RVS4000 L2TP IPSec

Trying to establish a L2TP IPSec VPN tunnels between remote Windows XP and Windows 2003 RRAS server customer.

XP remote client and the RRAS W2003 server are behind routers RVS4000.

Have established that the RRAS W2003 server will accept connections L2TP IPSec clients behind the router Cisco RVS4000 [LAN clients].

Could not establish remote through the RVS4000 router L2TP IPSec connections. Have established that PPTP VPN RVS4000 router. Both routers are running the version 1.3.0.5

Both routers 4000 RVs are configured for PPTP, IPSec, and L2TP VPN passthrough with the port UDP 1701 transferred to the RRAS server by the

RVS router 4000. VPN PPTP connections have no problems.

Error code is 792

The problem seems to be with IPSec passthrough. The port UDP 1701 is sent to the RRAS server. Unable to create port rules for IKE 500 or IP protocol 50/4500 on the RVS4000 because these policies collide with transmission UDP1701.

No indication about why the IPSec fails with the RVS4000 for remote access clients, but IPSec has managed to connect to the RRAS server using LAN clients.

1. never transfer the port UDP 1701. The port UDP 1701 is used for L2TP. However, L2TP is supposed to be in the tunnel within an IPSec tunnel. Exposing a L2TP server directly to the internet can be a security risk. Don't, don't.

2. what you must have to pass, this is port UDP 500 for IKE (establishing the IPSec connection) and possibly port TCP/UDP 4500 for NAT traversal for IPSec. There should be no conflict. If there is, I guess it's because the RVS4000 has its own implementation of IPSec.

3 LAN works because there's NAT involved and therefore there is no need of NAT traversal, port forwarding or something similar.

Tags: Cisco Support

Similar Questions

AC100 - no VPN L2TP/IPSec PSK available

Android 2.2 (Froyo) devices show for VPN connections the following possibilities: PPTP, L2TP, PSK L2TP/IPSec and L2TP/IPSec CRT (checked on several brands of smartphones).

The AC100 appears only from any PPTP and L2TP, so not L2TP/IPSec.

No idea why they are missing, and how to fix this?

Need for L2TP/IPSec to a VPN with a Sonicwall 3060/Pro.

Here is a description how to connect: [https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=8658]

Hello

AFAIK the L2TP/IPSec is only available for android devices routed.

So maybe it's the reason why the L2TP/IPSec in unavailable for AC100.

I found here a beautiful Android L2TP/IPSec VPN HowTo
http://blogs.nopcode.org/brainstorm/2010/08/22/Android-l2tpipsec-VPN-mini-HOWTO/

Maybe it might help a bit!

L2TP/IPSec connection failed for Windows 7 Ultimate for Windows Server R2 2012 with error 789.

For this preface, I use the server in a lab environment and trying to set up my own VPN L2TP/IPSec. I opened the UDP 500 and 1701 TCP ports on my router for the interface of the primary server where is the VPN. It is on a Comcast connection consumer where other applications such as Arma 3 servers dedicated and IIS have worked.
The RRAS role to run based on this tutorial: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/ I have only strayed from it using DHCP forwarding instead of a static pool of IP as my router is running a DHCP server, and if I understand correctly, the router must give IP addresses of the internal IP pool which I use for everything else. I also use the PSK authentication rather than be based certificate. For the authentication of users I have MS-CHAP-V2 and CHAP enabled; I connect from the remote device with an account on that I created on the server for the purpose of this VPN I know RRAS connections are allowed.

When the connection I get error 789: L2TP connection attempt failed because the security layer detected a processing error during initial negotiations with the remote computer. From what I've seen, this can be fixed by checking that the two ends of the connection are not behind a NAT (not an option), verification of the PSK (already done) and certificates (not applicable). If there is a way to solve this problem that would be great, but my server will always be behind a NAT firewall because the router is one, and the modem becomes one if several devices are connected to him without a router between the two.

This issue is beyond the scope of this site and must be placed on Technet or MSDN

http://social.technet.Microsoft.com/forums/en-us/home

http://social.msdn.Microsoft.com/forums/en-us/home

Windows Error VPNC3005 "unauthorized tunneling protocol" L2TP/IPSec

I'm trying to implement a vpn L2TP/IPSec to a concentrator 3005. Everything seems to work (phase 1 completed, PHASE2 full, updated tunnel, the session began and the user is authenticated with the RADIUS) but then the tunnel fell with the message "unauthorized tunneling protocol. What causes this message?

At one point the tunnel remained upward and running, but later I tried again and it failed. I don't remember changing anything in the config right.

I read somewhere that I should turn on "L2TP over IPSEC" in the group but this disables the IPSEC option and it seems to me that I need IPSec for Cisco vpn clients that need to connect.

Any suggestions?

Change the base group to allow l2tp/ipsec; Check if l2tp is enabled at the global level.

L2TP/ipsec passthrough firewall of cisco router

Hello! I have the following problem.

External network users wish to connect internal Windows to network and share resources 2012 (start the software, files, etc)

So it's time to deploy a vpn server and as I did not have a free license to run on my windows 2012, I decided to use my qnap for it (because it has this built-in feature) so I chose l2tp/ipsec and tested on the laboratory at home with simple tplink router with upnp function and it worked like a charm.

However, in the real production environment, I need to use the cisco router, and this is how the story begins ;)

Thus, clients with their machines say (7, 8.1, 10) must pass router cisco (with nat) firewall and access a vpn server and the internal network on qnap.

I googled for sample configuration, but most of them related to the configuration of the router as a vpn server, and I want to achieve is to make my pass router vpn traffic. Once I found the same sample of pptp config, I have modified it a bit, but do not know if it works because I have not yet tested.

In any case, could you check my config and see if it's ok? I'm doing a static nat for vpn 192.168.5.253 server to external address?

Also, here is a short pattern

vpn client VPN server (win 7,8,10)---routeur cisco 1921 - qnap)

xxx.194 cloud 5,254 5.253 (internal network)

test #show runn
Building configuration...

Current configuration: 3611 bytes
!
! Last modified at 19:31:01 UTC Wednesday, may 4, 2016 configuration by
!
version 15.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
enable secret $5
!
No aaa new-model
!
!
!
!
!
!
!
!
!
!
!
DHCP excluded-address IP 192.168.5.200 192.168.5.254
DHCP excluded-address IP 192.168.5.1 192.168.5.189
!
pool dhcp IP network
network 192.168.5.0 255.255.255.0
router by default - 192.168.5.254
network domain name
xxx.x.xxx.244 DNS server
!
!
!
IP domain name temp
IP cef
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
CTS verbose logging
!
!
license udi pid CISCO1921/K9 sn xxxxxx
licence start-up module c1900 technology-package securityk9
!
!
username secret abc 5
username privilege 15 7 cisco password
!
redundancy
!
!
!
!
!
property intellectual ssh version 2
!
type of class-card inspect entire game cm_helpdek_protocols
http protocol game
https protocol game
ssh protocol game
type of class-card inspect entire game cm_gre_protocols
Access-group name WILL
type of class-card inspect entire game cm_icmp
group-access icmp name game
type of class-card inspect the correspondence cm_helpdesk
match the name of group-access helpdesk
type of class-card inspect entire game inside_to_outside
h323 Protocol game
match Protocol pptp
ftp protocol game
tcp protocol match
udp Protocol game
match icmp Protocol
!
type of policy-card inspect pm_outside_to_inside
class type inspect cm_gre_protocols
Pass
class type inspect cm_icmp
inspect
class type inspect cm_helpdesk
inspect
class class by default
Drop newspaper
type of policy-card inspect pm_inside_to_outside
class type inspect inside_to_outside
inspect
class type inspect cm_gre_protocols
Pass
class class by default
Drop newspaper
!
area inside security
Description inside the zone of confidence
security of the outside area
Outside the untrusted area description
source of zonep_insiede_to_outside security pair area inside the destination outside
type of service-strategy inspect pm_inside_to_outside
source of zonep_outside_to_inside security zone-pair outside the destination inside
type of service-strategy inspect pm_outside_to_inside
!
!
!
!
!
!
!
!
!
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
Description 'LAN '.
IP 192.168.5.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
security of the inside members area
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
Description "WAN CID: xxxxx".
IP address xxx.xxx.xxx.194 255.255.255.252
NAT outside IP
IP virtual-reassembly in
security of the outside Member area
automatic duplex
automatic speed
!
IP forward-Protocol ND
!
IP http server
local IP http authentication
no ip http secure server
!
IP nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
IP nat inside source list 1 pool overload the network
IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
GRE extended IP access list
Note ACL to allow ACCORD of PPTP OUTBOUND
allow a gre
permit any any eq udp 1701
allow udp any any eq isakmp
permit any any eq non500-isakmp udp
helpdesk extended IP access list
IP enable any host 192.168.5.253
icmp extended IP access list
allow icmp any host 192.168.5.253
!
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
control plan
!
!
!
Line con 0
local connection
line to 0
line 2
no activation-character
No exec
preferred no transport
transport output pad telnet, rlogin xxxxx
StopBits 1
line vty 0 4
local connection
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
end

Kind regards

Andrew

Once the client has been connected to the VPN, you want traffic back to flow to the client. Which can be easily received with "inspect".

And from the point of view of the firewall, you do not have ESP-traffic (which would be the IP/50). You have only UDP traffic (initially UDP/500 which goes into UDP/4500)

And you are right with your last ACE. That of a lot to permissive and not necessary for this function.

Problem setting up vpn l2tp/ipsec

I tried to configure an ASA5505 with a l2tp/ipsec vpn which I can connect to with Windows Vista vpn client. I had connection problems. When I try to connect, watch windows vpn client tell an error message "error 789: the L2TP connection attempt failed because the security layer detected a processing error during initial negotiations with the remote computer." The newspaper on the SAA is errors saying "Phase 1 failure: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg was: Group 2.

It seems that the ASA does not like windows vpn client IKE proposal but I do not know if I interpret correctly this error message.

I was wondering if anyone has seen this problem or have had success with this type of installation. I have the setup of device OK so that I can connect with the Cisco VPN client, but get l2tp/ipsec Setup to work with the windows vpn client turns out to be problematic.

Can you post the Config of your ASA. Did you check the following link:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807213a7.shtml

Chrombook L2TP/IPSec for ASA 5510

Hello

I have trouble getting a chromebook to establish a remote access connection VPN using L2TP/IPsec for a Cisco ASA 5510 12 7.2 (5) running.

Run a debug crypto isakmp 5 I see the following logs (ip changed...)

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, previously allocated memory of liberation for permission-dn-attributes

06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID remote Proxy Host: address 3.3.3.3, 17 of the Protocol, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID local Proxy Host: address 2.2.2.2, 17 of the Protocol, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, detected L2TP/IPSec session.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed its not found old addr

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto, check card = outside_map, seq = 1...

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto Card = outside_map, seq = 1, ACL does not proxy IDs src:1.1.1.1 dst: 2.2.2.2

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, remote peer IKE configured crypto card: outside_dyn_map0

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, ITS processing IPSec payload

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, proposals of any IPSec security association has deemed unacceptable.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, error QM WSF (P2 struct & 0x3d48800, mess id 0xce12c3dc).

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, history of mistake IKE responder QM WSF (struct & 0x3d48800) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, removing counterpart table correlator failed, no match!

1.1.1.1 = address remote chromebook NAT

2.2.2.2 = ASA 5510 acting as distance termintaion access point

3.3.3.3 = Chromebook private address

I noticed that the Chromebook is appearing as the ID of the remote proxy but later, he seeks the applied to the Chromebook NAT address. Not sure if this is the cause or how to solve this problem, if it is.

Can someone advise please

Thank you

Ryan

7.2 is old code. You can re - test with 9.0.x or 9.1.x.

https://support.Google.com/Chromebook/answer/1282338?hl=en

Windows L2TP/IPSec to ASA

Hello

I configured on ASA windows L2TP/Ipsec connections. Phase 1 and 2 are successful, the tunnel is created but immediately after this deletet. Tested from windows XP and windows 7. I use DefaultRAGroup for that (can not use any group which is by default not - limitation of windows). Here is my config:

attributes of Group Policy DfltGrpPolicy
value of 10.1.1.1 WINS server
value of server DNS 10.1.1.1
VPN-idle-timeout 300
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
the authentication of the user activation
allow to NEM
NAC-parameters DfltGrpPolicy-NAC-framework-create value
WebVPN
SVC keepalive no
client of dpd-interval SVC no
dpd-interval SVC bridge no
value of customization DfltCustomization

attributes global-tunnel-group DefaultRAGroup
asa-admins address pool
authentication-server-group CSACS
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
Disable ISAKMP keepalive
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication

Crypto-map dynamic outside_dyn_map 10 the value transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 MD5-ESP-3DES ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside

And here are some logs:

17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA proposal # 1, turn # 1 entry overall SA IPSec acceptable matches # 10

17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-710005: UDP request and eliminated from 193.193.193.193/4204 outside: outside-interface/4500
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-6-602303: IPSEC: outgoing remote access to ITS (SPI = 0xAEA59455) between the outside of the interface and 193.193.193.193 (user = DefaultRAGroup) was created.
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a msg KEY_ADD for SA: SPI = 0xaea59455
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-6-602303: IPSEC: incoming remote access to ITS (SPI = 0x9D3B8BDE) between the outside of the interface and 193.193.193.193 (user = DefaultRAGroup) was created.
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, pitcher: received KEY_UPDATE, spi 0x9d3b8bde
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, timer to generate a new key to start P2: 3060 seconds.
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % 713120-5-ASA: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid = 00000001)
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193>mask <0xFFFFFFFF>port<4204>
17 February 13:27:08 vpnasa1 February 17, 2010 13:27:08 vpnasa1: % ASA-7-710005: UDP request and eliminated from 193.193.193.193/4204 outside: outside-interface/1701
17 February 13:27:08 vpnasa1 February 17, 2010 13:27:08 vpnasa1: % ASA-6-302016: connection UDP disassembly 56281479 for outside:193.193.193.193/4204 of identity: outside-interface/1701 duration 0:01:07 431 bytes
17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-302015: built connection UDP incoming 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to the identity: outside-interface/1701 (outside-interface/1701)
17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-603106: L2TP Tunnel created, tunnel_id 50, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id 1, client_dynamic_ip is 0.0.0.0 username is user1
17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50 remote_peer_ip = 193.193.193.193

17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-4-113019: Group = DefaultRAGroup, username =, IP = 193.193.193.193, disconnected Session. Session type: IPsecOverNatT, duration: 0 h: 00 m: 03 s, xmt bytes: 795 bytes RRs: 1204, reason: L2TP initiated

What's wrong?

Thanx

Please go ahead and activate the following command:

ISAKMP nat-traversal crypto

Try again.

Microsoft l2tp IPSec VPN site to site ASA on top

I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.

In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero

Hello

Yes, the L2TP can be encapsulated in IPSEC as all other traffic.

However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.

See you soon,.

Daniel

L2TP/IPSec and VRRP on Cisco VPN3000

Hello. I don't know if this is the right forum, please excuse me if this is not (of course a pointer to the right we'd appreciate it :)

I'm experimenting with the implementation of VPN 3000 Concentrator series VRRP, and it seems that when the unit of "backup" takes over, no L2TP/IPsec tunnel can be established more.

When the switch takes place, the backup device takes over VRRP group IP addresses, which are the IP address of the master own as well on VPN 3000. Thus, the backup unit manages two different IP addresses, its own ad group.

Well, what I observed using a sniffer is that while the IKE/IPSec packets come well to the group address, L2TP packets are by IP address of the backup device physical and clear instead of be encapsulated in IPSec travel packages. The client computer (PC Windows 2000) clearly ignores the L2TP packets and no L2TP/Ipsec tunnel can be established. PPTP tunnels work, however.

The foregoing does not occur when the VPN 3000 master works, like the VRRP group addresses are the same as its own interface addresses.

Now, VPN 3000 documentation or TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they do not mention compatibility as well (although they do mention the VRRP Protocol PPTP compatibility).

Did someone better informed than me? Is there a technical reason for the incompatibility between L2TP with VRRP, or it's a bug any?

Thank you

Roberto Patriarca

This has proved quite recently and a high severity bug has been open about it and is currently under review.

See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for more details.

Nice work well in the survey.

L2TP/IPSEC: IOS <>- Android

Hello

is there a working solution L2TP/IPSEC VPN between Cisco IOS and Android 2.1?

I'm trying to get my mobile online, but the connection is complete after 10 sek.

Any tips?

Harald

My IOS config:

VPDN enable
!
VPDN-group l2tpvpn
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnel
!

username privilege 15 secret password user

door-key crypto l2tpvpn
pre-shared key address 0.0.0.0 0.0.0.0 test key
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600

test key crypto isakmp 0.0.0.0 address 0.0.0.0

Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP-TS
!
Dynvpn crypto dynamic-map 1
Set nat demux
game of transformation-L2TP-TS

map CRYPTOMAP 20-isakmp ipsec crypto dynamic dynvpn

interface virtual-Template1
IP unnumbered Ethernet0
the peer default VPN ip address pool
KeepAlive 5
PPP authentication ms-chap-v2

interface BVI1
IP address 212.xxx.xxx.xxx 255.255.255.0
NAT outside IP
IP virtual-reassembly
by default auto-configured IPv6 address
enable IPv6
card crypto CRYPTOMAP
!
local pool IP VPN 172.17.0.1 172.17.0.10

Some debugs:

IOS #.
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.804 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.804 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.808 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.808 it IS: ISAKMP:(0:13:HW:2): politics of ITS phase 2 is not acceptable! (local 212.xxx.xxx.xxx remote 80.xxx.xxx.xxx)
Jul 2 16:00:01.816 it IS: ISAKMP: (0:13:HW:2): node-1463956874 error suppression REAL reason "QM rejected."
Jul 2 16:00:01.816 it IS: ISAKMP (0:268435469): unknown entry IKE_MESG_FROM_PEER, IKE_QM_EXCH: node-1463956874: State = IKE_QM_R EADY
Jul 2 16:00:01.820 it IS: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 80.xxx.xxx.xxx

IOS #.
Jul 2 16:00:32.695 it IS: L2X: Parse AVP flag 0, len 8, 0 x 8000 (M)
16:00:32.695 2 Jul CEST: L2X: Parse SCCRQ
Jul 2 16:00:32.695 it IS: L2X: Parse AVP 2 flag, len 8, 0 x 8000 (M)
16:00:32.699 2 Jul CEST: L2X: Protocol Version 1
Jul 2 16:00:32.699 it IS: L2X: Parse AVP 7, len 15, flag 0 x 8000 (M)
Jul 2 16:00:32.699 it IS: L2X: anonymous host name
Jul 2 16:00:32.699 it IS: L2X: Parse AVP 3, len 10, flag 0 x 8000 (M)
16:00:32.699 2 Jul CEST: L2X: framing course 0 x 3
Jul 2 16:00:32.703 it IS: L2X: Parse AVP 9 flag, len 8, 0 x 8000 (M)
16:00:32.703 2 Jul CEST: L2X: Tunnel ID 3545 assigned
Jul 2 16:00:32.703 it IS: L2X: Parse AVP 10 flag, len 8, 0 x 8000 (M)
16:00:32.703 2 Jul CEST: L2X: Rx 1 window size
Jul 2 16:00:32.703 it IS: L2X: no missing AVPs in SCCRQ
Jul 2 16:00:32.703 it IS: L2X: I SCCRQ, flg TLS, worm 2, len 69, NL 0 ns 0, nr 0
contiguous Pak, size 69
C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
00 00 00 01 80 08 00 00 00 02 01 00 80 00 00 0F
00-07-61 6TH 6TH 6F 6F 79 6 75 73 80 0 A 00 00 00
03 00 00 00 03 80 08 00 00 00 09 0D 80 08 00 D9
00 00 0 A 00 01
Jul 2 16:00:32.707 it IS: L2TP: I LNP SCCRQ anonymous 3545
Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: authorization of Tunnel began to host anonymous
Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: new tunnel created for remote anonymous, address 80.xxx.xxx.xxx
Jul 2 16:00:32.715 it IS: L2X: response to author Tunnel L2X info not found
Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: O SCCRP anonymous 3545 tnlid
Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:32.715 2 Jul CEST: LNP 55994 L2TP: Parse SCCRP
Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 2, len 8, flag 0 x 8000 (M)
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Protocol Version 1
Jul 2 16:00:32.719 it IS: L2TP 55994 LNP: Parse AVP 6 flag, len 8, 0 x 0
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Firmware Ver 0 x 1120
Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 7, len 9, flag 0 x 8000 (M)
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Hostname IOS
Jul 2 16:00:32.723 it IS: L2TP 55994 LNP: flag of Parse AVP 8, len 25, 0 x 0
16:00:32.723 2 Jul CEST: LNP 55994 L2TP: name provider Cisco Systems, Inc.
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 10, len 8, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: Rx 300 window size
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 9, len 8, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: assigned Tunnel ID 55994
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 3, len 10, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: framing course 0 x 0
Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: Parse AVP 4, len 10, flag 0 x 8000 (M)
16:00:32.731 2 Jul CEST: LNP 55994 L2TP: bearer Cap 0 x 0
Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: O SCCRP, flg TLS, worm 2, len 106, LNP 3545, ns 0 nr 1
C8 02 00 6A 00 00 00 00 00 01 80 08 00 00 D9 0D
00 00 00 02 80 08 00 00 00 02 01 00 00 08 00 00
00 06 11 20 80 09 00 00 00 07 49 53 00 19 00 4F
00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6 D 73
2 20 49 6 2 63 80...
Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: Tunnel of status change from idle to wait-ctl-reply
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:32.887 2 Jul CEST: LNP 55994 L2TP: Parse SCCCN
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: no missing AVPs in SCCCN
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: I SCCCN, flg TLS, worm 2, len 20, LNP 55994 ns 1, n ° 1
contiguous Pak, size 20
C8 02 00 14 DA 00 00 00 01 00 01 80 08 00 00 BA
00 00 00 03
Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, ns 1, n ° 2
C8 02 00 00 00 00 01 00 02 D9 0D 0C
Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: I LNP SCCCN anonymous 3545
Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: Tunnel of change of State of wait-ctl-reply to set up
Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: SM established State
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: Parse ICRQ
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 14, len 8, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: assigned Call ID 43765
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 15, len 10, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: serial number 1986235932
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: no missing AVPs in ICRQ
Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I ICRQ, flg TLS, worm 2, len 38, LNP 55994 ns 2, n ° 1
contiguous Pak, size 38
C8 02 00 26 DA 00 00 00 02 00 01 80 08 00 00 BA
00 00 00 0 A 80 08 00 00 00 0E AA 80 0 A 00 00 F5
0F 00 76 63 8F 1 C
Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I LNP ICRQ anonymous 3545
Jul 2 16:00:33.099 it IS: nl/Sn 55994/18 L2TP: change of State of Session idle for wait-connect
Jul 2 16:00:33.099 it IS: L2TP 55994/18 LNP/Sn: accepted ICRQ, new session created
Jul 2 16:00:33.099 THATS: uid:25 LNP/Sn 55994/18 L2TP: O ICRP to anonymous 3545/43765
Jul 2 16:00:33.099 THATS: uid:25 LNP/Sn 55994/18 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse IPRC
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 14, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: call ID assigned 18
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: O IPRC, flg TLS, len 28, LNP 3545, lsid 18, rsid 43765, worm 2, ns 1, no. 3
C8 02 00 1 C F5 00 01 00 03 80 08 00 00 AA D9 0D
00 00 00 0 B 80 08 00 00 00 0E 00 12
Jul 2 16:00:33.107 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse ICCN
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 24, len 10, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: connect speed 100000000
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 19, len 10, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: framing Type 3
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: no missing AVPs to ICCN
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: I ICCN, flg TLS, worm 2, len 40, LNP 55994, 18, rsid 43765 lsid, ns 3, n ° 2
contiguous Pak, size 40
C8 02 00 28 DA 00 12 00 03 00 02 80 08 00 00 BA
00 00 00 0 C 80 0 A 00 00 00 18 05 F5 E1 00 0 A 80
00 00 00 13 00 00 00 03
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, 18, rsid 43765 lsid, ns 2, nr 4
C8 02 00 00 00 00 02 00 04 D9 0D 0C
Jul 2 16:00:33.267 THATS: uid:25 LNP/Sn 55994/18 L2TP: I have anonymous LNP 3545 ICCN, cl 43765
Jul 2 16:00:33.267 THATS: uid:25 LNP/Sn 55994/18 L2TP: change of State of waiting Session - connect to wait-for-service-selection-iccn
Jul 2 16:00:33.275 THATS: uid:25 LNP/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul 2 16:00:33.275 THATS: uid:25 LNP/Sn 55994/18 L2TP: sending send 0xFFFFFFFF ACCM and receive ACCM 0xFFFFFFFF
Jul 2 16:00:33.275 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:33.275 2 Jul CEST: LNP 55994 L2TP: Parse SLI
Jul 2 16:00:33.275 it IS: LNP 55994 L2TP: Parse AVP 35, len 16, flag 0 x 8000 (M)
Jul 2 16:00:33.279 it IS: LNP 55994 L2TP: O SLI, flg TLS, worm 2, len 36, LNP 3545, ns 2 nr 4
C8 02 00 24 AA D9 00 02 00 04 80 08 00 00 0D F5
00 00 00 10 80 10 00 00 00 23 00 00 FF FF FF FF
FF FF FF FF
Jul 2 16:00:33.279 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:33.283 THATS: ppp25 PPP: send a Message [dynamic Bind response]
Jul 2 16:00:33.283 THATS: ppp25 PPP: via vpn, set the direction of the call
Jul 2 16:00:33.283 THATS: ppp25 PPP: treatment of connection as a callin
Jul 2 16:00:33.283 THATS: ppp25 PPP: id of Session Session handle [A300003D] [25]
Jul 2 16:00:33.283 THATS: ppp25 PPP: Phase is ESTABLISHING, Passive open
Jul 2 EST 16:00:33.283: ppp25 TPIF: State is listening
Jul 2 EST 16:00:33.475: ppp25 TPIF: I CONFREQ [listen] id 1 len 24
Jul 2 EST 16:00:33.475: ppp25 TPIF: MRU 1400 (0 x 01040578)
Jul 2 EST 16:00:33.479: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.479: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.479: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.479: ppp25 TPIF: RAC (0 x 0802)
Jul 2 16:00:33.479 THATS: ppp25 PPP: required authorization
Jul 2 EST 16:00:33.479: ppp25 TPIF: O CONFREQ [listen] id 1 len 25
Jul 2 EST 16:00:33.483: ppp25 TPIF: ACCM 0x000A0000 (0x0206000A0000)
Jul 2 EST 16:00:33.483: ppp25 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
Jul 2 EST 16:00:33.483: ppp25 TPIF: MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul 2 EST 16:00:33.483: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.483: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.483: ppp25 TPIF: O CONFNAK [listen] id 1 len 8
Jul 2 EST 16:00:33.487: ppp25 TPIF: MRU 1500 (0x010405DC)
Jul 2 EST 16:00:33.635: ppp25 TPIF: I CONFACK [REQsent] id 1 len 25
Jul 2 EST 16:00:33.635: ppp25 TPIF: ACCM 0x000A0000 (0x0206000A0000)
Jul 2 EST 16:00:33.639: ppp25 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
Jul 2 EST 16:00:33.639: ppp25 TPIF: MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul 2 EST 16:00:33.639: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.639: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.647: ppp25 TPIF: I CONFREQ [ACKrcvd] id 2 len 20
Jul 2 EST 16:00:33.647: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.647: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.647: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.647: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.651: ppp25 TPIF: O CONFACK [ACKrcvd] id 2 len 20
Jul 2 EST 16:00:33.651: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.651: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.651: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.651: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.651: ppp25 TPIF: State is open
Jul 2 16:00:33.655 THATS: uid:25 LNP/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul 2 16:00:33.655 THATS: uid:25 LNP/Sn 55994/18 L2TP: sending sending ACCM 0x00000000 and receive ACCM 0x000A0000
Jul 2 16:00:33.655 THATS: ppp25 PPP: Phase is AUTHENTICATING,
Jul 2 16:00:33.659 THATS: ppp25 MS-CHAP-V2: O CHALLENGE id 1 len 24 'IOS '.
Jul 2 16:00:33.847 THATS: ppp25 MS-CHAP-V2: I ANSWER id 1 len 59 of 'user '.
Jul 2 16:00:33.847 THATS: ppp25 PPP: Phase TRANSFER, tempting with impatience
Jul 2 16:00:33.851 THATS: ppp25 PPP: Phase is AUTHENTICATING, unauthenticated user
Jul 2 16:00:33.851 THATS: ppp25 PPP: request sent MSCHAP_V2 LOGIN
Jul 2 16:00:33.891 THATS: ppp25 PPP: received LOGIN response PASS
Jul 2 16:00:33.891 THATS: ppp25 PPP: Phase TRANSFER, tempting with impatience
Jul 2 16:00:33.891 THATS: ppp25 PPP: send a Message [Local connection]
Jul 2 16:00:33.899 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: virtual interface created for the unknown, bandwidth 100000 Kbps
Jul 2 16:00:33.899 THATS: ppp25 PPP: link [Virtual - Access3.1]
2 Jul EST 16:00:33.903: Vi3.1 PPP: Send Message [static response Bind]
Jul 2 16:00:33.903 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: change of State of Session waiting-for-service-selection-iccn Workbench
Jul 2 16:00:33.903 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: VPDN session upwards
Jul 2 16:00:33.907 THATS: Vi3.1 PPP: Phase is AUTHENTICATING, authenticated user
2 Jul EST 16:00:33.911: Vi3.1 PPP: LCP AUTHOR asked
2 Jul EST 16:00:33.911: Vi3.1 PPP: sent CPIW AUTHOR request
2 Jul EST 16:00:33.911: Vi3.1 TPIF: received AAA AUTHOR response PASS
2 Jul EST 16:00:33.915: Vi3.1 IPCP: received AAA AUTHOR response PASS
Jul 2 16:00:33.915 THATS: Vi3.1 MS-CHAP-V2: SUCCESS O id 1 len 46 msg is "S = D216E8EA91BF8126B5CF3D0CAA7AFF2B580216AA".
Jul 2 16:00:33.919 THATS: Vi3.1 PPP: Phase is in PLACE
Jul 2 16:00:33.919 THATS: Vi3.1 CPIW: O CONFREQ [Closed] id 1 len 10
2 Jul EST 16:00:33.919: Vi3.1 CPIW: address 192.168.0.254 (0x0306AC1000FE)
Jul 2 16:00:33.919 THATS: Vi3.1 PPP: process pending ncp packets
Jul 2 16:00:34.067 THATS: Vi3.1 CCP: I CONFREQ [not negotiated] id 1 len 15
2 Jul EST 16:00:34.067: Vi3.1 CCP: deflate 0 x 7800 (0x1A047800)
2 Jul EST 16:00:34.067: Vi3.1 CCP: MVRMA 0 x 7800 (0 x 18047800)
2 Jul EST 16:00:34.067: Vi3.1 CCP: BSDLZW 47 (0x15032F)
Jul 2 EST 16:00:34.071: Vi3.1 TPIF: Protocol of 21 O PROTREJ [open] id len 2 CCP
2 Jul EST 16:00:34.071: Vi3.1 TPIF: (0x80FD0101000F1A047800180478001503)
2 Jul EST 16:00:34.071: Vi3.1 TPIF: (0x2F)
Jul 2 16:00:34.071 THATS: Vi3.1 CPIW: I CONFREQ [REQsent] id 1 len 28
Jul 2 16:00:34.071 THATS: Vi3.1 CPIW: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
2 Jul EST 16:00:34.075: Vi3.1 CPIW: address 0.0.0.0 (0 x 030600000000)
2 Jul EST 16:00:34.075: Vi3.1 IPCP: PrimaryDNS 0.0.0.0 (0 x 810600000000)
2 Jul EST 16:00:34.075: Vi3.1 CPIW: SecondaryDNS 0.0.0.0 (0 x 830600000000)
2 Jul EST 16:00:34.075: Vi3.1 AAA/AUTHOR/CPIW: start. We want his address 0.0.0.0 0.0.0.0
2 Jul EST 16:00:34.075: Vi3.1 AAA/AUTHOR/CPIW: fact. We want his address 0.0.0.0 0.0.0.0
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: pool returned 172.17.0.1
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: O CONFREJ [REQsent] id 1 len 10
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: I CONFACK [REQsent] id 1 len 10
2 Jul EST 16:00:34.079: Vi3.1 CPIW: address 172.16.0.254 (0x0306AC1000FE)
Jul 2 16:00:34.283 THATS: Vi3.1 CPIW: I CONFREQ [ACKrcvd] id 2 len 22
2 Jul EST 16:00:34.283: Vi3.1 CPIW: address 0.0.0.0 (0 x 030600000000)
2 Jul EST 16:00:34.287: Vi3.1 IPCP: PrimaryDNS 0.0.0.0 (0 x 810600000000)
2 Jul EST 16:00:34.287: Vi3.1 CPIW: SecondaryDNS 0.0.0.0 (0 x 830600000000)
Jul 2 16:00:34.287 THATS: Vi3.1 CPIW: O CONFNAK [ACKrcvd] id 2 len 22
2 Jul EST 16:00:34.287: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.287: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.287: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.291 it IS: LNP 55994 L2TP: 3 added to resendQ, updated nr 4 and sent through peer review
Jul 2 16:00:34.295 it IS: LNP 55994 L2TP: O SLI, flg TLS, worm 2, len 36, LNP 3545, ns 3 nr 4
C8 02 00 24 0D AA 00 03 00 04 80 08 00 00 F5 D9
00 00 00 10 80 10 00 00 00 23 00 00 00 00 00 00
0 A 00 00 00
Jul 2 16:00:34.447 THATS: Vi3.1 CPIW: I CONFREQ [ACKrcvd] id 3 len 22
2 Jul EST 16:00:34.447: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.447: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.451: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.451 THATS: Vi3.1 CPIW: O CONFACK [ACKrcvd] id 3 len 22
2 Jul EST 16:00:34.451: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.451: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.451: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.451 THATS: Vi3.1 CPIW: State is open
Jul 2 16:00:34.459 THATS: Vi3.1 CPIW: install road to 172.17.0.1
Jul 2 16:00:35.303 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds

IOS #ping 172.17.0.1

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 172.17.0.1, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 156/160/172 ms
IOS #.

Jul 2 EST 16:00:45.547: Vi3.1 TPIF: I TERMREQ [open] id 3 len 16 (0 x 557365722072657175657374)
Jul 2 EST 16:00:45.547: Vi3.1 TPIF: O TERMACK [open] id 3 len 4
Jul 2 16:00:45.547 THATS: Vi3.1 PPP: sending Acct event [low] id [F0D]
Jul 2 16:00:45.547 THATS: Vi3.1 PPP: Phase ENDS
Jul 2 16:00:45.955 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:45.955 2 Jul CEST: LNP 55994 L2TP: Parse StopCCN
Jul 2 16:00:45.955 it IS: LNP 55994 L2TP: Parse AVP 9, len 8, flag 0 x 8000 (M)
16:00:45.959 2 Jul CEST: LNP 55994 L2TP: Tunnel ID 3545 assigned
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: Parse AVP 1, len 8, flag 0 x 8000 (M)
Jul 2 16:00:45.959 it IS: L2X: lead (6): 6: applicant is either stopped
Jul 2 16:00:45.959 it IS: code (0) error: no error
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: no missing AVPs in StopCCN
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: I StopCCN, flg TLS, worm 2, len 36, LNP 55994 ns 4, no. 4
contiguous Pak, size 36
C8 02 00 24 DA 00 00 00 04 00 04 80 08 00 00 BA
00 00 00 04 80 08 00 00 00 09 0D 80 08 00 00 D9
00 01 00 06
Jul 2 16:00:45.963 it IS: LNP 55994 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, ns 4, no. 5
C8 02 00 00 00 00 04 00 05 D9 0D 0C
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: I LNP StopCCN anonymous 3545
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: changing the status of the Tunnel created for withdrawal
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: tunnel of Shutdown
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: disconnect (L2X) IETF: 9/Ascend nas-error: 65/VPDN Tunnel down / installation fails
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: destruction of session
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: change of State of Session bench in slow motion
Jul 2 16:00:45.971 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: judgment of accounting sent
Jul 2 16:00:45.971 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: session without commitment of the IDB
Jul 2 16:00:45.971 THATS: Vi3.1 VPDN: interface reset
Jul 2 16:00:45.975 THATS: Vi3.1 PPP: block vaccess to be released [0 x 19]
Jul 2 16:00:45.975 it IS: LNP 55994 L2TP: Tunnel State closing down all by destroying the session
Jul 2 16:00:45.975 it IS: LNP 55994 L2TP: changing the State of closing down to the idle-Tunnel
Jul 2 16:00:46.179 THATS: Vi3.1 PPP: link broken down notification
Jul 2 EST 16:00:46.179: Vi3.1 TPIF: State is closed
Jul 2 16:00:46.179 THATS: Vi3.1 PPP: Phase is BROKEN
Jul 2 16:00:46.179 THATS: Vi3.1 CPIW: State is closed
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by 0 x [1] always locked by 0 x [18]
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by [0x10] always locked by [0 x 8]
2 Jul EST 16:00:46.183: Vi3.1 PPP: Send Message [logout]
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by [0x8] always locked by 0 x [0]
Jul 2 16:00:46.183 THATS: Vi3.1 PPP: free previously blocked vaccess
Jul 2 16:00:46.187 THATS: Vi3.1 CPIW: Remove the road to 172.17.0.1

Harold,

I need of debugs more to be sure, but it seems that the quick mode ipsec fails (phase 2). Try changing your transformation set to use "transport mode", because I believe that required for l2tp/ipsec.

If it does not, it should be him debugs full for "debug crypto isakmp" and "debug crypto ipsec".

-Jason

default DNS does not not in l2tp/ipsec

Hi all

We have Setup l2tp on asa, everything works except the default domain that is not defined. This is necessary because all the links does not provide full dns:

It's cisco config:

IP mask 255.255.255.224 local pool ClientVPNAddressPool 172.16.31.1 - 172.16.31.32

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS-ESP-3DES-MD5 ikev1

card crypto PublicTESA_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

PublicTESA_map PublicTESA crypto map interface

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server DNS X.X.X.X Y.Y.Y.Y

Protocol-tunnel-VPN l2tp ipsec

value by default-field AAA. BBBBBBB

the address value ClientVPNAddressPool pools

It's windows ipconfig/all:

Useful PPP VPN from Cisco ASA :--> name of the connection

Sufijo DNS specific para the conexion. . :--> suffix DNS specific connections (in WHITE)

Descripción...: Cisco ASA VPN--> description

Dirección física... :--> physiqueet address

DHCP enable...: don't--> active dhcp

Automatica habilitada... config: if--> active auto config

172.16.31.1 (Preferido) IPv4 address... :--> IP address

Subred... mascara:--> netmask 255.255.255.255

Puerta of enlace... by default: 0.0.0.0--> default GW

Servidores DNS...: X.X.X.X--> dns servers

Y.Y.Y.Y

Sober NetBIOS TCP/IP...: enable--> net bios on tcp active

Thank you!

Hi Jose,

L2TP over IPsec will not be able to receive the DNS suffix.

This is a limitation of the PPP. More information:

http://cdetsweb-PRD.Cisco.com/apps/dumpcr?identifier=CSCse74376&parentprogram=QDDTS

Marcin

Support for L2TP/IpSec VPN on 1921

Hello

I am not able to find an answer on something very simple... Fact of 1921 Cisco router supports L2TP/IpSec VPN connections? (from Windows 7 clients)

If she could please point me to the right location/document where I can read more about it.

I already tried with the configuration below, but command ppp under a virtual-Template1 don't output interface.

Thank you very much for your answers.

Kind regards

Herman

# VPN configuration I've tried, but it did not work.

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

life 4000

ISAKMP crypto key xxxxxxx address X.X.X.X (ip strongvpn)

!

!

Crypto ipsec transform-set ESP-AES256-SHA1 esp - aes 256 esp-sha-hmac

transport mode

!

Map 10 IPSEC L2TP ipsec-isakmp crypto

defined peer X.X.X.X

game of transformation-ESP-AES256-SHA1

match address 101

!

!

!

Pseudowire-class pwclass1

encapsulation l2tpv2

local IP interface FastEthernet0/0

PMTU IP

!

!

!

!

interface FastEthernet0/0

DHCP IP address

automatic duplex

automatic speed

card crypto IPSEC L2TP

!

interface FastEthernet0/1

IP 10.20.20.1 255.255.255.0

IP nat inside

IP virtual-reassembly

automatic duplex

automatic speed

!

interface Serial0/0/0

no ip address

Shutdown

!

interface Serial0/1/0

no ip address

Shutdown

2000000 clock frequency

!

virtual-PPP1 interface

the negotiated IP address

IP mtu 1399

NAT outside IP

IP virtual-reassembly max-pumping 64

No cdp enable

PPP authentication ms-chap-v2 callin

PPP chap hostname vpnxxx

PPP chap password 0 xxxxxxxxxx

Pseudowire pw-class 1, pwclass1 X.X.X.X

##################################################################################################################

Cisco-gw #show version

Cisco IOS software, software C1900 (C1900-UNIVERSALK9-M), Version 15.2 (4) M2, VERSION of the SOFTWARE (fc2)

Technical support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Updated Thursday, November 7, 12 and 12:45 by prod_rel_team

ROM: System Bootstrap, Version 15.0 M16 (1r), RELEASE SOFTWARE (fc1)

Cisco-gw uptime is 2 days, 4 hours, 22 minutes

System to regain the power ROM

System restart to 09:11:07 PCTime Tuesday, April 2, 2013

System image file is "usbflash0:c1900 - universalk9-mz.» Spa. 152 - 4.M2.bin.

Last reload type: normal charging

Reload last reason: power

This product contains cryptographic features and is under the United States

States and local laws governing the import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third party approval to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. laws and local countries. By using this product you

agree to comply with the regulations and laws in force. If you are unable

to satisfy the United States and local laws, return the product.

A summary of U.S. laws governing Cisco cryptographic products to:

http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

If you need assistance please contact us by mail at

[email protected] / * /.

Cisco CISCO1921/K9 (revision 1.0) with 491520K / 32768K bytes of memory.

Card processor ID FCZ170793UH

2 gigabit Ethernet interfaces

1 line of terminal

1 module of virtual private network (VPN)

Configuration of DRAM is 64 bits wide with disabled parity.

255K bytes of non-volatile configuration memory.

249840K bytes of Flash usbflash0 (read/write)

License info:

License IDU:

-------------------------------------------------

Device SN # PID

-------------------------------------------------

* 0 CISCO1921/K9

Technology for the Module package license information: "c1900".

-----------------------------------------------------------------

Technology-technology-package technology

Course Type next reboot

------------------------------------------------------------------

IPBase ipbasek9 ipbasek9 Permanent

Security securityk9 Permanent securityk9

given none none none

Configuration register is 0 x 2102

Yes, it is supported.

http://www.Cisco.com/en/us/Tech/tk827/tk369/technologies_configuration_example09186a0080094501.shtml#iosforl2tp

It is necessary to configure the encapsulation under virtual-model.

Note: you will have much better results by using the IPSec VPN or SSL VPN client AnyConnect client.

RIP on l2tp ipsec tunnel asa5505

Hello

Trying to rip of installation on an l2tp (ipsec) tunnel.

In the other end I have a windows machine that using the rip listener.

Can not get to work.

If it works?

Some have ideas how I should do the config?

Niklas

Niklas,

I would look good a solution on the windows side.

Verification of some discussions, I can see that we can ship classless routes (249) using DHCP for windows clients:

http://support.Microsoft.com/kb/121005

The ASA will need "intercept-dhcp" configured to correctly this.

Or use pure IPsec client and ;-) split tunneling features

Marcin

Problem Cisco 2811 with L2TP IPsec VPN

Hello. Sorry for my English. Help me please. I have problem with L2TP over IPsec VPN when I connect with Android phones. Even if I connect with laptop computers. I have Cisco 2811 - Cisco IOS software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4 (2) T2, (fc3) SOFTWARE VERSION. I configured on L2TP over IPsec VPN with Radius Authentication

My config:

!
AAA new-model
!
!
AAA authentication login default local
Ray of AAA for authentication ppp default local group
AAA authorization network default authenticated if
start-stop radius group AAA accounting network L2TP_RADIUS

!
dhcp L2tp IP pool
network 192.168.100.0 255.255.255.0
default router 192.168.100.1
domain.local domain name
192.168.101.12 DNS server
18c0.a865.c0a8.6401 hexagonal option 121
18c0.a865.c0a8.6401 hexagonal option 249

VPDN enable
!
VPDN-group sec_groupe
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnel

session of crypto consignment
!
crypto ISAKMP policy 5
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 55
BA 3des
md5 hash
preshared authentication
Group 2

ISAKMP crypto key... address 0.0.0.0 0.0.0.0
invalid-spi-recovery crypto ISAKMP
ISAKMP crypto keepalive 10 periodicals
!
life crypto ipsec security association seconds 28000
!
Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP
transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac 3DESMD5
need transport mode
!

!
!
crypto dynamic-map DYN - map 10
Set nat demux
game of transformation-L2TP
!
!
Crypto map 10 L2TP-VPN ipsec-isakmp dynamic DYN-map

interface Loopback1
Description * L2TP GateWay *.
IP 192.168.100.1 address 255.255.255.255

interface FastEthernet0/0
Description * Internet *.
address IP 95.6... 255.255.255.248
IP access-group allow-in-of-wan in
IP access-group allows-off-of-wan on
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
IP route cache policy
automatic duplex
automatic speed
L2TP-VPN crypto card
!

interface virtual-Template1
Description * PPTP *.
IP unnumbered Loopback1
IP access-group L2TP_VPN_IN in
AutoDetect encapsulation ppp
default IP address dhcp-pool L2tp peer
No keepalive
PPP mtu Adaptive
PPP encryption mppe auto
PPP authentication ms-chap-v2 callin
PPP accounting L2TP_RADIUS

L2TP_VPN_IN extended IP access list
permit any any icmp echo
IP 192.168.100.0 allow 0.0.0.255 192.168.101.0 0.0.0.255
IP 192.168.100.0 allow 0.0.0.255 192.168.3.0 0.0.0.255
allow udp any any eq bootps
allow udp any any eq bootpc
deny ip any any journal entry

RADIUS-server host 192.168.101.15 auth-port 1812 acct-port 1813
RADIUS server retry method reorganize
RADIUS server retransmit 2
Server RADIUS 7 key...

Debugging shows me

234195: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet dport 500 sport 500 SA NEW Global (N)
234196: * 3 Feb 18:53:38: ISAKMP: created a struct peer 93.73.161.229, peer port 500
234197: * 3 Feb 18:53:38: ISAKMP: new position created post = 0x47D305BC peer_handle = 0x80007C5F
234198: * 3 Feb 18:53:38: ISAKMP: lock struct 0x47D305BC, refcount 1 to peer crypto_isakmp_process_block
234199: * 3 Feb 18:53:38: ISAKMP: 500 local port, remote port 500
234200: * 3 Feb 18:53:38: insert his with his 480CFF64 = success
234201: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234202: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_READY = IKE_R_MM1
234203: * 3 Feb 18:53:38: ISAKMP: (0): treatment ITS payload. Message ID = 0
234204: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234205: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234206: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234207: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234208: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234209: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234210: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234211: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234212: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234213: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234214: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234215: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234216: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234217: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234218: * 3 Feb 18:53:38: ISAKMP: (0): success
234219: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234220: * 3 Feb 18:53:38: ISAKMP: (0): pre-shared key local found
234221: * 3 Feb 18:53:38: ISAKMP: analysis of the profiles for xauth...
234222: * 3 Feb 18:53:38: ISAKMP: (0): audit ISAKMP transform 1 against policy priority 5
234223: * 3 Feb 18:53:38: ISAKMP: type of life in seconds
234224: * 3 Feb 18:53:38: ISAKMP: life (basic) of 28800
234225: * 3 Feb 18:53:38: ISAKMP: 3DES-CBC encryption
234226: * 3 Feb 18:53:38: ISAKMP: pre-shared key auth
234227: * 3 Feb 18:53:38: ISAKMP: SHA hash
234228: * 3 Feb 18:53:38: ISAKMP: group by default 2
234229: * 3 Feb 18:53:38: ISAKMP: (0): atts are acceptable. Next payload is 3
234230: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234231: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 69
234232: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234233: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 164
234234: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234235: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 123
234236: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is NAT - T v2
234237: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234238: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 221
234239: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234240: * 3 Feb 18:53:38: ISAKMP: (0): provider ID seems the unit/DPD but major incompatibility of 194
234241: * 3 Feb 18:53:38: ISAKMP: (0): load useful vendor id of treatment
234242: * 3 Feb 18:53:38: ISAKMP: (0): provider ID is DPD
234243: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234244: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM1

234245: * 3 Feb 18:53:38: ISAKMP: (0): built the seller-02 ID NAT - t
234246: * 3 Feb 18:53:38: ISAKMP: (0): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_SA_SETUP
234247: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234248: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM1 = IKE_R_MM2

234249: * 3 Feb 18:53:38: ISAKMP (0:0): received 93.73.161.229 packet 500 Global 500 (R) sport dport MM_SA_SETUP
234250: * 3 Feb 18:53:38: ISAKMP: (0): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234251: * 3 Feb 18:53:38: ISAKMP: (0): former State = new State IKE_R_MM2 = IKE_R_MM3

234252: * 3 Feb 18:53:38: ISAKMP: (0): processing KE payload. Message ID = 0
234253: * 3 Feb 18:53:38: crypto_engine: create DH shared secret
234254: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET (hw) (ipsec)
234255: * 3 Feb 18:53:38: ISAKMP: (0): processing NONCE payload. Message ID = 0
234256: * 3 Feb 18:53:38: ISAKMP: (0): looking for a key corresponding to 93.73.161.229 in default
234257: * 3 Feb 18:53:38: ISAKMP: (0): success
234258: * 3 Feb 18:53:38: ISAKMP: (0): pair found pre-shared key matching 93.73.161.229
234259: * 3 Feb 18:53:38: crypto_engine: create IKE SA
234260: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_SA_CREATE (hw) (ipsec)
234261: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234262: * 3 Feb 18:53:38: ISAKMP: receives the payload type 20
234263: * 3 Feb 18:53:38: ISAKMP (0:5912): NAT found, the node outside NAT
234264: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234265: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM3

234266: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending my_port 500 peer_port 500 (R) MM_KEY_EXCH
234267: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234268: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM3 = IKE_R_MM4

234269: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) MM_KEY_EXCH sport
234270: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234271: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234272: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
234273: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM4 = IKE_R_MM5

234274: * 3 Feb 18:53:38: ISAKMP: (5912): payload ID for treatment. Message ID = 0
234275: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 192.168.1.218
Protocol: 17
Port: 500
Length: 12
234276: * 3 Feb 18:53:38: ISAKMP: (5912): peer games * no * profiles
234277: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID = 0
234278: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234279: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234280: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234281: * 3 Feb 18:53:38: ISAKMP: (5912): SA has been authenticated with 93.73.161.229
234282: * 3 Feb 18:53:38: ISAKMP: (5912): port detected floating port = 4500
234283: * 3 Feb 18:53:38: ISAKMP: attempts to insert a peer and inserted 95.6.../93.73.161.229/4500/ 47D305BC successfully.
234284: * 3 Feb 18:53:38: ISAKMP: (5912): IKE_DPD is enabled, the initialization of timers
234285: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
234286: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_R_MM5

234287: * 3 Feb 18:53:38: ISAKMP: (5912): ITS been pre-shared key, using id ID_IPV4_ADDR type authentication
234288: * 3 Feb 18:53:38: ISAKMP (0:5912): payload ID
next payload: 8
type: 1
address: 95.6...
Protocol: 17
Port: 0
Length: 12
234289: * 3 Feb 18:53:38: ISAKMP: (5912): the total payload length: 12
234290: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234291: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234292: * 3 Feb 18:53:38: crypto_engine: package to encrypt IKE
routerindc #.
234293: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234294: * 3 Feb 18:53:38: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) MM_KEY_EXCH
234295: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
234296: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_R_MM5 = IKE_P1_COMPLETE

234297: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
234298: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

234299: * 3 Feb 18:53:38: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234300: * 3 Feb 18:53:38: ISAKMP: node set-893966165 to QM_IDLE
234301: * 3 Feb 18:53:38: crypto_engine: package to decipher IKE
234302: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234303: * 3 Feb 18:53:38: crypto_engine: hash generate IKE
234304: * 3 Feb 18:53:38: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234305: * 3 Feb 18:53:38: ISAKMP: (5912): HASH payload processing. Message ID =-893966165
234306: * 3 Feb 18:53:38: ISAKMP: (5912): treatment protocol NOTIFIER INITIAL_CONTACT 1
SPI 0, message ID =-893966165, his 480CFF64 =
234307: * 3 Feb 18:53:38: ISAKMP: (5912): SA authentication status:
authenticated
234308: * 3 Feb 18:53:38: ISAKMP: (5912): process of first contact.
dropping existing phase 1 and 2 with 95.6 local... 93.73.161.229 remote remote port 4500
234309: * 3 Feb 18:53:38: ISAKMP: (5912): node-893966165 error suppression FALSE reason 'informational (en) State 1.
234310: * 3 Feb 18:53:38: ISAKMP: (5912): entry = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
234311: * 3 Feb 18:53:38: ISAKMP: (5912): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE

234312: * 3 Feb 18:53:38: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234313: * 3 Feb 18:53:39: % s-6-IPACCESSLOGRL: registration of limited or missed rates 150 packages of access list
234314: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234315: * 3 Feb 18:53:39: ISAKMP: node set-1224389198 to QM_IDLE
234316: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234317: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234318: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234319: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234320: * 3 Feb 18:53:39: ISAKMP: (5912): HASH payload processing. Message ID =-1224389198
234321: * 3 Feb 18:53:39: ISAKMP: (5912): treatment ITS payload. Message ID =-1224389198
234322: * 3 Feb 18:53:39: ISAKMP: (5912): proposal of IPSec checking 1
234323: * 3 Feb 18:53:39: ISAKMP: turn 1, ESP_3DES
234324: * 3 Feb 18:53:39: ISAKMP: attributes of transformation:
234325: * 3 Feb 18:53:39: ISAKMP: type of life in seconds
234326: * 3 Feb 18:53:39: ISAKMP: life of HIS (basic) of 28800
234327: * 3 Feb 18:53:39: ISAKMP: program is 61444 (Transport-UDP)
234328: * 3 Feb 18:53:39: ISAKMP: authenticator is HMAC-SHA
234329: * 3 Feb 18:53:39: CryptoEngine0: validate the proposal
234330: * 3 Feb 18:53:39: ISAKMP: (5912): atts are acceptable.
234331: * 3 Feb 18:53:39: IPSEC (validate_proposal_request): part #1 of the proposal
(Eng. msg key.) Local INCOMING = 95.6..., distance = 93.73.161.229,.
local_proxy = 95.6.../255.255.255.255/17/1701 (type = 1),
remote_proxy = 93.73.161.229/255.255.255.255/17/0 (type = 1),
Protocol = ESP, transform = esp-3des esp-sha-hmac (UDP Transport),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
234332: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234333: * 3 Feb 18:53:39: ISAKMP: (5912): processing NONCE payload. Message ID =-1224389198
234334: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234335: * 3 Feb 18:53:39: ISAKMP: (5912): payload ID for treatment. Message ID =-1224389198
234336: * 3 Feb 18:53:39: ISAKMP: (5912): ask 1 spis of ipsec
234337: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234338: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_READY = IKE_QM_SPI_STARVE
234339: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234340: * 3 Feb 18:53:39: IPSEC (spi_response): spi getting 834762579 for SA
of 95.6... to 93.73.161.229 for prot 3
234341: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234342: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
234343: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
routerindc #.
234344: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234345: * 3 Feb 18:53:39: crypto_engine: create Security Association IPSec (by QM)
234346: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IPSEC_KEY_CREATE (hw) (ipsec)
234347: * 3 Feb 18:53:39: ISAKMP: (5912): establishing IPSec security associations
234348: * 3 Feb 18:53:39: from 93.73.161.229 to 95.6 SA... (f / i) 0 / 0
(93.73.161.229 to 95.6 proxy...)
234349: * 3 Feb 18:53:39: spi 0x31C17753 and id_conn a 0
234350: * 3 Feb 18:53:39: life of 28800 seconds
234351: * 3 Feb 18:53:39: ITS 95.6 outgoing... to 93.73.161.229 (f / i) 0/0
(proxy 95.6... to 93.73.161.229)
234352: * 3 Feb 18:53:39: spi 0x495A4BD and id_conn a 0
234353: * 3 Feb 18:53:39: life of 28800 seconds
234354: * 3 Feb 18:53:39: crypto_engine: package to encrypt IKE
234355: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT (hw) (ipsec)
234356: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234357: * 3 Feb 18:53:39: map_db_find_best found no corresponding card
234358: * 3 Feb 18:53:39: IPSec: rate allocated for brother 80000273 Flow_switching
234359: * 3 Feb 18:53:39: IPSEC (policy_db_add_ident): 95.6..., src dest 93.73.161.229, dest_port 4500

234360: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 95.6..., sa_proto = 50.
sa_spi = 0x31C17753 (834762579).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1165
234361: * 3 Feb 18:53:39: IPSEC (create_sa): its created.
(his) sa_dest = 93.73.161.229, sa_proto = 50,.
sa_spi = 0x495A4BD (76915901).
sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 1166
234362: * 3 Feb 18:53:39: ISAKMP: (5912): lot of 93.73.161.229 sending peer_port my_port 4500 4500 (R) QM_IDLE
234363: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
234364: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_SPI_STARVE = IKE_QM_R_QM2
234365: * 3 Feb 18:53:39: ISAKMP (0:5912): received 93.73.161.229 packet dport 4500 4500 Global (R) QM_IDLE sport
234366: * 3 Feb 18:53:39: crypto_engine: package to decipher IKE
234367: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT (hw) (ipsec)
234368: * 3 Feb 18:53:39: crypto_engine: hash generate IKE
234369: * 3 Feb 18:53:39: CryptoEngine0: CRYPTO_ISA_IKE_HMAC (hw) (ipsec)
routerindc #.
234370: * 3 Feb 18:53:39: ISAKMP: (5912): node-1224389198 error suppression FALSE reason 'QM (wait).
234371: * 3 Feb 18:53:39: ISAKMP: (5912): entrance, node-1224389198 = IKE_MESG_FROM_PEER, IKE_QM_EXCH
234372: * 3 Feb 18:53:39: ISAKMP: (5912): former State = new State IKE_QM_R_QM2 = IKE_QM_PHASE2_COMPLETE
234373: * 3 Feb 18:53:39: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
234374: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP
234375: * 3 Feb 18:53:39: IPSEC (key_engine_enable_outbound): select SA with spinnaker 76915901/50
234376: * 3 Feb 18:53:40: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234377: * 3 Feb 18:53:42: IPSEC (epa_des_crypt): decrypted packet has no control of her identity
routerindc #.
234378: * 3 Feb 18:53:44: IPSEC (epa_des_crypt): decrypted packet has no control of her identity

Also when I connect with the phone, I see HIS Active and IPsec tunnel is mounted, but the wire of time tunnel is down and phone connects.

I hope that you will help me. Thank you.

Hi dvecherkin1,

Who IOS you're running, you could hit the next default.

https://Tools.Cisco.com/bugsearch/bug/CSCsg34166/?reffering_site=dumpcr

It may be useful

-Randy-

Evaluate the ticket to help others find the answer quickly.

RVS4000 L2TP IPSec

Similar Questions

Maybe you are looking for