0
    network-object RFN 255.255.255.0
    object-group network DM_INLINE_NETWORK_2
    network-object RHQASAnet 255.255.255.0
    network-object RHQNet 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object ip
    protocol-object gre
    protocol-object tcp
    object-group network DM_INLINE_NETWORK_3
    network-object 172.25.42.0 255.255.255.0
    network-object RFN 255.255.255.0
    object-group network DM_INLINE_NETWORK_4
    network-object FHData 255.255.255.0
    network-object FHR 255.255.255.0
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object ip
    protocol-object gre
    protocol-object tcp
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any any eq www
    access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 RHQASAnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 RHQNet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 RHQASAnet 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.5.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip 172.25.42.0 255.255.255.0 FHData 255.255.255.0
    access-list inside_nat0_outbound extended permit ip RFN 255.255.255.0 FHR 255.255.255.0
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any object-group DM_INLINE_NETWORK_2
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any object-group DM_INLINE_NETWORK_4
    access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 FHData 255.255.255.0
    no pager
    logging enable
    logging asdm debugging
    mtu inside 1500
    mtu outside 1500
    ip local pool 192.168.5.1 192.168.5.1-192.168.5.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 101 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 101 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 10.110.10.1 1
    route inside RFN 255.255.255.0 172.25.42.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 172.25.0.0 255.255.0.0 inside
    http 10.7.72.0 255.255.255.0 inside
    http 192.168.5.0 255.255.255.0 inside
    http 192.168.5.0 255.255.255.0 outside
    http RHQNet 255.255.255.0 inside
    http RHQASAnet 255.255.255.0 inside
    http RHQASAnet 255.255.255.0 outside
    http RHQNet 255.255.255.0 outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map0 2 match address outside_cryptomap_1
    crypto map outside_map0 2 set peer Y.Y.Y.Y
    crypto map outside_map0 2 set transform-set ESP-AES-128-SHA
    crypto map outside_map0 2 set security-association lifetime seconds 28800
    crypto map outside_map0 2 set security-association lifetime kilobytes 4608000
    crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map0 interface outside
    crypto isakmp enable outside
    crypto isakmp policy 5
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 0.0.0.0 0.0.255.255 inside
    telnet 172.25.0.0 255.255.0.0 inside
    telnet 192.168.5.0 255.255.255.0 inside
    telnet 192.168.5.0 255.255.255.0 outside
    telnet timeout 5
    ssh 192.168.5.0 255.255.255.0 inside
    ssh 192.168.5.0 255.255.255.0 outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy GroupPolicy1 internal
    group-policy GroupPolicy1 attributes
    vpn-tunnel-protocol IPSec
    group-policy remotevpn internal
    group-policy remotevpn attributes
    vpn-tunnel-protocol IPSec
    vpn-group-policy remotevpn
    tunnel-group Y.Y.Y.Y type ipsec-l2l
    tunnel-group Y.Y.Y.Y general-attributes
    default-group-policy GroupPolicy1
    tunnel-group Y.Y.Y.Y ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    policy-map global-policy
    class inspection_default
      inspect pptp
    service-policy global_policy global
    prompt hostname context

    May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error history (struct &0xd578cda0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
    May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE SA MM:8e338e16 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
    May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, sending delete/delete with reason message
    May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Removing peer from peer table failed, no match!
    May 18 08:13:03 [IKEv1]: IP = X.X.X.X, Error: Unable to remove PeerTblEntr  
    Is the result and then it repeats =)
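The "FSM error history" line in the post above can be read mechanically. The following is an added example, not part of the original post and not Cisco tooling: it parses that line into an ordered list of state/event transitions and reports where the main-mode exchange stalled. It assumes the ASA prints the newest transition first and that runs of three or more spaces are terminal-wrap padding; `parse_fsm_history` and `summarize` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample: the responder debug line from the post above, kept with
# the terminal-wrap padding that split "history" and "MM_WAIT_MSG3".
SAMPLE = (
    "May 18 08:13:03 [IKEv1 DEBUG]: IP = X.X.X.X, IKE MM Responder FSM error hi"
    "          story (struct &0xd578cda0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, "
    "          EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG"
    "-->MM_SND_MSG2          , EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->"
    "MM_WAIT_MSG3, EV_RESEND_MSG-->MM_W          AIT_MSG3, NullEvent"
)

# One history entry is "STATE, EVENT"; only main-mode (MM_) states are handled.
PAIR = re.compile(r"\b(MM_[A-Z0-9_]+)\s*,\s*(EV_[A-Z0-9_]+|NullEvent)\b")


def parse_fsm_history(line):
    """Return [(state, event), ...] oldest first; [] if not an FSM history line."""
    text = re.sub(r"\s{3,}", "", line)  # assumption: 3+ spaces is wrap padding
    if "FSM error history" not in text:
        return []
    # Assumption: the ASA prints the newest transition first, so reverse it.
    return PAIR.findall(text)[::-1]


def summarize(history):
    """Report where the exchange ended and which states kept retransmitting."""
    if not history:
        return None
    waits = [state for state, _ in history if state.startswith("MM_WAIT_MSG")]
    resends = Counter(state for state, event in history if event == "EV_RESEND_MSG")
    stalled = waits[-1] if waits else None
    return {
        "final": history[-1],
        "stalled_in": stalled,
        # Main-mode message number the responder was still waiting for.
        "awaited_msg": int(stalled[len("MM_WAIT_MSG"):]) if stalled else None,
        "resends": dict(resends),
    }


if __name__ == "__main__":
    for state, event in parse_fsm_history(SAMPLE):
        print(f"{state:14} {event}")
    print(summarize(parse_fsm_history(SAMPLE)))
```

For the line in the post, the summary shows the responder retransmitting while waiting for main-mode message 3 and then erroring out, so phase 1 never completed and the IPsec transform sets were not yet in play.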

  • L2TP VPN Server only accepts one client at a time

    We have an ISA570 on Site 1 with the following Network Config:
    192.168.100.XXX
    255.255.255.0
    192.168.100.254 (GW)
    ISA570
    ISP Modem in Bridge Mode
    So let us call my location right now as site 2. Although the network setup does not matter, let me just state it.
    192.168.101.XXX
    255.255.255.0
    192.168.101.254 (GW)
    Cisco RV042
    ISP Modem in Bridge Mode
    L2TP Client Network Pool:
    192.168.103.100 - 192.168.100.200
    255.255.255.0
    DNS1 192.168.100.254
    =======================================================================================
    So here comes the situation
    Client 1 with IP address of 192.168.101.24 connects to Site 1 via L2TP. He uses this VPN Tunnel for a desktop application which is hosted at site 1.
    Client 2 with IP address of 192.168.101.17 connects to Site 1 via L2TP but is unsuccessful. Screen1.jpg below shows the Windows VPN Error.
    Screen1.jpg
    I can not post my configs as of now because the WAN1 of site 1 is very congested. For now I will post the guides which I followed.
    http://www.cisco.com/en/US/docs/security/small_business_security/isa500/administration/guide/ISA500_VPN.html#wp1393916
    http://www.cisco.com/en/US/docs/security/small_business_security/isa500/administration/guide/ISA500_VPN.html#wp1479596
    What am I missing here?

    Hi Dan,
    The site-to-site VPN tunnel should still work with those settings.  For the IPSec VPN Client, we have the Cisco VPN Client that should work.  There should be a copy of it on the CD that came with the ISA500. 
    Here is a link that has information on setting up the Remote Access VPN on the ISA500:
    http://www.cisco.com/en/US/docs/security/small_business_security/isa500/technical_reference/vpn/Configuring_VPN_with_Cisco_ISA500_Series_Security_Appliances.pdf
    The section 'Configuration Examples of EzVPN, SSLVPN and Site-to-Site Between Cisco ISA500 Appliances' has an example at the beginning.
    Let me know if that helps.
    Thanks,
    Brandon
