I have a Cisco c881-k9 on a test network. I'm trying to configure it to accept VPN L2TP client requests. I have basically followed this Cisco reference: https://community.cisco.com/t5/security-documents/l2tp-over-ipsec-on-cisco-ios-router-using-windows-8/ta-p/3142831. I'm a real novice at this.
On the same test network as this C881 router I have an older Windows 2003 server on which I have configured my L2TP client.
[Image: VPN CLIENT Config Windows 2003 server]
When I try to access with this client I get an error.
[Image: Error on server when trying to connect]
Can anyone help me debug this situation? As mentioned above, I'm a real novice. Below I have attached in-line a sanitized version of my running config and a screen copy from the router of the debug output captured when I'm trying to connect. I could not figure out how to attach these as txt files. Thanks...RDK
======Running Config
Office#show run
Building configuration...
Current configuration : 2990 bytes
!
! Last configuration change at 05:34:38 UTC Mon Oct 29 2018 by xxxxxx
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Office
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$i8Ps$nMJJRG3821of8TROHoB48.
enable password 7 106306161612211F0314
!
aaa new-model
!
aaa authentication ppp VPDN_AUTH local
!
aaa session-id common
!
ip dhcp excluded-address 10.0.2.2 10.0.2.200
!
ip dhcp pool VLan2Pool
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 8.8.4.4
!
ip domain name me.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
license udi pid C881-K9 sn FGLxxxxxxxx
!
username VPNTest privilege 15 password 0 cisco
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface Loopback1
description loopback for IPsec-pool
ip address 192.168.151.11 255.255.255.255
!
interface FastEthernet0
switchport access vlan 2
no ip address
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
ip address 10.0.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map outside_map
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
description VI LAN
ip address 10.0.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool l2tp-pool 192.168.151.1 192.168.151.10
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.0.1.1
!
ip access-list extended NAT
deny ip 10.0.2.0 0.0.0.255 192.168.151.0 0.0.0.255
permit ip 10.0.2.0 0.0.0.255 any
!
snmp-server community public RO
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 1062080B041A1B0E
transport input all
!
scheduler allocate 20000 1000
!
end
=======Cisco Router Debug Output
*Oct 31 05:01:18.966: ISAKMP (0): received packet from 10.0.1.101 dport 500 sport 500 Global (N) NEW SA
*Oct 31 05:01:18.966: ISAKMP: Created a peer struct for 10.0.1.101, peer port 500
*Oct 31 05:01:18.966: ISAKMP: New peer created peer = 0x128677F8 peer_handle = 0x80000007
*Oct 31 05:01:18.966: ISAKMP: Locking peer struct 0x128677F8, refcount 1 for crypto_isakmp_process_block
*Oct 31 05:01:18.966: ISAKMP: local port 500, remote port 500
*Oct 31 05:01:18.966: ISAKMP:(0):insert sa successfully sa = 10BF05B4
*Oct 31 05:01:18.966: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 31 05:01:18.966: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 31 05:01:18.966: ISAKMP:(0): processing SA payload. message ID = 0
*Oct 31 05:01:18.966: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.966: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 31 05:01:18.966: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 31 05:01:18.966: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.966: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 31 05:01:18.966: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.966: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 31 05:01:18.966: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 31 05:01:18.966: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.966: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 31 05:01:18.966: ISAKMP:(0):found peer pre-shared key matching 10.0.1.101
*Oct 31 05:01:18.966: ISAKMP:(0): local preshared key found
*Oct 31 05:01:18.966: ISAKMP : Scanning profiles for xauth ...
*Oct 31 05:01:18.966: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Oct 31 05:01:18.966: ISAKMP: encryption 3DES-CBC
*Oct 31 05:01:18.966: ISAKMP: hash SHA
*Oct 31 05:01:18.966: ISAKMP: default group 14
*Oct 31 05:01:18.966: ISAKMP: auth pre-share
*Oct 31 05:01:18.966: ISAKMP: life type in seconds
*Oct 31 05:01:18.966: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 31 05:01:18.966: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 31 05:01:18.966: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Oct 31 05:01:18.970: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Oct 31 05:01:18.970: ISAKMP: encryption 3DES-CBC
*Oct 31 05:01:18.970: ISAKMP: hash SHA
*Oct 31 05:01:18.970: ISAKMP: default group 2
*Oct 31 05:01:18.970: ISAKMP: auth pre-share
*Oct 31 05:01:18.970: ISAKMP: life type in seconds
*Oct 31 05:01:18.970: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
*Oct 31 05:01:18.970: ISAKMP:(0):atts are acceptable. Next payload is 3
*Oct 31 05:01:18.970: ISAKMP:(0):Acceptable atts:actual life: 86400
*Oct 31 05:01:18.970: ISAKMP:(0):Acceptable atts:life: 0
*Oct 31 05:01:18.970: ISAKMP:(0):Fill atts in sa vpi_length:4
*Oct 31 05:01:18.970: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
*Oct 31 05:01:18.970: ISAKMP:(0):Returning Actual lifetime: 28800
*Oct 31 05:01:18.970: ISAKMP:(0)::Started lifetime timer: 28800.
*Oct 31 05:01:18.970: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.970: ISAKMP:(0): processing IKE frag vendor id payload
*Oct 31 05:01:18.970: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Oct 31 05:01:18.970: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 31 05:01:18.970: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Oct 31 05:01:18.970: ISAKMP:(0): vendor ID is NAT-T v2
*Oct 31 05:01:18.970: ISAKMP:(0): processing vendor id payload
*Oct 31 05:01:18.970: ISAKMP:(0): vendor ID seems Unity/DPD but major 184 mismatch
*Oct 31 05:01:18.970: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 31 05:01:18.970: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Oct 31 05:01:18.970: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 31 05:01:18.970: ISAKMP:(0): sending packet to 10.0.1.101 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Oct 31 05:01:18.970: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 31 05:01:18.970: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 31 05:01:18.970: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Oct 31 05:01:18.978: ISAKMP (0): received packet from 10.0.1.101 dport 500 sport 500 Global (R) MM_SA_SETUP
*Oct 31 05:01:18.978: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 31 05:01:18.978: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Oct 31 05:01:18.978: ISAKMP:(0): processing KE payload. message ID = 0
*Oct 31 05:01:18.994: ISAKMP:(0): processing NONCE payload. message ID = 0
*Oct 31 05:01:18.994: ISAKMP:(0):found peer pre-shared key matching 10.0.1.101
*Oct 31 05:01:18.994: ISAKMP:received payload type 20
*Oct 31 05:01:18.994: ISAKMP (2006): His hash no match - this node outside NAT
*Oct 31 05:01:18.994: ISAKMP:received payload type 20
*Oct 31 05:01:18.994: ISAKMP (2006): No NAT Found for self or peer
*Oct 31 05:01:18.994: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 31 05:01:18.994: ISAKMP:(2006):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Oct 31 05:01:18.994: ISAKMP:(2006): sending packet to 10.0.1.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 31 05:01:18.994: ISAKMP:(2006):Sending an IKE IPv4 Packet.
*Oct 31 05:01:18.998: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 31 05:01:18.998: ISAKMP:(2006):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Oct 31 05:01:19.002: ISAKMP (2006): received packet from 10.0.1.101 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Oct 31 05:01:19.002: ISAKMP:(2006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 31 05:01:19.002: ISAKMP:(2006):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Oct 31 05:01:19.002: ISAKMP:(2006): processing ID payload. message ID = 0
*Oct 31 05:01:19.002: ISAKMP (2006): ID payload
next-payload : 8
type : 1
address : 10.0.1.101
protocol : 0
port : 0
length : 12
*Oct 31 05:01:19.002: ISAKMP:(0):: peer matches *none* of the profiles
*Oct 31 05:01:19.002: ISAKMP:(2006): processing HASH payload. message ID = 0
*Oct 31 05:01:19.002: ISAKMP:(2006):SA authentication status:
authenticated
*Oct 31 05:01:19.002: ISAKMP:(2006):SA has been authenticated with 10.0.1.101
*Oct 31 05:01:19.002: ISAKMP: Trying to insert a peer 10.0.1.2/10.0.1.101/500/, and inserted successfully 128677F8.
*Oct 31 05:01:19.002: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 31 05:01:19.002: ISAKMP:(2006):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Oct 31 05:01:19.002: ISAKMP:(2006):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 31 05:01:19.002: ISAKMP (2006): ID payload
next-payload : 8
type : 1
address : 10.0.1.2
protocol : 17
port : 500
length : 12
*Oct 31 05:01:19.002: ISAKMP:(2006):Total payload length: 12
*Oct 31 05:01:19.002: ISAKMP:(2006): sending packet to 10.0.1.101 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Oct 31 05:01:19.002: ISAKMP:(2006):Sending an IKE IPv4 Packet.
*Oct 31 05:01:19.002: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 31 05:01:19.002: ISAKMP:(2006):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 31 05:01:19.002: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 31 05:01:19.002: ISAKMP:(2006):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Oct 31 05:01:19.002: ISAKMP (2006): received packet from 10.0.1.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 31 05:01:19.002: ISAKMP: set new node 1534375178 to QM_IDLE
*Oct 31 05:01:19.006: ISAKMP:(2006): processing HASH payload. message ID = 1534375178
*Oct 31 05:01:19.006: ISAKMP:(2006): processing SA payload. message ID = 1534375178
*Oct 31 05:01:19.006: ISAKMP:(2006):Checking IPSec proposal 1
*Oct 31 05:01:19.006: ISAKMP: transform 1, ESP_3DES
*Oct 31 05:01:19.006: ISAKMP: attributes in transform:
*Oct 31 05:01:19.006: ISAKMP: SA life type in seconds
*Oct 31 05:01:19.006: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 31 05:01:19.006: ISAKMP: SA life type in kilobytes
*Oct 31 05:01:19.006: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 31 05:01:19.006: ISAKMP: encaps is 2 (Transport)
*Oct 31 05:01:19.006: ISAKMP: authenticator is HMAC-MD5
*Oct 31 05:01:19.006: ISAKMP:(2006):atts are acceptable.
*Oct 31 05:01:19.006: ISAKMP:(2006):Checking IPSec proposal 1
*Oct 31 05:01:19.006: ISAKMP: transform 2, ESP_3DES
*Oct 31 05:01:19.006: ISAKMP: attributes in transform:
*Oct 31 05:01:19.006: ISAKMP: SA life type in seconds
*Oct 31 05:01:19.006: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
*Oct 31 05:01:19.006: ISAKMP: SA life type in kilobytes
*Oct 31 05:01:19.006: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
*Oct 31 05:01:19.006: ISAKMP: encaps is 2 (Transport)
*Oct 31 05:01:19.006: ISAKMP: authenticator is HMAC-SHA
*Oct 31 05:01:19.006: ISAKMP:(2006):atts are acceptable.
*Oct 31 05:01:19.006: ISAKMP:(2006): IPSec policy invalidated proposal with error 256
*Oct 31 05:01:19.006: ISAKMP:(2006): processing NONCE payload. message ID = 1534375178
*Oct 31 05:01:19.006: ISAKMP:(2006): processing ID payload. message ID = 1534375178
*Oct 31 05:01:19.006: ISAKMP:(2006): processing ID payload. message ID = 1534375178
*Oct 31 05:01:19.006: ISAKMP:(2006):QM Responder gets spi
*Oct 31 05:01:19.006: ISAKMP:(2006):Node 1534375178, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 31 05:01:19.006: ISAKMP:(2006):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*Oct 31 05:01:19.006: ISAKMP:(2006):Node 1534375178, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*Oct 31 05:01:19.006: ISAKMP:(2006):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
*Oct 31 05:01:19.006: ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 31 05:01:19.006: ISAKMP:(2006):Received IPSec Install callback... proceeding with the negotiation
*Oct 31 05:01:19.006: ISAKMP:(2006):Successfully installed IPSEC SA (SPI:0xFEA4B47B) on FastEthernet4
*Oct 31 05:01:19.010: ISAKMP:(2006): sending packet to 10.0.1.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 31 05:01:19.010: ISAKMP:(2006):Sending an IKE IPv4 Packet.
*Oct 31 05:01:19.010: ISAKMP:(2006):Node 1534375178, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Oct 31 05:01:19.010: ISAKMP:(2006):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
*Oct 31 05:01:19.010: ISAKMP (2006): received packet from 10.0.1.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 31 05:01:19.010: ISAKMP:(2006):deleting node 1534375178 error FALSE reason "QM done (await)"
*Oct 31 05:01:19.010: ISAKMP:(2006):Node 1534375178, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 31 05:01:19.010: ISAKMP:(2006):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 31 05:01:53.998: ISAKMP (2006): received packet from 10.0.1.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 31 05:01:53.998: ISAKMP: set new node 202716764 to QM_IDLE
*Oct 31 05:01:53.998: ISAKMP:(2006): processing HASH payload. message ID = 202716764
*Oct 31 05:01:53.998: ISAKMP:(2006): processing DELETE payload. message ID = 202716764
*Oct 31 05:01:53.998: ISAKMP:(2006):peer does not do paranoid keepalives.
*Oct 31 05:01:53.998: ISAKMP:(2006):Enqueued KEY_MGR_DELETE_SAS for IPSEC SA (SPI:0x2AED2A28)
*Oct 31 05:01:53.998: ISAKMP:(2006):deleting node 202716764 error FALSE reason "Informational (in) state 1"
*Oct 31 05:01:54.002: ISAKMP: Failed to find peer index node to update peer_info_list
*Oct 31 05:01:54.010: ISAKMP (2006): received packet from 10.0.1.101 dport 500 sport 500 Global (R) QM_IDLE
*Oct 31 05:01:54.010: ISAKMP: set new node 649652313 to QM_IDLE
*Oct 31 05:01:54.014: ISAKMP:(2006): processing HASH payload. message ID = 649652313
*Oct 31 05:01:54.014: ISAKMP:(2006): processing DELETE payload. message ID = 649652313
*Oct 31 05:01:54.014: ISAKMP:(2006):peer does not do paranoid keepalives.
*Oct 31 05:01:54.014: ISAKMP:(2006):deleting SA reason "No reason" state (R) QM_IDLE (peer 10.0.1.101)
*Oct 31 05:01:54.014: ISAKMP:(2006):deleting node 649652313 error FALSE reason "Informational (in) state 1"
*Oct 31 05:01:54.014: ISAKMP: set new node -1577125637 to QM_IDLE
*Oct 31 05:01:54.014: ISAKMP:(2006): sending packet to 10.0.1.101 my_port 500 peer_port 500 (R) QM_IDLE
*Oct 31 05:01:54.014: ISAKMP:(2006):Sending an IKE IPv4 Packet.
*Oct 31 05:01:54.014: ISAKMP:(2006):purging node -1577125637
*Oct 31 05:01:54.014: ISAKMP:(2006):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 31 05:01:54.014: ISAKMP:(2006):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Oct 31 05:01:54.014: ISAKMP:(2006):deleting SA reason "No reason" state (R) QM_IDLE (peer 10.0.1.101)
*Oct 31 05:01:54.014: ISAKMP: Unlocking peer struct 0x128677F8 for isadb_mark_sa_deleted(), count 0
*Oct 31 05:01:54.014: ISAKMP: Deleting peer node by peer_reap for 10.0.1.101: 128677F8
*Oct 31 05:01:54.014: ISAKMP:(2006):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 31 05:01:54.014: ISAKMP:(2006):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Oct 31 05:02:09.010: ISAKMP:(2006):purging node 1534375178
*Oct 31 05:02:43.998: ISAKMP:(2006):purging node 202716764
*Oct 31 05:02:44.014: ISAKMP:(2006):purging node 649652313
*Oct 31 05:02:54.014: ISAKMP:(2006):purging SA., sa=10BF05B4, delme=10BF05B4
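An added example, not part of the original post: a small Python parser that condenses ISAKMP debug output like the above into its state transitions, the proposals the router rejected, and the delay between phase 2 completing and the peer's first DELETE. The function names `parse` and `summarize` are hypothetical, the sample lines are excerpted from the debug output above, and the year 2018 is an assumption because the debug timestamps carry no year.

```python
import re
from datetime import datetime

# Lines excerpted from the debug output in the post above.
SAMPLE = """\
*Oct 31 05:01:18.966: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Oct 31 05:01:18.966: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
*Oct 31 05:01:18.970: ISAKMP:(0):atts are acceptable. Next payload is 3
*Oct 31 05:01:19.002: ISAKMP:(2006):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Oct 31 05:01:19.006: ISAKMP:(2006): IPSec policy invalidated proposal with error 256
*Oct 31 05:01:19.010: ISAKMP:(2006):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Oct 31 05:01:53.998: ISAKMP:(2006): processing DELETE payload. message ID = 202716764
*Oct 31 05:01:54.014: ISAKMP:(2006):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

LINE = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): (.*)$")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTABLE = ("does not match policy", "invalidated proposal", "not acceptable")
YEAR = "2018"  # assumption: the debug timestamps omit the year

def parse(text):
    """Yield (timestamp, message) for each timestamped debug line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # continuation lines (ID payload fields) carry no timestamp
            stamp = f"{YEAR} {m.group(1)}"
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S.%f"), m.group(2)

def summarize(text):
    """Collect state changes, rejected proposals and the delay before a peer DELETE."""
    out = {"states": [], "rejected": [], "phase2_done": None, "delete_after_s": None}
    for ts, msg in parse(text):
        s = STATE.search(msg)
        if s and s.group(1) != s.group(2):  # skip no-op transitions
            out["states"].append(s.group(2))
            if s.group(2) == "IKE_QM_PHASE2_COMPLETE":
                out["phase2_done"] = ts
        elif any(k in msg for k in NOTABLE):
            out["rejected"].append(msg)
        elif ("processing DELETE payload" in msg and out["phase2_done"]
              and out["delete_after_s"] is None):
            gap = ts - out["phase2_done"]
            out["delete_after_s"] = round(gap.total_seconds(), 3)
    return out

if __name__ == "__main__":
    r = summarize(SAMPLE)
    print(" -> ".join(r["states"]))
    print("rejected:", *r["rejected"], sep="\n  ")
    print("peer DELETE arrived", r["delete_after_s"], "s after phase 2 completed")
```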