L2tp/IPSEC remote client VPN connection fails with remote computer did not respond

  • L2tp/IPSEC remote client VPN connection fails with remote computer did not respond

    Please help, I have the following problem. When I try to connect to my private LAN I get the error that 'the remote computer did not respond'. With PPTP I connect one time.

    The following is output from my router crypto debug commands

    1d19h: ISAKMP:(0:1:HW:2):SA is doing pre-shared key authentication using id type
    ID_196.27.108.49 to 192.168.0.96 for prot 3
    1d19h: ISAKMP: received ke message (2/1)
    1d19h: IPSec: Flow_switching Allocated flow for flow_id 268435457
    1d19h: IPSec: Flow_switching Allocated flow for flow_id 268435458
    1d19h: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 192.168.0.96:500
    Id: 192.168.0.96
    1d19h: ISAKMP: Locking peer struct 0x82D01E90, IPSEC refcount 1 for for stuff_ke

    1d19h: ISAKMP:(0:1:HW:2): Creating IPSec SAs
    1d19h: inbound SA from 192.168.0.96 to 196.27.108.49 (f/i) 0/ 0
    (proxy 192.168.0.96 to 196.27.108.49)
    1d19h: has spi 0x175E8F5C and conn_id 200 and flags 4
    1d19h: lifetime of 3600 seconds
    1d19h: lifetime of 250000 kilobytes
    1d19h: has client flags 0x0
    1d19h: outbound SA from 196.27.108.49 to 192.168.0.96 (f/i) 0/0
    (proxy 196.27.108.49 to 192.168.0.96)
    1d19h: has spi -559381573 and conn_id 201 and flags C
    1d19h: lifetime of 3600 seconds
    1d19h: lifetime of 250000 kilobytes
    1d19h: has client flags 0x0
    1d19h: IPSEC(key_engine): got a queue event with 2 kei messages
    1d19h: IPSEC(initialize_sas): ,
    (key eng. msg.) INBOUND local= 196.27.108.49, remote= 192.168.0.96,
    local_proxy= 196.27.108.49/0.0.0.0/17/1701 (type=1),
    remote_proxy= 192.168.0.96/0.0.0.0/17/1701 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac (Transport),
    lifedur= 3600s and 250000kb,
    spi= 0x175E8F5C(392073052), conn_id= 268435656, keysize= 0, flags= 0x4
    1d19h: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.0.96
    1d19h: IPSEC(policy_db_add_ident): src 196.27.108.49, dest 192.168.0.96, dest_port 1701

    1d19h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 196.27.108.49, sa_prot= 50,
    sa_spi= 0x175E8F5C(392073052),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 268435656
    1d19h: IPSEC(create_sa): sa created,
    (sa) sa_dest= 192.168.0.96, sa_prot= 50,
    sa_spi= 0xDEA883BB(3735585723),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 268435657
    1d19h: ISAKMP:(0:1:HW:2): sending packet to 192.168.0.96 my_port 500 peer_port 500 (R) QM_IDLE
    1d19h: ISAKMP:(0:1:HW:2):Node 2106257097, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
    1d19h: ISAKMP:(0:1:HW:2):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2

    1d19h: ISAKMP (0:268435457): received packet from 192.168.0.96 dport 500 sport 500 Global (R) QM_IDLE
    1d19h: ISAKMP:(0:1:HW:2):deleting node 2106257097 error FALSE reason "QM done (await)"
    1d19h: ISAKMP:(0:1:HW:2):Node 2106257097, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
    1d19h: ISAKMP:(0:1:HW:2):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
    1d19h: IPSEC(key_engine): got a queue event with 1 kei messages
    1d19h: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
    1d19h: IPSEC(key_engine_enable_outbound): enable SA with spi 3735585723/50 for 192.168.0.96
    1d19h: ISAKMP: received ke message (3/1)
    1d19h: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.0.254 dst 192.168.0.96 for SPI 0x0
    1d19h: ISAKMP: received ke message (3/1)
    1d19h: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src

    Then this below is my C1701 Cisco router config

    version 12.3
    !no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    aaa new-model
    !
    !
    aaa authentication ppp use-radius group radius
    aaa authorization network default group radius
    ip dhcp excluded-address 192.168.0.1 192.168.0.20
    !
    !
    no ip domain lookup
    ip domain name afdisgl
    ip cef
    ip ids po max-events 100
    ip ssh version 2
    vpdn enable
    !
    vpdn-group 1
    description VPN Dialin
    accept-dialin
    protocol l2tp
    virtual-template 1
    l2tp security crypto-profile l2tpprof
    no l2tp tunnel authentication
    !
    vpdn-group 2

    accept-dialin
    protocol pptp
    virtual-template 1
    !
    async-bootp dns-server 192.168.0.7
    no ftp-server write-enable
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set l2tptrans esp-des esp-md5-hmac
    mode transport
    !
    !
    crypto map l2tpmap 10 ipsec-isakmp profile l2tpprof
    set transform-set l2tptrans
    !
    !
    !
    interface FastEthernet0
    ip address 196.27.96.42 255.255.255.0 secondary
    ip address 196.27.108.49 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map l2tpmap
    !
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0
    ip nat inside
    ip virtual-reassembly
    peer default ip address pool vpn
    ppp encrypt mppe auto
    ppp authentication ms-chap ms-chap-v2 callin use-radius
    !
    interface Vlan1
    description Link to Afdis LAN
    ip address 192.168.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    interface Async1
    no ip address
    !
    ip local pool vpn 192.168.0.11 192.168.0.14
    ip classless
    ip route 0.0.0.0 0.0.0.0 196.27.108.1
    ip route 192.168.1.0 255.255.255.0 192.168.0.11
    ip http server
    ip http authentication local
    no ip http secure-server
    ip nat translation timeout 30
    ip nat pool ssh 196.27.108.49 196.27.108.49 netmask 255.255.255.0
    ip nat inside source list 1 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.0.25 62070 196.27.108.49 62070 extendable
    !
    !
    !
    access-list 1 remark Permit NAT traffic from 192.168.254.0/24
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 permit ip any any
    !
    radius-server host 192.168.0.4 auth-port 1645 acct-port 1646
    radius-server key 7 xxxx

    Please help me, guys.

  • #2
    Re: L2tp/IPSEC remote client VPN connection fails with remote computer did not respon

    In addition to the problem I outlined: I am simulating a connection from the inside of my private network, hence you see my address 192.168.0.96 and 192.168.0.254 (Vlan1 on the Cisco router). FYI, I have done similar VPN L2TP/IPsec connections using ISA and RRAS and had no problems, thus my client configuration is okay. In fact I have tried all the possible authentication and encryption options.



    Somebody help!!!

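Added example (not part of the original posts): a small Python parser for the debug output above that lists the IPsec SAs the router created, normalises the signed SPI `-559381573` to the same value as `0xDEA883BB`, and flags delete-notify requests whose source address is not an endpoint of any created SA. The function names are made up for this example, and the sample is an excerpt of the posted log with wrapped lines rejoined.

```python
import re

# Excerpt of the debug output posted above (terminal line wraps rejoined).
SAMPLE = """\
1d19h: has spi 0x175E8F5C and conn_id 200 and flags 4
1d19h: has spi -559381573 and conn_id 201 and flags C
1d19h: IPSEC(create_sa): sa created,
(sa) sa_dest= 196.27.108.49, sa_prot= 50,
sa_spi= 0x175E8F5C(392073052),
1d19h: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.0.96, sa_prot= 50,
sa_spi= 0xDEA883BB(3735585723),
1d19h: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.0.254 dst 192.168.0.96 for SPI 0x0
"""

SA_RE = re.compile(r"sa_dest= ([\d.]+), sa_prot= (\d+),\s*sa_spi= 0x([0-9A-Fa-f]+)")
SPI_RE = re.compile(r"has spi (-?\d+|0x[0-9A-Fa-f]+) and conn_id (\d+)")
DEL_RE = re.compile(r"ignoring request to send delete notify \(no ISAKMP sa\) "
                    r"src ([\d.]+) dst ([\d.]+)")

def unsigned_spi(text):
    """IOS prints some SPIs as signed 32-bit decimals; normalise to unsigned."""
    return int(text, 0) & 0xFFFFFFFF

def created_sas(log):
    """Map SPI -> destination address for every 'sa created' block."""
    return {int(spi, 16): dest for dest, _prot, spi in SA_RE.findall(log)}

def conn_ids(log):
    """Map SPI -> conn_id taken from the 'has spi' lines."""
    return {unsigned_spi(spi): int(cid) for spi, cid in SPI_RE.findall(log)}

def off_sa_sources(log):
    """Delete-notify requests whose source is not an endpoint of any created SA."""
    endpoints = set(created_sas(log).values())
    return [(s, d) for s, d in DEL_RE.findall(log) if s not in endpoints]

if __name__ == "__main__":
    for spi, dest in created_sas(SAMPLE).items():
        print(f"SA spi=0x{spi:08X} dest={dest} conn_id={conn_ids(SAMPLE).get(spi)}")
    for src, dst in off_sa_sources(SAMPLE):
        print(f"delete notify requested from {src} to {dst}: {src} is not an SA endpoint")
```

On this excerpt the flagged source is 192.168.0.254, the Vlan1 address, while both SAs were created for 196.27.108.49 and 192.168.0.96.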