
I am trying to set up L2TP/IPSec on our ASA5520 to support a fringe case for one of our developers. The Windows VPN subsystem apparently stores the Kerberos or NTLM cookie for the login when you use the built-in VPN subsystem, and the Cisco VPN client and AnyConnect client do not do this.

When I try to connect to the VPN via Windows 7, the connection fails:


%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713119: Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
%ASA-3-713122: IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
%ASA-5-713257: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
%ASA-5-713904: Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x749f2490, mess id 0x1)!
%ASA-3-713902: Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
%ASA-5-713259: Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
%ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Specifically, I think this error has relevance:

Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)

The debug from the crypto drivers doesn't appear to be much help; the below is with isakmp level 127 and ipsec level 100:


7|Apr 26 2012|02:10:38|713236|||||IP = 1.2.3.4, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
4|Apr 26 2012|02:10:30|113019|||||Group = DefaultRAGroup, Username = , IP = 1.2.3.4, Session disconnected. Session Type: IKEv1, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Apr 26 2012|02:10:30|713259|||||Group = DefaultRAGroup, IP = 1.2.3.4, Session is being torn down. Reason: Phase 2 Mismatch
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=3a0d0c58) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing IKE delete payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE SA MM:c7159238 rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:30|715065|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0x766c58e8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Apr 26 2012|02:10:30|713902|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM FSM error (P2 struct &0x766c58e8, mess id 0x1)!
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=bf34e4e7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing qm hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ipsec notify payload for msg id 1
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing blank hash payload
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, sending notify message
5|Apr 26 2012|02:10:30|713904|||||Group = DefaultRAGroup, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing IPSec SA payload
7|Apr 26 2012|02:10:30|713066|||||Group = DefaultRAGroup, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: OUTSIDE_DYN_MAP
7|Apr 26 2012|02:10:30|715059|||||Group = DefaultRAGroup, IP = 1.2.3.4, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Apr 26 2012|02:10:30|713224|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map Check by-passed: Crypto map entry incomplete!
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 65499...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 20, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 20...
7|Apr 26 2012|02:10:30|713222|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, map = vpnmap, seq = 10, ACL does not match proxy IDs src:1.2.3.4 dst:64.34.119.71
7|Apr 26 2012|02:10:30|713221|||||Group = DefaultRAGroup, IP = 1.2.3.4, Static Crypto Map check, checking map = vpnmap, seq = 10...
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing NAT-Original-Address payload
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending Phase 1 Rcv Delete message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, L2TP/IPSec session detected.
7|Apr 26 2012|02:10:30|713024|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received local Proxy Host data in ID Payload:  Address 64.34.119.71, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713025|||||Group = DefaultRAGroup, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload:  Address 10.65.3.237, Protocol 17, Port 1701
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (21) + NAT-OA (21) + NONE (0) total length : 324
7|Apr 26 2012|02:10:30|714003|||||IP = 1.2.3.4, IKE Responder starting QM: msg id = 00000001
7|Apr 26 2012|02:10:30|720041|||||(VPN-Secondary) Sending New Phase 1 SA message (type RA, remote addr 1.2.3.4, my cookie C7159238, his cookie E973BA0F) to standby unit
7|Apr 26 2012|02:10:30|715080|||||Group = DefaultRAGroup, IP = 1.2.3.4, Starting P1 rekey timer: 21600 seconds.
3|Apr 26 2012|02:10:30|713122|||||IP = 1.2.3.4, Keep-alives configured on but peer does not support keep-alives (type = None)
7|Apr 26 2012|02:10:30|713121|||||IP = 1.2.3.4, Keep-alive type for this connection: None
5|Apr 26 2012|02:10:30|713119|||||Group = DefaultRAGroup, IP = 1.2.3.4, PHASE 1 COMPLETED
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing dpd vid payload
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing hash payload
7|Apr 26 2012|02:10:30|715046|||||Group = DefaultRAGroup, IP = 1.2.3.4, constructing ID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
6|Apr 26 2012|02:10:30|713172|||||Group = DefaultRAGroup, IP = 1.2.3.4, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
7|Apr 26 2012|02:10:30|715076|||||Group = DefaultRAGroup, IP = 1.2.3.4, Computing hash for ISAKMP
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing hash payload
7|Apr 26 2012|02:10:30|714011|||||Group = DefaultRAGroup, IP = 1.2.3.4, ID_IPV4_ADDR ID received
7|Apr 26 2012|02:10:30|715047|||||Group = DefaultRAGroup, IP = 1.2.3.4, processing ID payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
7|Apr 26 2012|02:10:30|713906|||||Group = DefaultRAGroup, IP = 1.2.3.4, Generating keys for Responder...
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Connection landed on tunnel_group DefaultRAGroup
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing VID payload
7|Apr 26 2012|02:10:30|715038|||||IP = 1.2.3.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Apr 26 2012|02:10:30|715048|||||IP = 1.2.3.4, Send IOS VID
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing xauth V6 VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Cisco Unity VID payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing nonce payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ke payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, computing NAT Discovery hash
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing NAT-Discovery payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing nonce payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ISA_KE payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing ke payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 260
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing NAT-Traversal VID ver RFC payload
7|Apr 26 2012|02:10:30|715046|||||IP = 1.2.3.4, constructing ISAKMP SA payload
7|Apr 26 2012|02:10:30|715028|||||IP = 1.2.3.4, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing IKE SA payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received Fragmentation VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal ver 02 VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715049|||||IP = 1.2.3.4, Received NAT-Traversal RFC VID
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing VID payload
7|Apr 26 2012|02:10:30|713906|||||IP = 1.2.3.4, Oakley proposal is acceptable
7|Apr 26 2012|02:10:30|715047|||||IP = 1.2.3.4, processing SA payload
7|Apr 26 2012|02:10:30|713236|||||IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
5|Apr 26 2012|02:10:21|111005|||||1.2.3.4 end configuration: OK
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, sending delete/delete with reason message
7|Apr 26 2012|02:10:16|713906|||||IP = 1.2.3.4, IKE SA MM:b1f927e6 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
7|Apr 26 2012|02:10:16|715065|||||IP = 1.2.3.4, IKE MM Responder FSM error history (struct &0x76bd68f8)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
5|Apr 26 2012|02:10:16|111010|||||User 'pgrace', running 'CLI' from IP 1.2.3.4, executed 'logging asdm debugging'

Here's my config:


ny-asa01# sh run crypto
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
crypto dynamic-map L2TP_MAP 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto map vpnmap 10 match address A_to_B_vpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 9.8.7.6
crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 20 match address B_TO_C_vpn
crypto map vpnmap 20 set pfs
crypto map vpnmap 20 set peer 5.4.3.2
crypto map vpnmap 20 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 300
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group DefaultRAGroup general-attributes
 address-pool stackvpn_pool
 authentication-server-group RADIUS_SERVER
 accounting-server-group RADIUS_SERVER
 default-group-policy stackvpn_l2tp
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap

group-policy stackvpn_l2tp internal
group-policy stackvpn_l2tp attributes
 dns-server value 5.6.7.8 9.10.11.12
 vpn-tunnel-protocol l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT_TUNNEL
 address-pools value stackvpn_pool

Obviously, a phase 2 mismatch would usually be resolved by changing proposals, but unfortunately it appears that Windows 7 doesn't let you muck with the proposal settings at all. There's no way to turn on NAT-T explicitly in the Win7 config.

So, my question is thus: Is my configuration screwy? Does anyone have L2TP working properly with Windows 7 on an ASA with 8.4 loaded?

Peter Grace
    Phase 1 fails because you have not configured the client to use Group 2 Diffie-Hellman. And yet the server requires it. – topdog Feb 08 '15 at 13:22

2 Answers


I have IPSEC working in "lan-to-lan" mode between Windows 7 and an ASA with 8.3(2)13 (FIPS certified).

I'm quite sure you are correct regarding the error - if it can't negotiate an SA you are hosed.

I would try getting rid of "NAT Traversal". Of course, you might be stuck with trying to go over NAT, in which case it may be required. But that sure looks like the cause of your problem.

I guess your other option is to figure out how to get Windows 7 to do the nat-traversal SA type. You might try poking around with netsh advfirewall consec on Windows.

Here's a reference for it I had bookmarked: http://technet.microsoft.com/en-us/library/dd736198(v=ws.10).aspx

One note - Windows documentation talks a LOT about how important it is to regularly re-key the connection. However, if you re-key too frequently, the ASA takes a dump and drops the connection. Make sure you don't re-key more often than every 2 minutes. Using MS's recommended # of bytes value for the rekey made it go below 2 minutes.

When we opened a support case, M$ couldn't really give any real reason for their recommendation. They sent us a big fat bill though.

Dan Pritts

For anyone coming here:

Cisco troubleshooting: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution14

If static and dynamic peers are configured on the same crypto map, the order of the crypto map entries is very important. The sequence number of the dynamic crypto map entry must be higher than all of the other static crypto map entries.

Gerrit
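The Python script below is an added example (mine, not code from the question, from either answer, or from Cisco) that turns the question's `show run crypto` output and the crypto-map ordering rule Gerrit quotes into a mechanical check. `CONFIG` and `LOG` are trimmed copies of what the question shows; the parsing rules, the finding codes and the assumption that the pasted text is ASA 8.4 syntax are mine. The checks encode the standard L2TP/IPsec requirements on an ASA: the Windows client proposes ESP in transport mode (the log's "Rcv'd: UDP Transport"), so a dynamic-map entry that is actually bound to the interface crypto map must reference a `mode transport` transform set, it must not carry `nat-t-disable` when the peer is behind NAT, and the dynamic entry must be numbered above every static entry. Run against the posted config it flags OUTSIDE_DYN_MAP 10 (tunnel-mode transform set only, consistent with the log's "Cfg'd: UDP Tunnel(NAT-T)"), OUTSIDE_DYN_MAP 20 (`nat-t-disable` while the log says the remote end is behind NAT) and L2TP_MAP (never bound to vpnmap), and reports no ordering problem because 65500 is above the static entries 10 and 20.

```python
"""Audit an ASA L2TP/IPsec crypto config against its IKEv1 syslog (added example).

Assumes ASA 8.4 'show run crypto' syntax as pasted in the question. The checks
encode the L2TP/IPsec requirements: a dynamic-map entry bound to the interface
crypto map must reference a 'mode transport' transform set, must not carry
nat-t-disable for a NATed peer, and must be numbered above every static entry.
"""
import re
from collections import defaultdict

# Trimmed copy of the question's config (constructed sample input for this example).
CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 20 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map OUTSIDE_DYN_MAP 20 set nat-t-disable
crypto dynamic-map L2TP_MAP 10 set ikev1 transform-set TRANS_ESP_3DES_MD5
crypto map vpnmap 10 match address A_to_B_vpn
crypto map vpnmap 20 match address B_TO_C_vpn
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
"""
# Two syslog lines from the question (constructed sample input); only Phase 2 is kept.
LOG = """\
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: UDP Tunnel(NAT-T)
"""

TS_RE = re.compile(r"crypto ipsec ikev1 transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"crypto dynamic-map (\S+) (\d+) set (.+)$")
BIND_RE = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
STATIC_RE = re.compile(r"crypto map (\S+) (\d+) (?:match address|set peer) \S+$")
MISMATCH_RE = re.compile(r"Phase (\d) failure:\s+Mismatched attribute types for class "
                         r"([^:]+):\s+Rcv'd: (.+?)\s+Cfg'd: (.+?)\s*$")


def parse_crypto_config(text):
    """Collect transform-set modes, dynamic-map entries, static seqs and dynamic bindings."""
    cfg = {"ts_mode": {}, "dynamic": defaultdict(dict),
           "static": defaultdict(set), "bound": defaultdict(dict)}
    for line in (ln.strip() for ln in text.splitlines()):
        if m := TS_RE.match(line):
            name, rest = m.groups()
            if rest.startswith("mode "):          # 'mode transport' is its own config line
                cfg["ts_mode"][name] = rest.split()[1]
            else:                                 # ASA default when no mode line: tunnel
                cfg["ts_mode"].setdefault(name, "tunnel")
        elif m := DYN_RE.match(line):
            name, seq, setting = m.groups()
            entry = cfg["dynamic"][name].setdefault(
                int(seq), {"transform_sets": [], "nat_t_disable": False})
            if setting.startswith("ikev1 transform-set "):
                entry["transform_sets"].extend(setting.split()[2:])
            elif setting == "nat-t-disable":
                entry["nat_t_disable"] = True
        elif m := BIND_RE.match(line):
            cmap, seq, dname = m.groups()
            cfg["bound"][cmap][int(seq)] = dname
        elif m := STATIC_RE.match(line):
            cfg["static"][m.group(1)].add(int(m.group(2)))
    return cfg


def audit_l2tp(cfg):
    """Return (dyn_map, seq, code, message) tuples; an empty list means nothing flagged."""
    findings = []
    bound_names = {d for seqs in cfg["bound"].values() for d in seqs.values()}
    for dname, entries in cfg["dynamic"].items():
        if dname not in bound_names:
            findings.append((dname, None, "unbound", "not referenced by any crypto map, so never evaluated"))
            continue
        for seq, e in sorted(entries.items()):
            modes = {cfg["ts_mode"].get(ts, "tunnel") for ts in e["transform_sets"]}
            if "transport" not in modes:
                findings.append((dname, seq, "tunnel-only", "only tunnel-mode transform sets; L2TP/IPsec needs mode transport"))
            elif e["nat_t_disable"]:
                findings.append((dname, seq, "nat-t-disabled", "transport mode, but a NATed peer's UDP-encapsulated proposal cannot match"))
    for cmap, seqs in cfg["bound"].items():
        highest_static = max(cfg["static"].get(cmap) or {0})
        for seq, dname in seqs.items():
            if seq <= highest_static:
                findings.append((dname, seq, "seq-below-static", f"dynamic entry {seq} in {cmap} must be above every static entry"))
    return findings


def phase2_mismatches(log_text):
    """Extract (attribute class, received, configured) from Phase 2 713257 messages."""
    out = []
    for line in log_text.splitlines():
        if (m := MISMATCH_RE.search(line)) and m.group(1) == "2":
            out.append(tuple(g.strip() for g in m.group(2, 3, 4)))
    return out


if __name__ == "__main__":
    for cls, rcvd, cfgd in phase2_mismatches(LOG):
        print(f"Phase 2 mismatch on {cls}: peer proposed '{rcvd}', ASA offered '{cfgd}'")
    for dname, seq, code, msg in audit_l2tp(parse_crypto_config(CONFIG)):
        print(f"[{code}] {dname}{'' if seq is None else ' ' + str(seq)}: {msg}")
```

The three checks are heuristics over the running config, not a model of the ASA's full proposal-matching logic; they are meant to point at the dynamic-map entry worth fixing before you turn on `debug crypto isakmp`, and they say nothing about the Phase 1 "Group Description" noise, which is a separate negotiation step.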