Mac OS X L2TP VPN to Cisco IOS

Just spent a couple of hours trying to get a Mac OS X laptop connected to a Cisco IOS IPSEC/L2TP server. The existing configuration worked fine for windows and linux servers but the Mac just refused to establish a connection. The Cisco logs contained the usual cryptic message.

Dec 16 16:53:47.955: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 117.53.171.241, remote= 124.171.30.131,.
    local_proxy= 117.53.171.241/255.255.255.255/17/1701 (type=1),.
    remote_proxy= 124.171.30.131/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Transport-UDP),.
    lifedur= 0s and 0kb,.
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
Dec 16 16:53:47.955: Crypto mapdb : proxy_match
    src addr     : 117.53.171.241
    dst addr     : 124.171.30.131
    protocol     : 17
    src port     : 1701
    dst port     : 49561
Dec 16 16:53:47.955: map_db_find_best did not find matching map
Dec 16 16:53:47.955: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address A.B.C.D

After much googling I discovered that the problem was dst port: 49561 . Unlike most other L2TP clients the Mac uses a random source port for the L2TP part of the connection. Most others use 1701 for source and destination.

So relaxing this

ip access-list extended L2TP
 permit udp host 117.53.171.241 eq 1701 any eq 1701

to this

ip access-list extended L2TP
 permit udp host 117.53.171.241 eq 1701 any

solved the problem.

It would now normally be the time for me to rant about how IPSEC has to be one of the most badly implemented protocols by all vendors and how getting two different implementations to talk to each other always takes a minimum of 2 hours even if you’ve done it before but it would just be too exhausting.

5 thoughts on “Mac OS X L2TP VPN to Cisco IOS

  1. Hi John,

    I have been having the same problems with connecting Mac OS via L2TP/IPSec. Where does that access list need to be applied? Would you be able to paste me your full configuration?

    Cheers,
    Phil.

    1. Hi Phil,

      The ACL needs to be applied to the crypto map. The basic config looks something like

      vpdn enable
      !
      vpdn-group L2TP
      ! Default L2TP VPDN group
      description L2TP Clients
      accept-dialin
      protocol l2tp
      virtual-template 1
      no l2tp tunnel authentication
      !
      crypto keyring L2TP
      pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
      !
      crypto isakmp policy 10
      encr 3des
      authentication pre-share
      group 2
      ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac.
      mode transport
      !
      crypto dynamic-map L2TP 10
      set nat demux
      set transform-set 3DES-SHA-TRANS
      match address L2TP
      !
      crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP
      !
      interface Virtual-Template1
      ip unnumbered Loopback0
      no peer default ip address
      ppp mtu adaptive
      ppp authentication ms-chap vpdn
      ppp authorization vpdn
      ppp accounting vpdn

      The above config is probably missing the IP pool setup since I do that via RADIUS

      Cheers,
      John

  2. Hi John,

    I’m trying to realize a l2tp vpn from the Mac OS X native client to a Cisco router, so this is the same scenario of your post.

    Obviously the connection isn’t working and I cannot understand the reason. I activated several debug on the router in order to see what happens, but I don’t see any useful info. From the Mac OS X side, I can only see that the connection is refused, nothing more.

    I don’t know if it’s relevant, but the Mac OS X box is behind a router that does NAT, so the network diagram is:

    MAC OS X —-> NAT ROUTER —–INTERNET CLOUD———>CISCO ROUTER

    Pls can you help me?

    This is my relevant config:

    ###################################################################
    aaa new-model
    !
    !
    aaa authentication ppp default local
    !
    crypto keyring L2TP
    pre-shared-key address 0.0.0.0 0.0.0.0 key PASSWORD
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    !
    !
    crypto ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac
    mode transport
    !
    crypto dynamic-map L2TP 10
    set nat demux
    set transform-set 3DES-SHA-TRANS
    match address L2TP
    !
    !
    !
    crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP
    !
    !
    vpdn enable
    !
    vpdn-group 1
    ! Default L2TP VPDN group
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    !
    interface Loopback0
    ip address 1.1.1.1 255.255.255.255
    !
    interface FastEthernet0/0
    ip address PUBLIC-IP-ADDRESS 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map INTERNET
    !
    interface Virtual-Template1
    ip unnumbered Loopback0
    peer default ip address pool remote_clients_pool
    ppp mtu adaptive
    ppp authentication chap ms-chap
    !
    ip local pool remote_clients_pool 192.168.100.1 192.168.100.254
    no ip classless
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
    !
    ip access-list extended L2TP
    permit udp any eq 1701 any
    !
    ####################################################################

    Thank you in advance,

    Kind Regards – Daniele (from Italy)

    1. @Daniele: Is it possible that your NAT router is blocking outbound connections? Connection refused looks like something in the path is blocking the UDP packets. Try using tcpdump on the Mac OS X client to see if you can work out what’s sending the ICMP packet.

  3. @John: thank you for the reply. I tried to give to the Mac a public ip address, in order to avoid nat-related problems, but this didn’t fix the issue. Anyway I have a doubt about my (and your) config…the command crypto keyring should be applied to a crypto isakmp profile, or am I wrong?

    From Cisco Command Reference:
    #############################################
    Usage Guidelines

    A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.

    Examples
    The following example shows that a keyring and its usage have been defined:

    crypto keyring vpnkeys
    pre-shared-key address 10.72.23.11 key vpnsecret

    crypto isakmp profile vpnprofile
    keyring vpnkeys
    #############################################

    Regards – Daniele

Leave a Reply

Your email address will not be published. Required fields are marked *