Well guys, I labbed this back up in GNS3 this evening, and the only way I could get this to even remotely work is if I used the default remote access tunnel group:

tunnel-group DefaultRAGroup

If I used any other arbitrary name I got the "can't find valid tunnel group" error. So my question is how did the guys get the following solution to work if it's not supported by the device?

tunnel-group pixL2TP type ipsec-ra
tunnel-group pixL2TP general-attributes
 address-pool P42
 default-group-policy pL2TP
tunnel-group pixL2TP ipsec-attributes
 pre-shared-key *

Note I said remotely work, because although the debug output got to phase 2 complete, the tunnel never established as the username and password kept constantly failing with invalid password, even though I tested this account and it was fine. I tried all the methods for ppp authentication under the tunnel-group but none would work. So once again I'm stumped. Sod's law I'll get this in the lab tho :-(

Stu

On Sun, Feb 1, 2009 at 5:06 PM, Stuart Hare <stuart.h...@googlemail.com> wrote:
> Hey Timur
>
> I too thought it was the IPsec SA so tried a combination of all with no change. I didn't try changing the pool as suggested though.
> I have successfully used the pool in this way many times but as you say not sure whether it's a problem in this scenario or not..
>
> Sent from my iPhone
>
> On 1 Feb 2009, at 16:54, Timur Snoke <tsn...@hotmail.com> wrote:
>
>> What happens if you change your transform set from md5 to sha?
>>
>> In Richard Deal's book The Complete VPN he mentions that sha is not supported in every combination but md5 is.
>> The only other difference that I saw was the ip pool for the vpn client...
>> In the pg it is
>> ip local pool P42 192.168.99.0 mask 255.255.255.0
>>
>> In yours it is
>> ip local pool VPN 192.168.99.1-192.168.99.254 mask 255.255.255.0
>>
>> Is there a right way to do the local pool on a PIX? Is one classful and the other providing the opportunity to carve out part of a classful allocation?
>>
>> Everything else looks fine.
>>
>> Timur Snoke
>>
>> ------------------------------
>> Date: Sun, 1 Feb 2009 16:20:15 +0000
>> From: stuart.h...@googlemail.com
>> To: ccie_security@onlinestudylist.com
>> Subject: [OSL | CCIE_Security] Proctor Labs EBook lab 3
>>
>>> Guys,
>>>
>>> I've completed the Proctor Labs Security Ebook lab 3 on POD 106 today, and had some issues with tunnel groups while doing L2TP with IPsec to the PIX.
>>>
>>> The question asked to allow a VPN from any source to connect to the PIX without the use of a VPN client.
>>> Whenever I tried to connect to the PIX via the XP workstation it would time out and the PIX log would display the following message.
>>>
>>> %PIX-4-713903: Group = 192.1.49.100, IP = 192.1.49.100, Can't find a valid tunnel group, aborting...!
>>> %PIX-7-715065: Group = 192.1.49.100, IP = 192.1.49.100, IKE MM Responder FSM error history (struct &0x28e7d58) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
>>> %PIX-7-713906: Group = 192.1.49.100, IP = 192.1.49.100, IKE SA MM:dc270f2c terminating: flags 0x01000002, refcnt 0, tuncnt 0
>>>
>>> This is a new one on me. I've not had a huge amount of exposure to L2TP but thought I had covered all the bases.
>>> Tunnel groups, group policies, dynamic maps etc.
>>>
>>> Even tried the solution config but still the same.
>>> Any thoughts would be appreciated?
>>>
>>> (Full config and log attached!)
>>>
>>> thanks
>>> Stu
>>>
>>> --
>>> Stuart Hare
>>> stuart.h...@gmail.com

--
Stuart Hare
stuart.h...@gmail.com
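An added example, not posted by anyone in this thread, of the L2TP/IPsec pieces a PIX/ASA 7.2-style config needs for the Windows native client. It uses the DefaultRAGroup tunnel group that Stu found to be the only one that worked: the Windows client negotiates IKE main mode with a pre-shared key and sends no group name, so the PIX cannot map the peer to a named tunnel group and lands it in DefaultRAGroup. It also shows the transport-mode transform set L2TP requires and a local user created with the mschap keyword, which Cisco documents as necessary when the local database authenticates MS-CHAP. The pool, policy, map and interface names, the user and the key are assumptions; nothing here asserts what caused the password failures in the thread.

```cisco
! Added example, not from the thread. P42, L2TP-POL, TRANS, DYN, OUTSIDE,
! vpnuser and the key cisco123 are placeholders.
ip local pool P42 192.168.99.1-192.168.99.254 mask 255.255.255.0

! Phase 1: 3DES/SHA/group 2 with a pre-shared key, which the XP client proposes
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! Phase 2 must be transport mode; the L2TP client will not come up in tunnel mode
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS mode transport
crypto dynamic-map DYN 10 set transform-set TRANS
crypto map OUTSIDE 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE interface outside
sysopt connection permit-vpn

! Group policy that allows the l2tp-ipsec tunnel protocol
group-policy L2TP-POL internal
group-policy L2TP-POL attributes
 vpn-tunnel-protocol l2tp-ipsec

! The Windows client sends no group name, so the PIX uses DefaultRAGroup;
! the pre-shared key and PPP authentication method live here, not in a custom group
tunnel-group DefaultRAGroup general-attributes
 address-pool P42
 default-group-policy L2TP-POL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco123
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

! Local user for MS-CHAPv2: the mschap keyword stores the password in the form
! MS-CHAP verification needs; a plain "username ... password ..." entry does not
username vpnuser password cisco123 mschap
```

If IKE phase 2 completes but the session still dies at the PPP stage, the two things to compare against this example are the ppp-attributes under DefaultRAGroup and whether the local user was created with the mschap keyword.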