
I am connecting a remote ASA to a central site with the following settings:

Phase 1 IKE:
Encryption: DES
Authentication: MD5
DH: DH2

Phase 2:
Encryption: DES
Authentication: MD5

I was getting the following errors: `Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping` and `Information Exchange processing failed`.

I then removed all references from my L2TP VPN policies and things started working. It seems I can't get L2TP and LAN-to-LAN VPN playing nicely at the same time.

Now the LAN-to-LAN VPN is working, but after I re-added L2TP it no longer works (whereas before, L2TP was working but LAN-to-LAN was not). I believe this has something to do with multiple IKE policies.

How can I get both LAN-to-LAN and L2TP (for Windows 7 and Mac clients) working at the same time?

Many Thanks.

My config is below:

```
names
name 192.168.40.0 othersite
!
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.30.0 255.255.255.0 othersite 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.30.192 255.255.255.192
access-list outside_1_cryptomap extended permit ip 192.168.30.0 255.255.255.0 othersite 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.30.0 255.255.255.0
access-list OUTSIDE_IN_ACL extended permit icmp any any echo-reply
ip local pool VPNLAN 192.168.30.210-192.168.30.240 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.30.0 255.255.255.0
nat (outside) 1 192.168.30.0 255.255.255.0
access-group OUTSIDE_IN_ACL in interface outside
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-3DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 95.97.2.218
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.30.3
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNLAN
 default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 45.27.21.7 type ipsec-l2l
tunnel-group 45.27.21.7 ipsec-attributes
 pre-shared-key *****
```
morleyc
  • Your crypto isakmp stuff doesn't match your ipsec stuff? – SpacemanSpiff Jul 11 '12 at 13:59
  • Yes, correct; it seems the L2TP connection wizard settings were not removed. Removed the L2TP remote access VPN settings and retrying. Thanks. – morleyc Jul 11 '12 at 14:42
  • I'm not sure it has to, but there did seem to be two proposals. Phase 1 can be stricter than phase 2, or vice versa, as long as they match. Still, something isn't matching on the first try, so I'd think you'd focus your config adjustments under isakmp first, then move up to ipsec transforms if phase 2 negotiation fails. – SpacemanSpiff Jul 11 '12 at 15:03
  • @SpacemanSpiff Actually this is something to do with multiple policies. Before, RAS VPN was working but site-to-site was not working; I deleted one of the policies and now site-to-site works but not L2TP (even after re-adding). I have edited the question to explain. – morleyc Jul 11 '12 at 18:48
  • @g18c Can you clarify specifically what config lines you're adding when you add the L2TP config? – Shane Madden Jul 12 '12 at 06:21
  • @Shane This is done via the VPN wizard, which is adding `crypto isakmp policy 30`; the other policy (10) was added by the L2L wizard (which is working OK). – morleyc Jul 13 '12 at 19:40
  • @g18c Are you sure that's the only thing that it's running? A lower priority policy should be incapable of interfering. You can turn on command previewing in ASDM to verify. – Shane Madden Jul 13 '12 at 20:52
  • Hi all, I think this was a problem with the Cisco VPN client being installed at the same time as trying to use the Windows 7 native L2TP VPN connection. After I removed it and used a transform set `esp-3des esp-sha-hmac`, it now works. Thanks for the help; how do I close this question out? – morleyc Jul 15 '12 at 20:22
  • To clarify, I removed the Cisco VPN client and then I tweaked the phase settings. Then it worked without any other major change. – morleyc Jul 15 '12 at 20:52
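As an added example (not code from the question or from Cisco), the following Python audit parses the phase-1 `crypto isakmp policy` blocks and the phase-2 transform sets referenced by each crypto map entry, so you can see side by side what the L2L entry and the dynamic (L2TP) entry actually offer, and it flags the weak algorithms (DES, 3DES, MD5, DH group 2) in the configuration above. The sample input is the crypto lines copied from that config; the weakness labels are the example's own.

```python
import re
# Constructed sample input: the crypto-relevant lines from the config in the question.
SAMPLE = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 1 set transform-set ESP-DES-MD5
crypto isakmp policy 10
 encryption des
 hash md5
 group 2
crypto isakmp policy 30
 encryption 3des
 hash sha
 group 2
"""

# Tokens a defender should flag; the labels are this example's own, not Cisco's.
WEAK = {"encryption des": "56-bit DES", "esp-des": "56-bit DES", "hash md5": "MD5 HMAC",
        "esp-md5-hmac": "MD5 HMAC", "encryption 3des": "3DES (64-bit block)",
        "esp-3des": "3DES (64-bit block)", "group 2": "DH group 2 (1024-bit MODP)"}

def parse(text):
    # Returns (isakmp policies by priority, transform sets by name, crypto map entries).
    policies, tsets, maps, current = {}, {}, {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            current = None          # any unindented line closes the open policy block
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and (m := re.match(r"\s+(encryption|hash|group) (\S+)$", line)):
            current[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+)$", line):
            tsets[m.group(1)] = [m.group(2), m.group(3)]
        elif m := re.match(r"crypto (?:dynamic-)?map (\S+) (\d+) set transform-set (.+)$", line):
            maps[(m.group(1), int(m.group(2)))] = m.group(3).split()
    return policies, tsets, maps

def audit(text):
    # Returns (where, token, reason) for every weak phase-1 or phase-2 algorithm offered.
    policies, tsets, maps = parse(text)
    findings = []
    for prio, attrs in sorted(policies.items()):            # phase 1 (ISAKMP policies)
        findings += [(f"isakmp policy {prio}", f"{k} {v}", WEAK[f"{k} {v}"])
                     for k, v in attrs.items() if f"{k} {v}" in WEAK]
    for (name, seq), names in sorted(maps.items()):        # phase 2 (crypto map entries)
        findings += [(f"{name} {seq} via {ts}", alg, WEAK[alg])
                     for ts in names for alg in tsets.get(ts, []) if alg in WEAK]
    return findings
```

Running `audit(SAMPLE)` lists the static L2L entry (`outside_map 1`) offering DES/MD5 while the dynamic entry used by L2TP offers 3DES/SHA, matching the two ISAKMP policies above.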
