05-05-2016 10:57 AM - edited 03-05-2019 03:57 AM
We're trying to form an encrypted IPsec/L2TPv3 tunnel between two 2901 routers running IOS 15.4+. When we try to connect, we can see that the IPsec tunnel is up and that the xconnect session is up, but no L2 traffic is traversing the tunnel. We are also able to ping each other's public IP addresses.
The end systems which need to communicate through the tunnel are located on VLAN167 on RouterA and on Gi0/1 on RouterB.
(Note: Actual IP addresses have been replaced in the configs below.)
ROUTER A CONFIGURATION:
version 15.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER_A
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000000
no logging console
no logging monitor
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name domaina.com
ip cef
l2tp-class l2tp-defaults
retransmit initial retries 30
cookie size 8
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
!
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
vtp mode transparent
!
redundancy
!
!
!
!
!
vlan 2
name Test
!
vlan 167
name L2TPv3
!
pseudowire-class l2tpv3
encapsulation l2tpv3
protocol none
ip local interface GigabitEthernet0/0
!
!
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key <CRYPTO KEY HERE> address <ROUTER B PUBLIC IP>
!
!
crypto ipsec transform-set ROUTERB esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map ROUTERB 100 ipsec-isakmp
set peer <ROUTER B PUBLIC IP>
set transform-set ROUTERB
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description OUTSIDE
ip address <ROUTER A PUBLIC IP>
ip virtual-reassembly in
duplex auto
speed auto
crypto map ROUTERB
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
description SWITCH UPLINK
switchport trunk allowed vlan 1,2,167,1002-1005
switchport mode trunk
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
no ip address
!
interface GigabitEthernet0/1/4
no ip address
!
interface GigabitEthernet0/1/5
no ip address
!
interface GigabitEthernet0/1/6
no ip address
!
interface GigabitEthernet0/1/7
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
description Test
ip address 192.168.0.1 255.255.255.0
!
interface Vlan167
description L2TPv3
no ip address
xconnect <ROUTER B PUBLIC IP> 1 encapsulation l2tpv3 manual pw-class l2tpv3
l2tp id 100 200
l2tp cookie local 4 100
l2tp cookie remote 4 200
l2tp hello l2tp-defaults
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 <DEFAULT GATEWAY HERE>
!
access-list 100 permit ip host <ROUTER A PUBLIC IP> host <ROUTER B PUBLIC IP>
ROUTER B CONFIGURATION:
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER_B
!
boot-start-marker
boot-end-marker
!
!
!
!
default-router <ROUTER B PUBLIC IP>
!
!
!
no ip bootp server
ip domain name domainb.com
ip cef
l2tp-class l2tp-defaults
retransmit initial retries 30
cookie size 8
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
!
!
no cdp run
!
ip ssh time-out 90
ip ssh authentication-retries 2
pseudowire-class l2tpv3
encapsulation l2tpv3
protocol none
ip local interface Dialer0
!
!
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key <CRYPTO KEY HERE> address <ROUTER A PUBLIC IP>
!
!
crypto ipsec transform-set ROUTERA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map ROUTERA 100 ipsec-isakmp
set peer <ROUTER A PUBLIC IP>
set transform-set ROUTERA
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
no ip address
ip virtual-reassembly in
duplex auto
speed auto
xconnect <ROUTER A PUBLIC IP> 1 encapsulation l2tpv3 manual pw-class l2tpv3
l2tp id 200 100
l2tp cookie local 4 200
l2tp cookie remote 4 100
l2tp hello l2tp-defaults
!
interface Dialer0
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname <USERNAME HERE>
ppp chap password 0 <PASSWORD HERE>
crypto map ROUTERA
!
!
ip forward-protocol nd
!
no ip http server
!
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT
permit ip 192.168.0.0 0.0.0.255 any
permit ip host 0.0.0.0 any
!
!
!
access-list 1 permit <ROUTER A PUBLIC IP>
access-list 1 permit <ROUTER B PUBLIC IP>
access-list 100 permit ip host <ROUTER B PUBLIC IP> host <ROUTER A PUBLIC IP>
05-06-2016 12:49 AM
xconnect usually needs to be done on routed ports, not switch ports. There are some exceptions, but don't get down that path unless you want complications.
So on router 'A', plug gig0/1 into whatever vlan you wanted connected, and do the xconnect on that interface.
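The accepted answer's point (the attachment circuit should be a routed port, not an SVI) and the mirrored manual-session parameters in the two configs above are the things a reviewer checks by hand on a thread like this. The following is an added example, not code from the thread or from Cisco: a small Python linter that parses two IOS config texts and reports an xconnect placed on an `interface VlanN`, session ids or cookies that are not mirrored, a differing VC id, an xconnect peer that is not a destination in the crypto-map ACL (L2TPv3 packets that miss the ACL would leave the router unencrypted), and a crypto ACL that is not mirrored between peers. The config texts inside it are constructed from the thread's configs, with the documentation addresses 203.0.113.1 (Router A) and 198.51.100.1 (Router B) standing in for the redacted public IPs.

```python
"""Consistency linter for a manually keyed L2TPv3 xconnect between two IOS routers.

Added example (not from the thread or from Cisco). The config texts below are
constructed from the thread's configs; 203.0.113.1 and 198.51.100.1 are
documentation addresses standing in for the redacted public IPs.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Xconnect:
    interface: str
    peer: str
    vcid: str
    local_id: str = ""
    remote_id: str = ""
    cookie_local: tuple = ()    # (size, value) from "l2tp cookie local"
    cookie_remote: tuple = ()   # (size, value) from "l2tp cookie remote"


@dataclass
class Config:
    hostname: str = ""
    xconnects: list = field(default_factory=list)
    crypto_acl: list = field(default_factory=list)   # (src, dst) pairs from access-list 100


XC_RE = re.compile(r"xconnect (\S+) (\d+) encapsulation l2tpv3 manual")
ACL_RE = re.compile(r"access-list 100 permit ip host (\S+) host (\S+)")


def parse_config(text: str) -> Config:
    """Minimal IOS parser: indented lines belong to the preceding top-level block."""
    cfg, current_if, xc = Config(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):        # a top-level command closes any interface block
            current_if, xc = None, None
        if line.startswith("hostname "):
            cfg.hostname = line.split()[1]
        elif line.startswith("interface "):
            current_if = line.split(None, 1)[1]
        elif current_if and (m := XC_RE.match(line)):
            xc = Xconnect(current_if, m.group(1), m.group(2))
            cfg.xconnects.append(xc)
        elif xc and line.startswith("l2tp id "):
            _, _, xc.local_id, xc.remote_id = line.split()
        elif xc and line.startswith("l2tp cookie "):
            _, _, side, size, value = line.split()
            setattr(xc, f"cookie_{side}", (size, value))
        elif m := ACL_RE.match(line):
            cfg.crypto_acl.append((m.group(1), m.group(2)))
    return cfg


def check_pair(a: Config, b: Config) -> list:
    """Return human-readable findings; an empty list means the pair looks consistent."""
    findings = []
    for cfg in (a, b):
        for xc in cfg.xconnects:
            if xc.interface.lower().startswith("vlan"):
                findings.append(f"{cfg.hostname}: xconnect on SVI {xc.interface}; move it to a routed port")
            # the crypto map only encrypts L2TPv3 packets that match access-list 100
            if cfg.crypto_acl and not any(dst == xc.peer for _, dst in cfg.crypto_acl):
                findings.append(f"{cfg.hostname}: xconnect peer {xc.peer} is not a destination in access-list 100")
    if not (a.xconnects and b.xconnects):
        findings.append("xconnect missing on one side")
        return findings
    xa, xb = a.xconnects[0], b.xconnects[0]
    if xa.vcid != xb.vcid:
        findings.append(f"VC id differs: {xa.vcid} vs {xb.vcid}")
    if (xa.local_id, xa.remote_id) != (xb.remote_id, xb.local_id):
        findings.append("l2tp session ids are not mirrored")
    if xa.cookie_local != xb.cookie_remote or xa.cookie_remote != xb.cookie_local:
        findings.append("l2tp cookies are not mirrored")
    if a.crypto_acl and b.crypto_acl and a.crypto_acl[0] != b.crypto_acl[0][::-1]:
        findings.append("crypto ACL 100 is not mirrored between the peers")
    return findings


def lint(text_a: str, text_b: str) -> list:
    return check_pair(parse_config(text_a), parse_config(text_b))


# Constructed from the thread's Router A config: xconnect on the VLAN167 SVI.
ROUTER_A = """\
hostname ROUTER_A
!
interface Vlan167
 description L2TPv3
 no ip address
 xconnect 198.51.100.1 1 encapsulation l2tpv3 manual pw-class l2tpv3
  l2tp id 100 200
  l2tp cookie local 4 100
  l2tp cookie remote 4 200
  l2tp hello l2tp-defaults
!
access-list 100 permit ip host 203.0.113.1 host 198.51.100.1
"""

# Constructed from the thread's Router B config: xconnect on routed port Gi0/1.
ROUTER_B = """\
hostname ROUTER_B
!
interface GigabitEthernet0/1
 no ip address
 xconnect 203.0.113.1 1 encapsulation l2tpv3 manual pw-class l2tpv3
  l2tp id 200 100
  l2tp cookie local 4 200
  l2tp cookie remote 4 100
  l2tp hello l2tp-defaults
!
access-list 100 permit ip host 198.51.100.1 host 203.0.113.1
"""

# Router A after the accepted fix: same session, attachment circuit moved to Gi0/1.
ROUTER_A_FIXED = ROUTER_A.replace("interface Vlan167\n description L2TPv3", "interface GigabitEthernet0/1")

if __name__ == "__main__":
    for label, text_a in (("as posted", ROUTER_A), ("after fix", ROUTER_A_FIXED)):
        print(label, lint(text_a, ROUTER_B) or ["no findings"])
```

Run against the posted configs the only finding is the SVI on Router A; with the xconnect moved to Gi0/1 the pair comes back clean. The parser is deliberately narrow (manual L2TPv3 sessions and numbered access-list 100 only), which is enough to catch the mirroring mistakes that are easy to make when typing the ids and cookies by hand on both ends.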
05-08-2016 06:54 PM
You're correct! The connection works after I moved the xconnect to Gi0/1.
It's interesting to note that this actually works if both ends set up their xconnects on switch port SVIs.
05-08-2016 07:49 PM
xconnect on a routed port (like Gig0/1) encapsulates the dot1q tag - so it can be a full 802.1q trunk.
When you do it on a vlan it doesn't encapsulate the dot1q tag.
04-25-2024 11:49 PM
LAN1<----->Router1<+++WAN++> Router2<====portchannel==>LAN2
Does L2TPv3 support a port-channel interface on one side and a physical interface on the other side, or a port channel on both sides?
In the above example, if I have to establish an L2 tunnel over the WAN between LAN1 and LAN2, will that work?