Just spent a couple of hours trying to get a Mac OS X laptop connected to a Cisco IOS IPsec/L2TP server. The existing configuration worked fine for Windows and Linux clients, but the Mac just refused to establish a connection. The Cisco logs contained the usual cryptic messages:
Dec 16 16:53:47.955: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 117.53.171.241, remote= 124.171.30.131,
    local_proxy= 117.53.171.241/255.255.255.255/17/1701 (type=1),
    remote_proxy= 124.171.30.131/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
Dec 16 16:53:47.955: Crypto mapdb : proxy_match src addr : 117.53.171.241 dst addr : 124.171.30.131 protocol : 17 src port : 1701 dst port : 49561
Dec 16 16:53:47.955: map_db_find_best did not find matching map
Dec 16 16:53:47.955: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address A.B.C.D
After much googling I discovered that the problem was the "dst port : 49561" in the proxy_match line. Unlike most other L2TP clients, the Mac picks a random (ephemeral) UDP source port for the L2TP part of the connection, so from the router's side the client end of the flow is port 49561 rather than 1701. Most other clients use 1701 for both source and destination, which is exactly what the crypto ACL was written to match, so the proxy identities the Mac proposed in IKE never matched a crypto map entry and the proposal was rejected.
So relaxing this
ip access-list extended L2TP
 permit udp host 117.53.171.241 eq 1701 any eq 1701
to this
ip access-list extended L2TP
 permit udp host 117.53.171.241 eq 1701 any
solved the problem. The server side of the match is still pinned to the router's own address and UDP 1701; only the client's port is left open, so the ACL still selects just the L2TP traffic that must travel inside IPsec.
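As an added illustration (not part of the original post), the following Python models how the crypto map's "match address" ACL is evaluated against the proxy identities the peer proposes in IKE Quick Mode, using the proxy_match debug line quoted above. It parses the strict and relaxed ACEs from the post and shows the strict one failing on the Mac's ephemeral port while the relaxed one matches. The ACE parser is a deliberate simplification (only "permit udp" with host/any/wildcard addresses and optional "eq" ports, which goes slightly beyond the post by handling wildcard masks); the flow and ACE strings are copied from the post, everything else is assumed.

```python
"""Model of an IOS crypto-ACL match against IKE proxy identities.

Added example, not code from the original post. Only 'permit udp' ACEs with
host/any/wildcard addresses and optional 'eq <port>' are modelled; real IOS
ACLs (ranges, other protocols, deny entries) are far richer.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Debug line copied from the router output in the post: src = router side,
# dst = client side, protocol 17 = UDP.
PROXY_MATCH_LINE = ("Crypto mapdb : proxy_match src addr : 117.53.171.241 "
                    "dst addr : 124.171.30.131 protocol : 17 "
                    "src port : 1701 dst port : 49561")

# The two ACEs from the post: before and after the fix.
STRICT_ACE = "permit udp host 117.53.171.241 eq 1701 any eq 1701"
RELAXED_ACE = "permit udp host 117.53.171.241 eq 1701 any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def parse_proxy_match(line: str) -> Flow:
    """Extract the 5-tuple IOS tried to match from a proxy_match debug line."""
    m = re.search(r"src addr : (\S+) dst addr : (\S+) protocol : (\d+) "
                  r"src port : (\d+) dst port : (\d+)", line)
    if not m:
        raise ValueError("not a proxy_match line: %r" % line)
    return Flow(m[1], m[2], int(m[3]), int(m[4]), int(m[5]))


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard mask: a 1 bit means "don't care", i.e. the inverse of a netmask.
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((t, netmask), strict=False)


def _take_port(tokens: List[str]) -> Optional[int]:
    """Consume an optional 'eq <port>'; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None


def parse_ace(text: str) -> Ace:
    tokens = text.split()
    if tokens[:2] != ["permit", "udp"]:
        raise ValueError("only 'permit udp' ACEs are modelled: %r" % text)
    tokens = tokens[2:]
    src = _take_addr(tokens)
    sport = _take_port(tokens)
    dst = _take_addr(tokens)
    dport = _take_port(tokens)
    return Ace(src, sport, dst, dport)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    """True if the proposed flow falls inside the ACE (outbound direction)."""
    return (flow.proto == 17
            and ipaddress.ip_address(flow.src) in ace.src
            and ipaddress.ip_address(flow.dst) in ace.dst
            and (ace.sport is None or ace.sport == flow.sport)
            and (ace.dport is None or ace.dport == flow.dport))


def check(ace_text: str, line: str = PROXY_MATCH_LINE) -> bool:
    return ace_matches(parse_ace(ace_text), parse_proxy_match(line))


if __name__ == "__main__":
    for ace in (STRICT_ACE, RELAXED_ACE):
        print("%-55s -> %s" % (ace, "match" if check(ace) else "no match"))
```

Run it and the strict ACE reports "no match" for the Mac's flow because the client port is 49561, while the relaxed ACE matches; substituting "dst port : 1701" (what Windows and Linux clients send) makes the strict ACE match too, which is why only the Mac failed.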
It would now normally be the time for me to rant about how IPsec has to be one of the most badly implemented protocols by all vendors, and how getting two different implementations to talk to each other always takes a minimum of two hours even if you've done it before, but it would just be too exhausting.
Hi John,
I have been having the same problems with connecting Mac OS via L2TP/IPSec. Where does that access list need to be applied? Would you be able to paste me your full configuration?
Cheers,
Phil.
Hi Phil,
The ACL needs to be applied to the crypto map. The basic config looks something like:
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 description L2TP Clients
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP 10
 set nat demux
 set transform-set 3DES-SHA-TRANS
 match address L2TP
!
crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP
!
! The crypto ACL referenced by "match address L2TP" (from the post above):
! the router's own address and UDP 1701, any client port.
ip access-list extended L2TP
 permit udp host 117.53.171.241 eq 1701 any
!
! The crypto map must then be applied to the Internet-facing interface, e.g.:
! interface FastEthernet0/0
!  crypto map INTERNET
!
interface Virtual-Template1
 ip unnumbered Loopback0
 no peer default ip address
 ppp mtu adaptive
 ppp authentication ms-chap vpdn
 ppp authorization vpdn
 ppp accounting vpdn
The above config is probably missing the IP pool setup, since I do that via RADIUS.
Cheers,
John
Hi John,
I'm trying to set up an L2TP VPN from the Mac OS X native client to a Cisco router, so this is the same scenario as your post.
Obviously the connection isn't working and I cannot understand the reason. I activated several debugs on the router in order to see what happens, but I don't see any useful info. From the Mac OS X side, I can only see that the connection is refused, nothing more.
I don't know if it's relevant, but the Mac OS X box is behind a router that does NAT, so the network diagram is:
MAC OS X ---> NAT ROUTER ---> INTERNET CLOUD ---> CISCO ROUTER
Please can you help me?
This is my relevant config:
###################################################################
aaa new-model
!
!
aaa authentication ppp default local
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key PASSWORD
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP 10
 set nat demux
 set transform-set 3DES-SHA-TRANS
 match address L2TP
!
!
!
crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP
!
!
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address PUBLIC-IP-ADDRESS 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map INTERNET
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool remote_clients_pool
 ppp mtu adaptive
 ppp authentication chap ms-chap
!
ip local pool remote_clients_pool 192.168.100.1 192.168.100.254
no ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
ip access-list extended L2TP
 permit udp any eq 1701 any
!
####################################################################
Thank you in advance,
Kind Regards – Daniele (from Italy)
@Daniele: Is it possible that your NAT router is blocking outbound connections? Connection refused looks like something in the path is blocking the UDP packets. Try using tcpdump on the Mac OS X client to see if you can work out what’s sending the ICMP packet.
@John: thank you for the reply. I tried giving the Mac a public IP address, in order to avoid NAT-related problems, but this didn't fix the issue. Anyway, I have a doubt about my (and your) config: the crypto keyring command should be applied to a crypto isakmp profile, or am I wrong?
From Cisco Command Reference:
#############################################
Usage Guidelines
A keyring is a repository of preshared and Rivest, Shamir, and Adleman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.
Examples
The following example shows that a keyring and its usage have been defined:
crypto keyring vpnkeys
  pre-shared-key address 10.72.23.11 key vpnsecret
crypto isakmp profile vpnprofile
  keyring vpnkeys
#############################################
Regards – Daniele