Saturday, September 29, 2007

CISCO ASA and Getting Mac/Windows L2TP To Work

Symptom:

You used the VPN Wizard in the Cisco ASA's ASDM to create an L2TP over IPsec configuration, but Mac and Windows clients cannot connect.

You look at the ASA log and it says something to the effect that there are no acceptable SAs (the Phase 2 failure is logged as "All IPSec SA proposals found unacceptable").

What Fixed:

Know that the Mac and Windows native clients connect through the DefaultRAGroup tunnel group, not through any group the wizard created for you. If you are using a pre-shared key, it must be set under DefaultRAGroup's ipsec-attributes. If the connection is not getting through Phase 1, check that first.

If Phase 1 completes, the likely problem is that your dynamic IPsec policy does not offer a TRANSPORT mode transform set. The Windows and Mac L2TP/IPsec clients negotiate IPsec transport mode (L2TP provides the tunnel), while the transform sets the ASA uses for remote access are tunnel mode by default, so the ASA rejects every proposal.

Check that a transport mode transform set (TRANS_ESP_3DES_SHA, defined with "mode transport") is listed on the dynamic crypto map, for example:

crypto dynamic-map Extranet_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA ESP-AES-256-MD5 ESP-3DES-SHA

Finally, if you are authenticating against user accounts on the ASA itself, the user's password must be stored as an NT hash, which appears in the running configuration with the nt-encrypted keyword. MS-CHAP, which the L2TP clients use for PPP authentication, needs that hash rather than the ASA's normal encrypted password. I would just telnet to the ASA and type the username command with the mschap keyword, which makes the ASA hash the password into nt-encrypted form. I am not sure whether one account can hold both the ASA's native encrypted password (for the Cisco VPN client) and the NT hash (for L2TP), so I created a second username for the purpose of logging on via L2TP.

username bozo password xyzzy mschap
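Putting the three fixes together, here is a complete ASA 7.x configuration fragment for native Windows/Mac L2TP over IPsec clients. This is an added example, not configuration from the original post; it reuses the post's DefaultRAGroup, Extranet_dyn_map and TRANS_ESP_3DES_SHA names, and the interface name "outside", the pool L2TP_POOL and its address range, the crypto map name Extranet_map and the pre-shared key value are assumed placeholders.

```cisco
! Added example (not from the original post). Names marked "assumed" are
! placeholders: interface outside, pool L2TP_POOL and its range, crypto map
! Extranet_map, and the pre-shared key value.

! 1. Phase 1: native L2TP clients land in DefaultRAGroup, so the pre-shared
!    key and the PPP authentication method belong to that tunnel group.
ip local pool L2TP_POOL 192.168.200.10-192.168.200.50 mask 255.255.255.0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key ChangeMeToAStrongSecret
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 no authentication chap
 authentication ms-chap-v2

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! 2. Phase 2: the clients negotiate IPsec transport mode. The ESP-* sets the
!    wizard creates are tunnel mode, so a transport-mode set must exist and
!    be listed on the dynamic map, or Phase 2 fails with
!    "All IPSec SA proposals found unacceptable".
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map Extranet_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA ESP-AES-256-MD5 ESP-3DES-SHA
crypto map Extranet_map 65535 ipsec-isakmp dynamic Extranet_dyn_map
crypto map Extranet_map interface outside

! 3. Local user for MS-CHAP: the mschap keyword makes the ASA store the NT
!    hash of the password; "show running-config username" then shows the
!    line with the nt-encrypted keyword.
username bozo password xyzzy mschap

! Verification after a client attempt:
!   show crypto isakmp sa      - Phase 1 SA present for the client address?
!   show crypto ipsec sa       - Phase 2 SA present, negotiated in transport mode?
!   show vpn-sessiondb summary - the L2TP session counted once PPP is up
```

The order of the transform sets on the dynamic map matters less than their presence: the ASA accepts the first proposal from the client that matches any listed set, and the client only proposes transport mode, so TRANS_ESP_3DES_SHA is the only set that can match.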

Total Time To Figure Out This Issue

Approximately 4 hours.
