Windows Error VPNC3005 "unauthorized tunneling protocol" L2TP/IPSec

I'm trying to implement a vpn L2TP/IPSec to a concentrator 3005. Everything seems to work (phase 1 completed, PHASE2 full, updated tunnel, the session began and the user is authenticated with the RADIUS) but then the tunnel fell with the message "unauthorized tunneling protocol. What causes this message?

At one point the tunnel remained upward and running, but later I tried again and it failed. I don't remember changing anything in the config right.

I read somewhere that I should turn on "L2TP over IPSEC" in the group but this disables the IPSEC option and it seems to me that I need IPSec for Cisco vpn clients that need to connect.

Any suggestions?

Change the base group to allow l2tp/ipsec; Check if l2tp is enabled at the global level.

Tags: Cisco Security

Similar Questions

default DNS does not not in l2tp/ipsec

Hi all

We have Setup l2tp on asa, everything works except the default domain that is not defined. This is necessary because all the links does not provide full dns:

It's cisco config:

IP mask 255.255.255.224 local pool ClientVPNAddressPool 172.16.31.1 - 172.16.31.32

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS-ESP-3DES-MD5 ikev1

card crypto PublicTESA_map 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

PublicTESA_map PublicTESA crypto map interface

internal DefaultRAGroup group strategy

attributes of Group Policy DefaultRAGroup

value of server DNS X.X.X.X Y.Y.Y.Y

Protocol-tunnel-VPN l2tp ipsec

value by default-field AAA. BBBBBBB

the address value ClientVPNAddressPool pools

It's windows ipconfig/all:

Useful PPP VPN from Cisco ASA :--> name of the connection

Sufijo DNS specific para the conexion. . :--> suffix DNS specific connections (in WHITE)

Descripción...: Cisco ASA VPN--> description

Dirección física... :--> physiqueet address

DHCP enable...: don't--> active dhcp

Automatica habilitada... config: if--> active auto config

172.16.31.1 (Preferido) IPv4 address... :--> IP address

Subred... mascara:--> netmask 255.255.255.255

Puerta of enlace... by default: 0.0.0.0--> default GW

Servidores DNS...: X.X.X.X--> dns servers

Y.Y.Y.Y

Sober NetBIOS TCP/IP...: enable--> net bios on tcp active

Thank you!

Hi Jose,

L2TP over IPsec will not be able to receive the DNS suffix.

This is a limitation of the PPP. More information:

http://cdetsweb-PRD.Cisco.com/apps/dumpcr?identifier=CSCse74376&parentprogram=QDDTS

Marcin

L2TP/IPSec connection failed for Windows 7 Ultimate for Windows Server R2 2012 with error 789.

For this preface, I use the server in a lab environment and trying to set up my own VPN L2TP/IPSec. I opened the UDP 500 and 1701 TCP ports on my router for the interface of the primary server where is the VPN. It is on a Comcast connection consumer where other applications such as Arma 3 servers dedicated and IIS have worked.
The RRAS role to run based on this tutorial: http://www.thomasmaurer.ch/2014/01/how-to-install-vpn-on-windows-server-2012-r2/ I have only strayed from it using DHCP forwarding instead of a static pool of IP as my router is running a DHCP server, and if I understand correctly, the router must give IP addresses of the internal IP pool which I use for everything else. I also use the PSK authentication rather than be based certificate. For the authentication of users I have MS-CHAP-V2 and CHAP enabled; I connect from the remote device with an account on that I created on the server for the purpose of this VPN I know RRAS connections are allowed.

When the connection I get error 789: L2TP connection attempt failed because the security layer detected a processing error during initial negotiations with the remote computer. From what I've seen, this can be fixed by checking that the two ends of the connection are not behind a NAT (not an option), verification of the PSK (already done) and certificates (not applicable). If there is a way to solve this problem that would be great, but my server will always be behind a NAT firewall because the router is one, and the modem becomes one if several devices are connected to him without a router between the two.

This issue is beyond the scope of this site and must be placed on Technet or MSDN

http://social.technet.Microsoft.com/forums/en-us/home

http://social.msdn.Microsoft.com/forums/en-us/home

Windows L2TP/IPSec to ASA

Hello

I configured on ASA windows L2TP/Ipsec connections. Phase 1 and 2 are successful, the tunnel is created but immediately after this deletet. Tested from windows XP and windows 7. I use DefaultRAGroup for that (can not use any group which is by default not - limitation of windows). Here is my config:

attributes of Group Policy DfltGrpPolicy
value of 10.1.1.1 WINS server
value of server DNS 10.1.1.1
VPN-idle-timeout 300
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
the authentication of the user activation
allow to NEM
NAC-parameters DfltGrpPolicy-NAC-framework-create value
WebVPN
SVC keepalive no
client of dpd-interval SVC no
dpd-interval SVC bridge no
value of customization DfltCustomization

attributes global-tunnel-group DefaultRAGroup
asa-admins address pool
authentication-server-group CSACS
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
Disable ISAKMP keepalive
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
ms-chap-v2 authentication
eap-proxy authentication

Crypto-map dynamic outside_dyn_map 10 the value transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 MD5-ESP-3DES ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside

And here are some logs:

17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA proposal # 1, turn # 1 entry overall SA IPSec acceptable matches # 10

17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-710005: UDP request and eliminated from 193.193.193.193/4204 outside: outside-interface/4500
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-6-602303: IPSEC: outgoing remote access to ITS (SPI = 0xAEA59455) between the outside of the interface and 193.193.193.193 (user = DefaultRAGroup) was created.
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a msg KEY_ADD for SA: SPI = 0xaea59455
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-6-602303: IPSEC: incoming remote access to ITS (SPI = 0x9D3B8BDE) between the outside of the interface and 193.193.193.193 (user = DefaultRAGroup) was created.
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, pitcher: received KEY_UPDATE, spi 0x9d3b8bde
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, timer to generate a new key to start P2: 3060 seconds.
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % 713120-5-ASA: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid = 00000001)
17 February 13:27:07 vpnasa1 February 17, 2010 13:27:07 vpnasa1: % ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193>mask <0xFFFFFFFF>port<4204>
17 February 13:27:08 vpnasa1 February 17, 2010 13:27:08 vpnasa1: % ASA-7-710005: UDP request and eliminated from 193.193.193.193/4204 outside: outside-interface/1701
17 February 13:27:08 vpnasa1 February 17, 2010 13:27:08 vpnasa1: % ASA-6-302016: connection UDP disassembly 56281479 for outside:193.193.193.193/4204 of identity: outside-interface/1701 duration 0:01:07 431 bytes
17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-302015: built connection UDP incoming 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to the identity: outside-interface/1701 (outside-interface/1701)
17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-603106: L2TP Tunnel created, tunnel_id 50, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id 1, client_dynamic_ip is 0.0.0.0 username is user1
17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50 remote_peer_ip = 193.193.193.193

17 February 13:27:10 vpnasa1 February 17, 2010 13:27:10 vpnasa1: % ASA-4-113019: Group = DefaultRAGroup, username =, IP = 193.193.193.193, disconnected Session. Session type: IPsecOverNatT, duration: 0 h: 00 m: 03 s, xmt bytes: 795 bytes RRs: 1204, reason: L2TP initiated

What's wrong?

Thanx

Please go ahead and activate the following command:

ISAKMP nat-traversal crypto

Try again.

RIP on l2tp ipsec tunnel asa5505

Hello

Trying to rip of installation on an l2tp (ipsec) tunnel.

In the other end I have a windows machine that using the rip listener.

Can not get to work.

If it works?

Some have ideas how I should do the config?

Niklas

Niklas,

I would look good a solution on the windows side.

Verification of some discussions, I can see that we can ship classless routes (249) using DHCP for windows clients:

http://support.Microsoft.com/kb/121005

The ASA will need "intercept-dhcp" configured to correctly this.

Or use pure IPsec client and ;-) split tunneling features

Marcin

Error 711 The Secure Socket Tunneling Protocol Service service on Local computer started and then stopped. ." Unable to connect to the Internet

Original title: I get error 711 when I try to connect to the internet via a UIM modem on my windows overpriced home 7 SP 1

Did some research and tried manually from the phone, RACM, RACM auto and plug and play services but got error 1068.Tried to start the service SSTP to solve this problem but got the error "the Service of Protocol Secure Socket Tunneling courier on Local computer started and then stopped. Some services stop automatically if they are not in use by other services or programs. »

I am so desperate and would appreciate helpful suggestions.

Hello

1. When was the last time it worked?

2 did you a recent software or changes to the material on the computer?

Method 1:

I suggest you to go through the steps mentioned in the link and the Coachman.

Windows wireless and wired network connection problems

http://Windows.Microsoft.com/en-us/Windows/help/wired-and-wireless-network-connection-problems-in-Windows

If the steps is not enough, go to method 2.

Method 2:

Ensure that all dependencies of Service Remote Access Connection Manager components are started and set to automatic

(a) (a) cliquer click on start-run, type services.msc, the, click OK.

(b) ensure that the following services are started on and set to automatic.

(c) make sure that the "Startup Type" says "automatic"and has begun.» If it isn't, use the drop down menu to change (under the general tab).

(d) if she once said: "Automatic", then click on the "Recovery" tab in the upper part and replace the line "First failure" "Restart the Service", then click on ""apply ', then OK. "

See also:

Why can't I connect to the Internet?

http://Windows.Microsoft.com/en-us/Windows7/why-can-t-I-connect-to-the-Internet

Hope this helps and keep us posted.

Error 1079: The account specified for this service is different from the account specified for other services running in the same process. When you attempt to start the Secure Socket Tunneling Protocol

I try to use my verizon air card, a PC770; VZ Access Manager version 7.2.7.1 recognizes the card very well, but whenever I try to "connect WWAN" I get the following message - "failed to connect - connection not available." Through the verizon forums, I trace this error to the 'Remote Access Connection eating' service that is not started. I try to start this service and receive error 1068: the dependency service or group could start. I have check the Dependencies tab and see Secure Socket Tunneling Protocol. When I go to this service, I see that it is not started, try to start this service result in error in my, title = error 1079.

I saw many others issues related to the error code 1079, but nothing that she wears on the SSTP service.

How can I fix it or what additional information is required to help diagnose? Regards, Paul

Bud13:
Dude... May want to lay off the crack for a while before this extreme paranoia Gets the best of you...

To the OP:

Just go to the properties of the service you are trying to start, then select "this account". Browse your computer and find the "Local Service" account Clear the password so that it is empty and apply. You will get a dialog box indicating that the account has been given to the connection as a good service. Then start your service. This should solve your problem. I have seen this question many times and there are many, many reasons why it could have happened, but there is nothing to worry.

Cisco 1841 ipsec tunnel protocol down after a minute

I have a strange problem where im manages to get a tha cisco ipsec tunnel 1841 to a RV016 linksys/cisco for about a minute and ping/encrypt the packets through the linen for about a minute before it breaks down. I tried different configuration and it all results in the tunnel for a minute then descend to come. I don't know if im hitting a bug and decide to if im doing something wrong.

any help is appreciated paul

RV016 firmware 2.0.18

Cisco 1841: C1841-ADVENTERPRISEK9-M), Version 12.4 (24) T

my config

no default isakmp crypto policy

!

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto key address 0.0.0.0 eaton1234 0.0.0.0

!

!

Crypto ipsec transform-set esp-3des esp-sha-hmac ESSTS

transport mode

no default crypto ipsec transform-set

!

Crypto ipsec profile ipsec_profile1

Description in the location main site to site VPN tunnel

game of transformation-ESSTS

PFS group2 Set

!

!

!

!

!

!

!

Tunnel1 interface

Description of the location of the hand

IP unnumbered Serial0/0/0

source of tunnel Serial0/0/0

destination 209.213.x.x tunnel

ipv4 ipsec tunnel mode

tunnel path-mtu-discovery

protection of ipsec profile ipsec_profile1 tunnel

!

a debug output

Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 the proposal

Apr 24 16:42:07: IPSEC (validate_proposal_request): part #1 of the proposal

(Eng. msg key.) Local INCOMING = 209.213.xx.46, distance = 209.213.xx.164,.

local_proxy = 10.20.86.0/255.255.255.0/0/0 (type = 4),

remote_proxy = 10.0.0.0/255.255.255.0/0/0 (type = 4),

Protocol = ESP, transform = NONE (Tunnel),

lifedur = 0 and 0kb in

SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

Apr 24 16:42:07: mapdb Crypto: proxy_match

ADR SRC: 10.20.86.0

ADR DST: 10.0.0.0

Protocol: 0

SRC port: 0

DST port: 0

Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

Apr 24 16:42:07: mapdb Crypto: proxy_match

ADR SRC: 10.20.86.0

ADR DST: 10.0.0.0

Protocol: 0

SRC port: 0

DST port: 0

Apr 24 16:42:07: IPSEC (policy_db_add_ident): src dest 10.0.0.0, 10.20.86.0, dest_port

0

Apr 24 16:42:07: IPSEC (create_sa): its created.

(his) sa_dest = 209.213.xx.46, sa_proto = 50,.

sa_spi = 0x4CF51011 (1291128849).

sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2045

sa_lifetime(k/sec) = (4463729/3600)

Apr 24 16:42:07: IPSEC (create_sa): its created.

(his) sa_dest = 209.213.xx.164, sa_proto = 50,.

sa_spi = 0x1EB77DAF (515341743).

sa_trans = sa_conn_id of hmac-sha-esp, esp-3des = 2046

sa_lifetime(k/sec) = (4463729/3600)

Apr 24 16:42:07: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

you to

Apr 24 16:42:07: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)

Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): rec would notify of ISAKMP

Apr 24 16:42:07: IPSEC (key_engine_enable_outbound): select SA with spinnaker 515341743/50

Apr 24 16:42:07: IPSEC (update_current_outbound_sa): update peer 209.213.xx.164 curre

NT his outgoing to SPI 1EB77DAF

Apr 24 16:42:12: IPSEC (key_engine): request timer shot: count = 1,.

local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

Apr 24 16:42:12: IPSEC (sa_request):,.

(Eng. msg key.) Local OUTGOING = 209.213.xx.46, distance = 209.213.xx.164,.

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

Protocol = ESP, transform = esp-3des esp-sha-hmac (Tunnel),

lifedur = 3600 s and KB 4608000,

SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

Apr 24 16:42:42: IPSEC (key_engine): request timer shot: count = 2,.

local (identity) = 209.213.xx.46, distance = 209.213.xx.164,

local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

remote_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4)

Apr 24 16:42:42: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, sta changed

you all the downu

All possible debugging has been disabled

I would try to set up a VPN Interface virtual Tunnel on the IOS router base and the value of defined transformation in tunnel mode no transport.

In history, I have had several issues with VPN between a router IOS and the series RV.

RVS4000 L2TP IPSec

Trying to establish a L2TP IPSec VPN tunnels between remote Windows XP and Windows 2003 RRAS server customer.

XP remote client and the RRAS W2003 server are behind routers RVS4000.

Have established that the RRAS W2003 server will accept connections L2TP IPSec clients behind the router Cisco RVS4000 [LAN clients].

Could not establish remote through the RVS4000 router L2TP IPSec connections. Have established that PPTP VPN RVS4000 router. Both routers are running the version 1.3.0.5

Both routers 4000 RVs are configured for PPTP, IPSec, and L2TP VPN passthrough with the port UDP 1701 transferred to the RRAS server by the

RVS router 4000. VPN PPTP connections have no problems.

Error code is 792

The problem seems to be with IPSec passthrough. The port UDP 1701 is sent to the RRAS server. Unable to create port rules for IKE 500 or IP protocol 50/4500 on the RVS4000 because these policies collide with transmission UDP1701.

No indication about why the IPSec fails with the RVS4000 for remote access clients, but IPSec has managed to connect to the RRAS server using LAN clients.

1. never transfer the port UDP 1701. The port UDP 1701 is used for L2TP. However, L2TP is supposed to be in the tunnel within an IPSec tunnel. Exposing a L2TP server directly to the internet can be a security risk. Don't, don't.

2. what you must have to pass, this is port UDP 500 for IKE (establishing the IPSec connection) and possibly port TCP/UDP 4500 for NAT traversal for IPSec. There should be no conflict. If there is, I guess it's because the RVS4000 has its own implementation of IPSec.

3 LAN works because there's NAT involved and therefore there is no need of NAT traversal, port forwarding or something similar.

L2TP/IPSEC: IOS <>- Android

Hello

is there a working solution L2TP/IPSEC VPN between Cisco IOS and Android 2.1?

I'm trying to get my mobile online, but the connection is complete after 10 sek.

Any tips?

Harald

My IOS config:

VPDN enable
!
VPDN-group l2tpvpn
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
no authentication of l2tp tunnel
!

username privilege 15 secret password user

door-key crypto l2tpvpn
pre-shared key address 0.0.0.0 0.0.0.0 test key
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600

test key crypto isakmp 0.0.0.0 address 0.0.0.0

Crypto ipsec transform-set esp-3des esp-sha-hmac L2TP-TS
!
Dynvpn crypto dynamic-map 1
Set nat demux
game of transformation-L2TP-TS

map CRYPTOMAP 20-isakmp ipsec crypto dynamic dynvpn

interface virtual-Template1
IP unnumbered Ethernet0
the peer default VPN ip address pool
KeepAlive 5
PPP authentication ms-chap-v2

interface BVI1
IP address 212.xxx.xxx.xxx 255.255.255.0
NAT outside IP
IP virtual-reassembly
by default auto-configured IPv6 address
enable IPv6
card crypto CRYPTOMAP
!
local pool IP VPN 172.17.0.1 172.17.0.10

Some debugs:

IOS #.
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.800 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.804 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.804 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.808 it IS: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul 2 16:00:01.808 it IS: ISAKMP:(0:13:HW:2): politics of ITS phase 2 is not acceptable! (local 212.xxx.xxx.xxx remote 80.xxx.xxx.xxx)
Jul 2 16:00:01.816 it IS: ISAKMP: (0:13:HW:2): node-1463956874 error suppression REAL reason "QM rejected."
Jul 2 16:00:01.816 it IS: ISAKMP (0:268435469): unknown entry IKE_MESG_FROM_PEER, IKE_QM_EXCH: node-1463956874: State = IKE_QM_R EADY
Jul 2 16:00:01.820 it IS: % CRYPTO-6-IKMP_MODE_FAILURE: fast processing mode failed with the peer to 80.xxx.xxx.xxx

IOS #.
Jul 2 16:00:32.695 it IS: L2X: Parse AVP flag 0, len 8, 0 x 8000 (M)
16:00:32.695 2 Jul CEST: L2X: Parse SCCRQ
Jul 2 16:00:32.695 it IS: L2X: Parse AVP 2 flag, len 8, 0 x 8000 (M)
16:00:32.699 2 Jul CEST: L2X: Protocol Version 1
Jul 2 16:00:32.699 it IS: L2X: Parse AVP 7, len 15, flag 0 x 8000 (M)
Jul 2 16:00:32.699 it IS: L2X: anonymous host name
Jul 2 16:00:32.699 it IS: L2X: Parse AVP 3, len 10, flag 0 x 8000 (M)
16:00:32.699 2 Jul CEST: L2X: framing course 0 x 3
Jul 2 16:00:32.703 it IS: L2X: Parse AVP 9 flag, len 8, 0 x 8000 (M)
16:00:32.703 2 Jul CEST: L2X: Tunnel ID 3545 assigned
Jul 2 16:00:32.703 it IS: L2X: Parse AVP 10 flag, len 8, 0 x 8000 (M)
16:00:32.703 2 Jul CEST: L2X: Rx 1 window size
Jul 2 16:00:32.703 it IS: L2X: no missing AVPs in SCCRQ
Jul 2 16:00:32.703 it IS: L2X: I SCCRQ, flg TLS, worm 2, len 69, NL 0 ns 0, nr 0
contiguous Pak, size 69
C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
00 00 00 01 80 08 00 00 00 02 01 00 80 00 00 0F
00-07-61 6TH 6TH 6F 6F 79 6 75 73 80 0 A 00 00 00
03 00 00 00 03 80 08 00 00 00 09 0D 80 08 00 D9
00 00 0 A 00 01
Jul 2 16:00:32.707 it IS: L2TP: I LNP SCCRQ anonymous 3545
Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: authorization of Tunnel began to host anonymous
Jul 2 16:00:32.711 it IS: LNP 55994 L2TP: new tunnel created for remote anonymous, address 80.xxx.xxx.xxx
Jul 2 16:00:32.715 it IS: L2X: response to author Tunnel L2X info not found
Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: O SCCRP anonymous 3545 tnlid
Jul 2 16:00:32.715 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:32.715 2 Jul CEST: LNP 55994 L2TP: Parse SCCRP
Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 2, len 8, flag 0 x 8000 (M)
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Protocol Version 1
Jul 2 16:00:32.719 it IS: L2TP 55994 LNP: Parse AVP 6 flag, len 8, 0 x 0
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Firmware Ver 0 x 1120
Jul 2 16:00:32.719 it IS: LNP 55994 L2TP: Parse AVP 7, len 9, flag 0 x 8000 (M)
16:00:32.719 2 Jul CEST: LNP 55994 L2TP: Hostname IOS
Jul 2 16:00:32.723 it IS: L2TP 55994 LNP: flag of Parse AVP 8, len 25, 0 x 0
16:00:32.723 2 Jul CEST: LNP 55994 L2TP: name provider Cisco Systems, Inc.
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 10, len 8, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: Rx 300 window size
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 9, len 8, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: assigned Tunnel ID 55994
Jul 2 16:00:32.727 it IS: LNP 55994 L2TP: Parse AVP 3, len 10, flag 0 x 8000 (M)
16:00:32.727 2 Jul CEST: LNP 55994 L2TP: framing course 0 x 0
Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: Parse AVP 4, len 10, flag 0 x 8000 (M)
16:00:32.731 2 Jul CEST: LNP 55994 L2TP: bearer Cap 0 x 0
Jul 2 16:00:32.731 it IS: LNP 55994 L2TP: O SCCRP, flg TLS, worm 2, len 106, LNP 3545, ns 0 nr 1
C8 02 00 6A 00 00 00 00 00 01 80 08 00 00 D9 0D
00 00 00 02 80 08 00 00 00 02 01 00 00 08 00 00
00 06 11 20 80 09 00 00 00 07 49 53 00 19 00 4F
00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6 D 73
2 20 49 6 2 63 80...
Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:32.735 it IS: LNP 55994 L2TP: Tunnel of status change from idle to wait-ctl-reply
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:32.887 2 Jul CEST: LNP 55994 L2TP: Parse SCCCN
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: no missing AVPs in SCCCN
Jul 2 16:00:32.887 it IS: LNP 55994 L2TP: I SCCCN, flg TLS, worm 2, len 20, LNP 55994 ns 1, n ° 1
contiguous Pak, size 20
C8 02 00 14 DA 00 00 00 01 00 01 80 08 00 00 BA
00 00 00 03
Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, ns 1, n ° 2
C8 02 00 00 00 00 01 00 02 D9 0D 0C
Jul 2 16:00:32.891 it IS: LNP 55994 L2TP: I LNP SCCCN anonymous 3545
Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: Tunnel of change of State of wait-ctl-reply to set up
Jul 2 16:00:32.895 it IS: LNP 55994 L2TP: SM established State
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: Parse ICRQ
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 14, len 8, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: assigned Call ID 43765
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: Parse AVP 15, len 10, flag 0 x 8000 (M)
16:00:33.091 2 Jul CEST: LNP 55994 L2TP: serial number 1986235932
Jul 2 16:00:33.091 it IS: LNP 55994 L2TP: no missing AVPs in ICRQ
Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I ICRQ, flg TLS, worm 2, len 38, LNP 55994 ns 2, n ° 1
contiguous Pak, size 38
C8 02 00 26 DA 00 00 00 02 00 01 80 08 00 00 BA
00 00 00 0 A 80 08 00 00 00 0E AA 80 0 A 00 00 F5
0F 00 76 63 8F 1 C
Jul 2 16:00:33.095 it IS: LNP 55994 L2TP: I LNP ICRQ anonymous 3545
Jul 2 16:00:33.099 it IS: nl/Sn 55994/18 L2TP: change of State of Session idle for wait-connect
Jul 2 16:00:33.099 it IS: L2TP 55994/18 LNP/Sn: accepted ICRQ, new session created
Jul 2 16:00:33.099 THATS: uid:25 LNP/Sn 55994/18 L2TP: O ICRP to anonymous 3545/43765
Jul 2 16:00:33.099 THATS: uid:25 LNP/Sn 55994/18 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse IPRC
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 14, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: call ID assigned 18
Jul 2 16:00:33.103 THATS: uid:25 LNP/Sn 55994/18 L2TP: O IPRC, flg TLS, len 28, LNP 3545, lsid 18, rsid 43765, worm 2, ns 1, no. 3
C8 02 00 1 C F5 00 01 00 03 80 08 00 00 AA D9 0D
00 00 00 0 B 80 08 00 00 00 0E 00 12
Jul 2 16:00:33.107 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse ICCN
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 24, len 10, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: connect speed 100000000
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: Parse AVP 19, len 10, flag 0 x 8000 (M)
Jul 2 16:00:33.259 THATS: uid:25 LNP/Sn 55994/18 L2TP: framing Type 3
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: no missing AVPs to ICCN
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: I ICCN, flg TLS, worm 2, len 40, LNP 55994, 18, rsid 43765 lsid, ns 3, n ° 2
contiguous Pak, size 40
C8 02 00 28 DA 00 12 00 03 00 02 80 08 00 00 BA
00 00 00 0 C 80 0 A 00 00 00 18 05 F5 E1 00 0 A 80
00 00 00 13 00 00 00 03
Jul 2 16:00:33.263 THATS: uid:25 LNP/Sn 55994/18 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, 18, rsid 43765 lsid, ns 2, nr 4
C8 02 00 00 00 00 02 00 04 D9 0D 0C
Jul 2 16:00:33.267 THATS: uid:25 LNP/Sn 55994/18 L2TP: I have anonymous LNP 3545 ICCN, cl 43765
Jul 2 16:00:33.267 THATS: uid:25 LNP/Sn 55994/18 L2TP: change of State of waiting Session - connect to wait-for-service-selection-iccn
Jul 2 16:00:33.275 THATS: uid:25 LNP/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul 2 16:00:33.275 THATS: uid:25 LNP/Sn 55994/18 L2TP: sending send 0xFFFFFFFF ACCM and receive ACCM 0xFFFFFFFF
Jul 2 16:00:33.275 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:33.275 2 Jul CEST: LNP 55994 L2TP: Parse SLI
Jul 2 16:00:33.275 it IS: LNP 55994 L2TP: Parse AVP 35, len 16, flag 0 x 8000 (M)
Jul 2 16:00:33.279 it IS: LNP 55994 L2TP: O SLI, flg TLS, worm 2, len 36, LNP 3545, ns 2 nr 4
C8 02 00 24 AA D9 00 02 00 04 80 08 00 00 0D F5
00 00 00 10 80 10 00 00 00 23 00 00 FF FF FF FF
FF FF FF FF
Jul 2 16:00:33.279 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds
Jul 2 16:00:33.283 THATS: ppp25 PPP: send a Message [dynamic Bind response]
Jul 2 16:00:33.283 THATS: ppp25 PPP: via vpn, set the direction of the call
Jul 2 16:00:33.283 THATS: ppp25 PPP: treatment of connection as a callin
Jul 2 16:00:33.283 THATS: ppp25 PPP: id of Session Session handle [A300003D] [25]
Jul 2 16:00:33.283 THATS: ppp25 PPP: Phase is ESTABLISHING, Passive open
Jul 2 EST 16:00:33.283: ppp25 TPIF: State is listening
Jul 2 EST 16:00:33.475: ppp25 TPIF: I CONFREQ [listen] id 1 len 24
Jul 2 EST 16:00:33.475: ppp25 TPIF: MRU 1400 (0 x 01040578)
Jul 2 EST 16:00:33.479: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.479: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.479: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.479: ppp25 TPIF: RAC (0 x 0802)
Jul 2 16:00:33.479 THATS: ppp25 PPP: required authorization
Jul 2 EST 16:00:33.479: ppp25 TPIF: O CONFREQ [listen] id 1 len 25
Jul 2 EST 16:00:33.483: ppp25 TPIF: ACCM 0x000A0000 (0x0206000A0000)
Jul 2 EST 16:00:33.483: ppp25 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
Jul 2 EST 16:00:33.483: ppp25 TPIF: MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul 2 EST 16:00:33.483: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.483: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.483: ppp25 TPIF: O CONFNAK [listen] id 1 len 8
Jul 2 EST 16:00:33.487: ppp25 TPIF: MRU 1500 (0x010405DC)
Jul 2 EST 16:00:33.635: ppp25 TPIF: I CONFACK [REQsent] id 1 len 25
Jul 2 EST 16:00:33.635: ppp25 TPIF: ACCM 0x000A0000 (0x0206000A0000)
Jul 2 EST 16:00:33.639: ppp25 TPIF: AuthProto MS-CHAP-V2 (0x0305C22381)
Jul 2 EST 16:00:33.639: ppp25 TPIF: MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul 2 EST 16:00:33.639: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.639: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.647: ppp25 TPIF: I CONFREQ [ACKrcvd] id 2 len 20
Jul 2 EST 16:00:33.647: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.647: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.647: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.647: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.651: ppp25 TPIF: O CONFACK [ACKrcvd] id 2 len 20
Jul 2 EST 16:00:33.651: ppp25 TPIF: ACCM 0x00000000 (0 x 020600000000)
Jul 2 EST 16:00:33.651: ppp25 TPIF: MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul 2 EST 16:00:33.651: ppp25 TPIF: PFC (0 x 0702)
Jul 2 EST 16:00:33.651: ppp25 TPIF: RAC (0 x 0802)
Jul 2 EST 16:00:33.651: ppp25 TPIF: State is open
Jul 2 16:00:33.655 THATS: uid:25 LNP/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul 2 16:00:33.655 THATS: uid:25 LNP/Sn 55994/18 L2TP: sending sending ACCM 0x00000000 and receive ACCM 0x000A0000
Jul 2 16:00:33.655 THATS: ppp25 PPP: Phase is AUTHENTICATING,
Jul 2 16:00:33.659 THATS: ppp25 MS-CHAP-V2: O CHALLENGE id 1 len 24 'IOS '.
Jul 2 16:00:33.847 THATS: ppp25 MS-CHAP-V2: I ANSWER id 1 len 59 of 'user '.
Jul 2 16:00:33.847 THATS: ppp25 PPP: Phase TRANSFER, tempting with impatience
Jul 2 16:00:33.851 THATS: ppp25 PPP: Phase is AUTHENTICATING, unauthenticated user
Jul 2 16:00:33.851 THATS: ppp25 PPP: request sent MSCHAP_V2 LOGIN
Jul 2 16:00:33.891 THATS: ppp25 PPP: received LOGIN response PASS
Jul 2 16:00:33.891 THATS: ppp25 PPP: Phase TRANSFER, tempting with impatience
Jul 2 16:00:33.891 THATS: ppp25 PPP: send a Message [Local connection]
Jul 2 16:00:33.899 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: virtual interface created for the unknown, bandwidth 100000 Kbps
Jul 2 16:00:33.899 THATS: ppp25 PPP: link [Virtual - Access3.1]
2 Jul EST 16:00:33.903: Vi3.1 PPP: Send Message [static response Bind]
Jul 2 16:00:33.903 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: change of State of Session waiting-for-service-selection-iccn Workbench
Jul 2 16:00:33.903 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: VPDN session upwards
Jul 2 16:00:33.907 THATS: Vi3.1 PPP: Phase is AUTHENTICATING, authenticated user
2 Jul EST 16:00:33.911: Vi3.1 PPP: LCP AUTHOR asked
2 Jul EST 16:00:33.911: Vi3.1 PPP: sent CPIW AUTHOR request
2 Jul EST 16:00:33.911: Vi3.1 TPIF: received AAA AUTHOR response PASS
2 Jul EST 16:00:33.915: Vi3.1 IPCP: received AAA AUTHOR response PASS
Jul 2 16:00:33.915 THATS: Vi3.1 MS-CHAP-V2: SUCCESS O id 1 len 46 msg is "S = D216E8EA91BF8126B5CF3D0CAA7AFF2B580216AA".
Jul 2 16:00:33.919 THATS: Vi3.1 PPP: Phase is in PLACE
Jul 2 16:00:33.919 THATS: Vi3.1 CPIW: O CONFREQ [Closed] id 1 len 10
2 Jul EST 16:00:33.919: Vi3.1 CPIW: address 192.168.0.254 (0x0306AC1000FE)
Jul 2 16:00:33.919 THATS: Vi3.1 PPP: process pending ncp packets
Jul 2 16:00:34.067 THATS: Vi3.1 CCP: I CONFREQ [not negotiated] id 1 len 15
2 Jul EST 16:00:34.067: Vi3.1 CCP: deflate 0 x 7800 (0x1A047800)
2 Jul EST 16:00:34.067: Vi3.1 CCP: MVRMA 0 x 7800 (0 x 18047800)
2 Jul EST 16:00:34.067: Vi3.1 CCP: BSDLZW 47 (0x15032F)
Jul 2 EST 16:00:34.071: Vi3.1 TPIF: Protocol of 21 O PROTREJ [open] id len 2 CCP
2 Jul EST 16:00:34.071: Vi3.1 TPIF: (0x80FD0101000F1A047800180478001503)
2 Jul EST 16:00:34.071: Vi3.1 TPIF: (0x2F)
Jul 2 16:00:34.071 THATS: Vi3.1 CPIW: I CONFREQ [REQsent] id 1 len 28
Jul 2 16:00:34.071 THATS: Vi3.1 CPIW: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
2 Jul EST 16:00:34.075: Vi3.1 CPIW: address 0.0.0.0 (0 x 030600000000)
2 Jul EST 16:00:34.075: Vi3.1 IPCP: PrimaryDNS 0.0.0.0 (0 x 810600000000)
2 Jul EST 16:00:34.075: Vi3.1 CPIW: SecondaryDNS 0.0.0.0 (0 x 830600000000)
2 Jul EST 16:00:34.075: Vi3.1 AAA/AUTHOR/CPIW: start. We want his address 0.0.0.0 0.0.0.0
2 Jul EST 16:00:34.075: Vi3.1 AAA/AUTHOR/CPIW: fact. We want his address 0.0.0.0 0.0.0.0
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: pool returned 172.17.0.1
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: O CONFREJ [REQsent] id 1 len 10
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
Jul 2 16:00:34.079 THATS: Vi3.1 CPIW: I CONFACK [REQsent] id 1 len 10
2 Jul EST 16:00:34.079: Vi3.1 CPIW: address 172.16.0.254 (0x0306AC1000FE)
Jul 2 16:00:34.283 THATS: Vi3.1 CPIW: I CONFREQ [ACKrcvd] id 2 len 22
2 Jul EST 16:00:34.283: Vi3.1 CPIW: address 0.0.0.0 (0 x 030600000000)
2 Jul EST 16:00:34.287: Vi3.1 IPCP: PrimaryDNS 0.0.0.0 (0 x 810600000000)
2 Jul EST 16:00:34.287: Vi3.1 CPIW: SecondaryDNS 0.0.0.0 (0 x 830600000000)
Jul 2 16:00:34.287 THATS: Vi3.1 CPIW: O CONFNAK [ACKrcvd] id 2 len 22
2 Jul EST 16:00:34.287: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.287: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.287: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.291 it IS: LNP 55994 L2TP: 3 added to resendQ, updated nr 4 and sent through peer review
Jul 2 16:00:34.295 it IS: LNP 55994 L2TP: O SLI, flg TLS, worm 2, len 36, LNP 3545, ns 3 nr 4
C8 02 00 24 0D AA 00 03 00 04 80 08 00 00 F5 D9
00 00 00 10 80 10 00 00 00 23 00 00 00 00 00 00
0 A 00 00 00
Jul 2 16:00:34.447 THATS: Vi3.1 CPIW: I CONFREQ [ACKrcvd] id 3 len 22
2 Jul EST 16:00:34.447: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.447: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.451: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.451 THATS: Vi3.1 CPIW: O CONFACK [ACKrcvd] id 3 len 22
2 Jul EST 16:00:34.451: Vi3.1 CPIW: address of 172.17.0.1 (0x0306AC110001)
2 Jul EST 16:00:34.451: Vi3.1 IPCP: PrimaryDNS 1.1.1.1 (0x8106D918C242)
2 Jul EST 16:00:34.451: Vi3.1 CPIW: SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul 2 16:00:34.451 THATS: Vi3.1 CPIW: State is open
Jul 2 16:00:34.459 THATS: Vi3.1 CPIW: install road to 172.17.0.1
Jul 2 16:00:35.303 it IS: LNP 55994 L2TP: setting channel delay retransmission positioned in 1 seconds

IOS #ping 172.17.0.1

Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 172.17.0.1, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 156/160/172 ms
IOS #.

Jul 2 EST 16:00:45.547: Vi3.1 TPIF: I TERMREQ [open] id 3 len 16 (0 x 557365722072657175657374)
Jul 2 EST 16:00:45.547: Vi3.1 TPIF: O TERMACK [open] id 3 len 4
Jul 2 16:00:45.547 THATS: Vi3.1 PPP: sending Acct event [low] id [F0D]
Jul 2 16:00:45.547 THATS: Vi3.1 PPP: Phase ENDS
Jul 2 16:00:45.955 it IS: LNP 55994 L2TP: AVP Parse 0, len 8, flag 0 x 8000 (M)
16:00:45.955 2 Jul CEST: LNP 55994 L2TP: Parse StopCCN
Jul 2 16:00:45.955 it IS: LNP 55994 L2TP: Parse AVP 9, len 8, flag 0 x 8000 (M)
16:00:45.959 2 Jul CEST: LNP 55994 L2TP: Tunnel ID 3545 assigned
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: Parse AVP 1, len 8, flag 0 x 8000 (M)
Jul 2 16:00:45.959 it IS: L2X: lead (6): 6: applicant is either stopped
Jul 2 16:00:45.959 it IS: code (0) error: no error
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: no missing AVPs in StopCCN
Jul 2 16:00:45.959 it IS: LNP 55994 L2TP: I StopCCN, flg TLS, worm 2, len 36, LNP 55994 ns 4, no. 4
contiguous Pak, size 36
C8 02 00 24 DA 00 00 00 04 00 04 80 08 00 00 BA
00 00 00 04 80 08 00 00 00 09 0D 80 08 00 00 D9
00 01 00 06
Jul 2 16:00:45.963 it IS: LNP 55994 L2TP: O ZPL ctrl ack, flg TLS, worm 2, len 12, LNP 3545, ns 4, no. 5
C8 02 00 00 00 00 04 00 05 D9 0D 0C
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: I LNP StopCCN anonymous 3545
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: changing the status of the Tunnel created for withdrawal
Jul 2 16:00:45.967 it IS: LNP 55994 L2TP: tunnel of Shutdown
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: disconnect (L2X) IETF: 9/Ascend nas-error: 65/VPDN Tunnel down / installation fails
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: destruction of session
Jul 2 16:00:45.967 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: change of State of Session bench in slow motion
Jul 2 16:00:45.971 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: judgment of accounting sent
Jul 2 16:00:45.971 THATS: Vi3.1 LNP/Sn 55994/18 L2TP: session without commitment of the IDB
Jul 2 16:00:45.971 THATS: Vi3.1 VPDN: interface reset
Jul 2 16:00:45.975 THATS: Vi3.1 PPP: block vaccess to be released [0 x 19]
Jul 2 16:00:45.975 it IS: LNP 55994 L2TP: Tunnel State closing down all by destroying the session
Jul 2 16:00:45.975 it IS: LNP 55994 L2TP: changing the State of closing down to the idle-Tunnel
Jul 2 16:00:46.179 THATS: Vi3.1 PPP: link broken down notification
Jul 2 EST 16:00:46.179: Vi3.1 TPIF: State is closed
Jul 2 16:00:46.179 THATS: Vi3.1 PPP: Phase is BROKEN
Jul 2 16:00:46.179 THATS: Vi3.1 CPIW: State is closed
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by 0 x [1] always locked by 0 x [18]
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by [0x10] always locked by [0 x 8]
2 Jul EST 16:00:46.183: Vi3.1 PPP: Send Message [logout]
2 Jul EST 16:00:46.183: Vi3.1 PPP: unlocked by [0x8] always locked by 0 x [0]
Jul 2 16:00:46.183 THATS: Vi3.1 PPP: free previously blocked vaccess
Jul 2 16:00:46.187 THATS: Vi3.1 CPIW: Remove the road to 172.17.0.1

Harold,

I need of debugs more to be sure, but it seems that the quick mode ipsec fails (phase 2). Try changing your transformation set to use "transport mode", because I believe that required for l2tp/ipsec.

If it does not, it should be him debugs full for "debug crypto isakmp" and "debug crypto ipsec".

-Jason

Chrombook L2TP/IPSec for ASA 5510

Hello

I have trouble getting a chromebook to establish a remote access connection VPN using L2TP/IPsec for a Cisco ASA 5510 12 7.2 (5) running.

Run a debug crypto isakmp 5 I see the following logs (ip changed...)

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA proposal # 1, turn # 1 entry overall IKE acceptable matches # 4

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, previously allocated memory of liberation for permission-dn-attributes

06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

06 jan 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, timer to generate a new key to start P1: 8100 seconds.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID remote Proxy Host: address 3.3.3.3, 17 of the Protocol, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, data received in payload ID local Proxy Host: address 2.2.2.2, 17 of the Protocol, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, detected L2TP/IPSec session.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed its not found old addr

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto, check card = outside_map, seq = 1...

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, static checking Card Crypto Card = outside_map, seq = 1, ACL does not proxy IDs src:1.1.1.1 dst: 2.2.2.2

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, only Tunnel UDP-encapsulated and UDP-encapsulated-Transport mode NAT-Traversal-defined selection

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, remote peer IKE configured crypto card: outside_dyn_map0

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, ITS processing IPSec payload

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, proposals of any IPSec security association has deemed unacceptable.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, error QM WSF (P2 struct & 0x3d48800, mess id 0xce12c3dc).

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, history of mistake IKE responder QM WSF (struct & 0x3d48800) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, removing counterpart table correlator failed, no match!

1.1.1.1 = address remote chromebook NAT

2.2.2.2 = ASA 5510 acting as distance termintaion access point

3.3.3.3 = Chromebook private address

I noticed that the Chromebook is appearing as the ID of the remote proxy but later, he seeks the applied to the Chromebook NAT address. Not sure if this is the cause or how to solve this problem, if it is.

Can someone advise please

Thank you

Ryan

7.2 is old code. You can re - test with 9.0.x or 9.1.x.

https://support.Google.com/Chromebook/answer/1282338?hl=en

Microsoft l2tp IPSec VPN site to site ASA on top

I have a specialized applications casino that requires end-to-end encryption. I'm under the stack of Microsoft IPSec l2tp between my XP machine and my Windows 2003 server on the LAN. Can I use the same type of protocol stack Microsoft l2tp IPSec between my XP machine and the Windows Server 2003 a branch on the SAA to site to site ASA VPN tunnel? The VPN site-to site ASA is a type of key Preshare IPSec VPN tunnelle traffic between our head office and a branch in distance.

In other words, the ASA site-to-site IPSec VPN will allow Microsoft l2tp through IPSec encrypted traffic? My ACL tunnel would allow full IP access between site. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

IP TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0 allow Access-list extended nat_zero

Hello

Yes, the L2TP can be encapsulated in IPSEC as all other traffic.

However, make sure that no NAT is performed on each end. L2TP is a default header protection which will see NAT as a falsification of package and reject it.

See you soon,.

Daniel

L2TP/IPSec and VRRP on Cisco VPN3000

Hello. I don't know if this is the right forum, please excuse me if this is not (of course a pointer to the right we'd appreciate it :)

I'm experimenting with the implementation of VPN 3000 Concentrator series VRRP, and it seems that when the unit of "backup" takes over, no L2TP/IPsec tunnel can be established more.

When the switch takes place, the backup device takes over VRRP group IP addresses, which are the IP address of the master own as well on VPN 3000. Thus, the backup unit manages two different IP addresses, its own ad group.

Well, what I observed using a sniffer is that while the IKE/IPSec packets come well to the group address, L2TP packets are by IP address of the backup device physical and clear instead of be encapsulated in IPSec travel packages. The client computer (PC Windows 2000) clearly ignores the L2TP packets and no L2TP/Ipsec tunnel can be established. PPTP tunnels work, however.

The foregoing does not occur when the VPN 3000 master works, like the VRRP group addresses are the same as its own interface addresses.

Now, VPN 3000 documentation or TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they do not mention compatibility as well (although they do mention the VRRP Protocol PPTP compatibility).

Did someone better informed than me? Is there a technical reason for the incompatibility between L2TP with VRRP, or it's a bug any?

Thank you

Roberto Patriarca

This has proved quite recently and a high severity bug has been open about it and is currently under review.

See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for more details.

Nice work well in the survey.

L2TP/ipsec passthrough firewall of cisco router

Hello! I have the following problem.

External network users wish to connect internal Windows to network and share resources 2012 (start the software, files, etc)

So it's time to deploy a vpn server and as I did not have a free license to run on my windows 2012, I decided to use my qnap for it (because it has this built-in feature) so I chose l2tp/ipsec and tested on the laboratory at home with simple tplink router with upnp function and it worked like a charm.

However, in the real production environment, I need to use the cisco router, and this is how the story begins ;)

Thus, clients with their machines say (7, 8.1, 10) must pass router cisco (with nat) firewall and access a vpn server and the internal network on qnap.

I googled for sample configuration, but most of them related to the configuration of the router as a vpn server, and I want to achieve is to make my pass router vpn traffic. Once I found the same sample of pptp config, I have modified it a bit, but do not know if it works because I have not yet tested.

In any case, could you check my config and see if it's ok? I'm doing a static nat for vpn 192.168.5.253 server to external address?

Also, here is a short pattern

vpn client VPN server (win 7,8,10)---routeur cisco 1921 - qnap)

xxx.194 cloud 5,254 5.253 (internal network)

test #show runn
Building configuration...

Current configuration: 3611 bytes
!
! Last modified at 19:31:01 UTC Wednesday, may 4, 2016 configuration by
!
version 15.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
enable secret $5
!
No aaa new-model
!
!
!
!
!
!
!
!
!
!
!
DHCP excluded-address IP 192.168.5.200 192.168.5.254
DHCP excluded-address IP 192.168.5.1 192.168.5.189
!
pool dhcp IP network
network 192.168.5.0 255.255.255.0
router by default - 192.168.5.254
network domain name
xxx.x.xxx.244 DNS server
!
!
!
IP domain name temp
IP cef
No ipv6 cef
!
Authenticated MultiLink bundle-name Panel
!
CTS verbose logging
!
!
license udi pid CISCO1921/K9 sn xxxxxx
licence start-up module c1900 technology-package securityk9
!
!
username secret abc 5
username privilege 15 7 cisco password
!
redundancy
!
!
!
!
!
property intellectual ssh version 2
!
type of class-card inspect entire game cm_helpdek_protocols
http protocol game
https protocol game
ssh protocol game
type of class-card inspect entire game cm_gre_protocols
Access-group name WILL
type of class-card inspect entire game cm_icmp
group-access icmp name game
type of class-card inspect the correspondence cm_helpdesk
match the name of group-access helpdesk
type of class-card inspect entire game inside_to_outside
h323 Protocol game
match Protocol pptp
ftp protocol game
tcp protocol match
udp Protocol game
match icmp Protocol
!
type of policy-card inspect pm_outside_to_inside
class type inspect cm_gre_protocols
Pass
class type inspect cm_icmp
inspect
class type inspect cm_helpdesk
inspect
class class by default
Drop newspaper
type of policy-card inspect pm_inside_to_outside
class type inspect inside_to_outside
inspect
class type inspect cm_gre_protocols
Pass
class class by default
Drop newspaper
!
area inside security
Description inside the zone of confidence
security of the outside area
Outside the untrusted area description
source of zonep_insiede_to_outside security pair area inside the destination outside
type of service-strategy inspect pm_inside_to_outside
source of zonep_outside_to_inside security zone-pair outside the destination inside
type of service-strategy inspect pm_outside_to_inside
!
!
!
!
!
!
!
!
!
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
Description 'LAN '.
IP 192.168.5.254 255.255.255.0
IP nat inside
IP virtual-reassembly in
security of the inside members area
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
Description "WAN CID: xxxxx".
IP address xxx.xxx.xxx.194 255.255.255.252
NAT outside IP
IP virtual-reassembly in
security of the outside Member area
automatic duplex
automatic speed
!
IP forward-Protocol ND
!
IP http server
local IP http authentication
no ip http secure server
!
IP nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
IP nat inside source list 1 pool overload the network
IP route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
GRE extended IP access list
Note ACL to allow ACCORD of PPTP OUTBOUND
allow a gre
permit any any eq udp 1701
allow udp any any eq isakmp
permit any any eq non500-isakmp udp
helpdesk extended IP access list
IP enable any host 192.168.5.253
icmp extended IP access list
allow icmp any host 192.168.5.253
!
!
!
access-list 1 permit 192.168.5.0 0.0.0.255
!
control plan
!
!
!
Line con 0
local connection
line to 0
line 2
no activation-character
No exec
preferred no transport
transport output pad telnet, rlogin xxxxx
StopBits 1
line vty 0 4
local connection
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
end

Kind regards

Andrew

Once the client has been connected to the VPN, you want traffic back to flow to the client. Which can be easily received with "inspect".

And from the point of view of the firewall, you do not have ESP-traffic (which would be the IP/50). You have only UDP traffic (initially UDP/500 which goes into UDP/4500)

And you are right with your last ACE. That of a lot to permissive and not necessary for this function.

Problem setting up vpn l2tp/ipsec

I tried to configure an ASA5505 with a l2tp/ipsec vpn which I can connect to with Windows Vista vpn client. I had connection problems. When I try to connect, watch windows vpn client tell an error message "error 789: the L2TP connection attempt failed because the security layer detected a processing error during initial negotiations with the remote computer." The newspaper on the SAA is errors saying "Phase 1 failure: incompatibility of the types of attributes of class Group Description: RRs would be: unknown Cfg was: Group 2.

It seems that the ASA does not like windows vpn client IKE proposal but I do not know if I interpret correctly this error message.

I was wondering if anyone has seen this problem or have had success with this type of installation. I have the setup of device OK so that I can connect with the Cisco VPN client, but get l2tp/ipsec Setup to work with the windows vpn client turns out to be problematic.

Can you post the Config of your ASA. Did you check the following link:

http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00807213a7.shtml

Windows Error VPNC3005 "unauthorized tunneling protocol" L2TP/IPSec

Similar Questions

Maybe you are looking for