Cisco 1841 L2TP LNS

secure.boy

I have a problem with L2TP LNS.
I tried different guides but no luck.
Can somebody help me?
 
Detail overload. We could probably help more if you provided your config, or really any information.
 
Code:
Router#sh runn
Building configuration...

Current configuration : 1494 bytes
!
! Last configuration change at 09:57:32 UTC Sun Nov 22 2009
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login LOCAL_DB local
!
!
!
!
!
aaa session-id common
!
!
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username test password 0 test
!
redundancy
!
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HOME
 key test
 pool CLIENT_ADDRESSES
!
!
crypto ipsec transform-set TEST_SET esp-aes esp-sha-hmac
!
crypto dynamic-map CLIENT_MAP 1
 set transform-set TEST_SET
 reverse-route
!
!
crypto map TEST_VPN client authentication list LOCAL_DB
crypto map TEST_VPN isakmp authorization list LOCAL_DB
crypto map TEST_VPN client configuration address respond
crypto map TEST_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map TEST_VPN
 !
!
interface FastEthernet0/1
 ip address 192.168.202.1 255.255.255.0
 duplex auto
 speed auto
 !
!
ip local pool CLIENT_ADDRESSES 172.30.50.10 172.30.50.20
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
!
!
!
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

Router#

Code:
*Nov 22 10:11:58.679: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 19end      1
Router#debug crypto isakmp
Crypto ISAKMP debugging is on
Router#
*Nov 22 10:12:42.039: ISAKMP (0): received packet from 192.168.2.11 dport 500 sport 4392 Global (N) NEW SA
*Nov 22 10:12:42.039: ISAKMP: Created a peer struct for 192.168.2.11, peer port 4392
*Nov 22 10:12:42.039: ISAKMP: New peer created peer = 0x65B56D70 peer_handle = 0x80000006
*Nov 22 10:12:42.039: ISAKMP: Locking peer struct 0x65B56D70, refcount 1 for crypto_isakmp_process_block
*Nov 22 10:12:42.039: ISAKMP:(0):Setting client config settings 66087E84
*Nov 22 10:12:42.039: ISAKMP:(0):(Re)Setting client xauth list  and state
*Nov 22 10:12:42.039: ISAKMP/xauth: initializing AAA request
*Nov 22 10:12:42.043: ISAKMP: local port 500, remote port 4392
*Nov 22 10:12:42.043: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 67090EF8
*Nov 22 10:12:42.043: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 22 10:12:42.043: ISAKMP:(0): processing ID payload. message ID = 0
*Nov 22 10:12:42.043: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : test
        protocol     : 17
        port         : 500
        length       : 12
*Nov 22 10:12:42.043: ISAKMP:(0):: peer matches *none* of the profiles
*Nov 22 10:12:42.043: ISAKMP:(0): processing vendor id payload
*Nov 22 10:12:42.043: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
*Nov 22 10:12:42.043: ISAKMP:(0): vendor ID is XAUTH
*Nov 22 10:12:42.043: ISAKMP:(0): processing vendor id payload
*Nov 22 10:12:42.043: ISAKMP:(0): vendor ID is DPD
*Nov 22 10:12:42.043: ISAKMP:(0): processing vendor id payload
*Nov 22 10:12:42.043: ISAKMP:(0): vendor ID is Unity
*Nov 22 10:12:42.043: ISAKMP:(0): Authentication by xauth preshared
*Nov 22 10:12:42.043: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Nov 22 10:12:42.047: ISAKMP:      encryption AES-CBC
*Nov 22 10:12:42.047: ISAKMP:      hash SHA
*Nov 22 10:12:42.047: ISAKMP:      default group 2
*Nov 22 10:12:42.047: ISAKMP:      auth XAUTHInitPreShared
*Nov 22 10:12:42.047: ISAKMP:      life type in seconds
*Nov 22 10:12:42.047: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 22 10:12:42.047: ISAKMP:      keylength of 256
*Nov 22 10:12:42.047: ISAKMP:(0):Proposed key length does not match policy
*Nov 22 10:12:42.047: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov 22 10:12:42.047: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Nov 22 10:12:42.047: ISAKMP:      encryption AES-CBC
*Nov 22 10:12:42.047: ISAKMP:      hash MD5
*Nov 22 10:12:42.047: ISAKMP:      default group 2
*Nov 22 10:12:42.047: ISAKMP:      auth XAUTHInitPreShared
*Nov 22 10:12:42.047: ISAKMP:      life type in seconds
*Nov 22 10:12:42.047: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 22 10:12:42.047: ISAKMP:      keylength of 256
*Nov 22 10:12:42.047: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 22 10:12:42.047: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov 22 10:12:42.047: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Nov 22 10:12:42.047: ISAKMP:      encryption AES-CBC
*Nov 22 10:12:42.047: ISAKMP:      hash SHA
*Nov 22 10:12:42.047: ISAKMP:      default group 2
*Nov 22 10:12:42.047: ISAKMP:      auth pre-share
*Nov 22 10:12:42.047: ISAKMP:      life type in seconds
*Nov 22 10:12:42.047: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 22 10:12:42.047: ISAKMP:      keylength of 256
*Nov 22 10:12:42.047: ISAKMP:(0):Proposed key length does not match policy
*Nov 22 10:12:42.047: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov 22 10:12:42.047: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Nov 22 10:12:42.047: ISAKMP:      encryption AES-CBC
*Nov 22 10:12:42.047: ISAKMP:      hash MD5
*Nov 22 10:12:42.047: ISAKMP:      default group 2
*Nov 22 10:12:42.047: ISAKMP:      auth pre-share
*Nov 22 10:12:42.047: ISAKMP:      life type in seconds
*Nov 22 10:12:42.047: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 22 10:12:42.047: ISAKMP:      keylength of 256
*Nov 22 10:12:42.047: ISAKMP:(0):Hash algorithm offered does not match policy!
*Nov 22 10:12:42.047: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Nov 22 10:12:42.047: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Nov 22 10:12:42.047: ISAKMP:      encryption AES-CBC
*Nov 22 10:12:42.047: ISAKMP:      hash SHA
*Nov 22 10:12:42.047: ISAKMP:      default group 2
*Nov 22 10:12:42.047: ISAKMP:      auth XAUTHInitPreShared
*Nov 22 10:12:42.047: ISAKMP:      life type in seconds
*Nov 22 10:12:42.047: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Nov 22 10:12:42.051: ISAKMP:      keylength of 128
*Nov 22 10:12:42.051: ISAKMP:(0):atts are acceptable. Next payload is 3
*Nov 22 10:12:42.051: ISAKMP:(0):Acceptable atts:actual life: 86400
*Nov 22 10:12:42.051: ISAKMP:(0):Acceptable atts:life: 0
*Nov 22 10:12:42.051: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov 22 10:12:42.051: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Nov 22 10:12:42.051: ISAKMP:(0):Returning Actual lifetime: 86400
*Nov 22 10:12:42.051: ISAKMP:(0)::Started lifetime timer: 86400.

*Nov 22 10:12:42.051: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 22 10:12:42.123: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 22 10:12:42.123: ISAKMP:(0):peer does not do paranoid keepalives.

*Nov 22 10:12:42.123: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 192.168.2.11)
*Nov 22 10:12:42.123: ISAKMP (0): Unknown Input IKE_MESG_FROM_PEER, IKE_AM_EXCH:  state = IKE_READY
*Nov 22 10:12:42.123: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Nov 22 10:12:42.123: ISAKMP:(0):Old State = IKE_READY  New State = IKE_READY

*Nov 22 10:12:42.123: ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 192.168.2.11)
*Nov 22 10:12:42.123: ISAKMP: Unlocking peer struct 0x65B56D70 for isadb_mark_sa_deleted(), count 0
*Nov 22 10:12:42.127: ISAKMP: Deleting peer node by peer_reap for 192.168.2.11: 65B56D70
*Nov 22 10:12:42.127: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Nov 22 10:12:42.127: ISAKMP:(0):Old State = IKE_READY  New State = IKE_DEST_SA

*Nov 22 10:12:47.171: ISAKMP (0): received packet from 192.168.2.11 dport 500 sport 4392 Global (R) MM_NO_STATE
*Nov 22 10:12:52.175: ISAKMP (0): received packet from 192.168.2.11 dport 500 sport 4392 Global (R) MM_NO_STATE
*Nov 22 10:12:57.171: ISAKMP (0): received packet from 192.168.2.11 dport 500 sport 4392 Global (R) MM_NO_STATE
*Nov 22 10:12:58.679: ISAKMP:(0):purging SA., sa=65B55E98, delme=65B55E98
*Nov 22 10:13:12.411: ISAKMP:(0):purging SA., sa=65C55A70, delme=65C55A70
Router#
 
Which client are you using?
This configuration would require the Cisco VPN client or similar.

Also, I'm guessing the IPs on the interfaces are not actual, or this is an internal test, or you have some sort of NAT going on.

*Nov 22 10:12:42.043: ISAKMP:(0):: peer matches *none* of the profiles

This is the key: basically you have nothing going on because it's not matching anything.

add in:

crypto isakmp key myawesomesecurekeyhere address 0.0.0.0 0.0.0.0

This will allow ANY connection to be accepted. Not the best practice, but if people are on the go and need to connect in, it's just easier.

If you're looking to make the router a PPTP VPN capable device... don't if you can help it.
It's just as easy to configure though, but not recommended.



http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

This is where you should be looking.
 
I'm using Cisco VPN Client 5.0.03.0530.
No NAT, internal use; just to connect to the management VLAN.
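
The phase 1 negotiation in the debug output posted earlier in this thread can be summarised mechanically. The following is an added example, not code from any poster here: it extracts each transform's verdict and rejection reason from `debug crypto isakmp` text and checks whether the group id in the client's ID payload is defined as a `crypto isakmp client configuration group` in the config. The function name `summarize` and the abbreviated sample inputs are assumptions made for the example.

```python
import re

# Abbreviated excerpt of the debug output and config posted in this thread
# (timestamps dropped, some attribute lines and transforms 3-4 omitted).
SAMPLE_LOG = """\
ISAKMP (0): ID payload
        group id     : test
ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      hash SHA
ISAKMP:      keylength of 256
ISAKMP:(0):Proposed key length does not match policy
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
ISAKMP:      hash MD5
ISAKMP:      keylength of 256
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
ISAKMP:      hash SHA
ISAKMP:      keylength of 128
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) AG_NO_STATE (peer 192.168.2.11)
"""
SAMPLE_CONFIG = "crypto isakmp client configuration group HOME\n key test\n"

def summarize(log, config):
    """Summarise one IKE phase 1 attempt from `debug crypto isakmp` text."""
    out = {"group_id": None, "transforms": [], "delete_reason": None}
    out["config_groups"] = re.findall(
        r"^crypto isakmp client configuration group (\S+)", config, re.M)
    cur, last_msg = None, None
    for line in log.splitlines():
        if m := re.search(r"group id\s*:\s*(\S+)", line):
            out["group_id"] = m.group(1)
        elif m := re.search(r"Checking ISAKMP transform (\d+) against", line):
            cur, last_msg = {"n": int(m.group(1)), "attrs": {}}, None
            out["transforms"].append(cur)
        elif cur and (m := re.search(
                r"ISAKMP:\s{2,}(encryption|hash|auth|keylength)(?: of)?\s+(\S+)", line)):
            cur["attrs"][m.group(1)] = m.group(2)   # e.g. hash -> SHA
        elif cur and (m := re.search(r"atts are (not )?acceptable", line)):
            cur["accepted"] = m.group(1) is None
            cur["reason"] = None if cur["accepted"] else last_msg
            cur = None
        elif m := re.search(r'deleting SA reason "([^"]+)"', line):
            out["delete_reason"] = m.group(1)
        elif cur and (m := re.search(r"ISAKMP:\(\d+\):\s*(.+)", line)):
            last_msg = m.group(1)   # the rejection reason precedes the verdict line
    out["group_defined"] = out["group_id"] in out["config_groups"]
    return out
```

On the excerpt, transform 5 is the only accepted proposal, and the offered group id `test` is not among the configured groups (`HOME`).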
 