Cisco ASA 5505 - L2TP over IPsec
- by xraminx
I have followed this document on the Cisco site to set up the L2TP over IPsec connection.
When I try to establish a VPN to the ASA 5505 from my Windows XP machine, after I click the "Connect" button the "Connecting ..." dialog box appears, and after a while I get this error message:
Error 800: Unable to establish VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection.
ASA version 7.2(4)
ASDM version 5.2(4)
Windows XP SP3
Windows XP and ASA 5505 are on the same LAN for test purposes.
Edit 1:
There are two VLANs defined on the Cisco device (the standard setup on the Cisco ASA 5505):
- port 0 is on VLAN2, outside;
- ports 1 to 7 are on VLAN1, inside.
I run a cable from my Linksys home router (10.50.10.1) to the Cisco ASA 5505 on port 0 (outside).
Port 0 has IP 192.168.1.1, used internally by Cisco, and I have also assigned the external IP 10.50.10.206 to port 0 (outside).
I run a cable from the Windows XP machine to the Cisco router on port 1 (inside). Port 1 is assigned an IP from the Cisco router, 192.168.1.2.
The Windows XP machine is also connected to my Linksys home router via wireless (10.50.10.141).
Edit 2: 
When I try to establish the VPN, the Cisco device's real-time log viewer shows 7 entries like this:
Severity: 5 Date: Sep 15 2009 Time: 14:51:29 SyslogID: 713904
Destination IP = 10.50.10.141,
Description: No crypto map bound to interface... dropping pkt
Edit 3:
This is the setup on the router right now.
Result of the command: "show run"
: Saved
:
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password HGFHGFGHFHGHGFHGF encrypted
passwd NMMNMNMNMNMNMN encrypted
names
name 192.168.1.200 WebServer1
name 10.50.10.206 external-ip-address
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address external-ip-address 255.0.0.0 
!
interface Vlan3
 no nameif
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service l2tp udp
 port-object eq 1701
access-list outside_access_in remark Allow incoming tcp/http
access-list outside_access_in extended permit tcp any host WebServer1 eq www 
access-list outside_access_in extended permit udp any any eq 1701 
access-list inside_nat0_outbound extended permit ip any 192.168.1.208 255.255.255.240 
access-list inside_cryptomap_1 extended permit ip interface outside interface inside 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool PPTP-VPN 192.168.1.210-192.168.1.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www WebServer1 www netmask 255.255.255.255 
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto map outside_map 1 match address inside_cryptomap_1
crypto map outside_map 1 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map interface inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.1
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username myusername password FGHFGHFHGFHGFGFHF nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool PPTP-VPN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
!
prompt hostname context 
Cryptochecksum:a9331e84064f27e6220a8667bf5076c1
: end
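As an added example (not part of the original post or of Cisco's documentation), a small audit script that parses the crypto lines of an ASA running-config and checks two things a defender would verify against the configuration and syslog 713904 shown above: that every interface with `crypto isakmp enable` also has a crypto map bound to it (and vice versa), and that the transform sets offered by each bound crypto map are `mode transport`, which L2TP/IPsec clients negotiate. The embedded config excerpt is constructed from the `show run` in the post; the function and variable names are this example's own.

```python
from __future__ import annotations
import re

# Constructed excerpt: the crypto lines from the "show run" quoted in the post.
ASA_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto map outside_map 1 match address inside_cryptomap_1
crypto map outside_map 1 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map interface inside
crypto isakmp enable outside
"""

def audit_crypto_config(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    isakmp_ifaces: set[str] = set()      # interfaces with "crypto isakmp enable"
    bound: dict[str, str] = {}           # interface -> crypto map bound to it
    map_tsets: dict[str, set[str]] = {}  # crypto map -> transform sets it offers
    transport: set[str] = set()          # transform sets configured "mode transport"
    for line in (raw.rstrip() for raw in config.splitlines()):
        if m := re.match(r"crypto isakmp enable (\S+)$", line):
            isakmp_ifaces.add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m[2]] = m[1]
        elif m := re.match(r"crypto map (\S+) \d+ set transform-set (.+)$", line):
            map_tsets.setdefault(m[1], set()).update(m[2].split())
        elif m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", line):
            transport.add(m[1])
    findings = []
    # An interface terminating IKE needs a crypto map; without one the ASA drops
    # the IPsec traffic with syslog 713904 "No crypto map bound to interface".
    for iface in sorted(isakmp_ifaces - set(bound)):
        findings.append(f"{iface}: ISAKMP enabled but no crypto map bound")
    for iface in sorted(set(bound) - isakmp_ifaces):
        findings.append(f"{iface}: crypto map {bound[iface]} bound but ISAKMP not enabled")
    # Windows L2TP/IPsec clients negotiate transport mode, so every transform set
    # a bound crypto map offers should be "mode transport".
    for cmap in bound.values():
        for ts in sorted(map_tsets.get(cmap, set()) - transport):
            findings.append(f"crypto map {cmap}: transform-set {ts} is not mode transport")
    return findings

if __name__ == "__main__":
    for finding in audit_crypto_config(ASA_CONFIG):
        print("FINDING:", finding)
```

Run against the posted excerpt it reports the inside/outside binding mismatch; run against a copy with the crypto map bound to `outside` it reports nothing.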