
L2TPv3 tunnel between Cisco 2901's

earsenov1
Level 1

We're trying to form an encrypted IPsec/L2TPv3 tunnel between two 2901 routers running IOS 15.4+. When we try to connect, we can see that the IPsec tunnel is up and that the xconnect session is up, but no L2 traffic is traversing the tunnel. We are also able to ping each other's public IP addresses.

The end systems which need to communicate through the tunnel are located on VLAN167 on RouterA and on Gi0/1 on RouterB.

(Note: Actual IP addresses have been replaced in the configs below.)


ROUTER A CONFIGURATION:
version 15.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ROUTER_A
!
boot-start-marker
boot-end-marker
!
!
logging buffered 10000000
no logging console
no logging monitor
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name domaina.com
ip cef
l2tp-class l2tp-defaults
 retransmit initial retries 30
 cookie size 8
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
!
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
vtp mode transparent
!
redundancy
!
!
!
!
!
vlan 2
 name Test
!
vlan 167
 name L2TPv3
!
pseudowire-class l2tpv3
 encapsulation l2tpv3
 protocol none
 ip local interface GigabitEthernet0/0
!
!
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <CRYPTO KEY HERE> address <ROUTER B PUBLIC IP>
!
!
crypto ipsec transform-set ROUTERB esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map ROUTERB 100 ipsec-isakmp
 set peer <ROUTER B PUBLIC IP>
 set transform-set ROUTERB
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address <ROUTER A PUBLIC IP>
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map ROUTERB
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 description SWITCH UPLINK
 switchport trunk allowed vlan 1,2,167,1002-1005
 switchport mode trunk
 no ip address
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface GigabitEthernet0/1/4
 no ip address
!
interface GigabitEthernet0/1/5
 no ip address
!
interface GigabitEthernet0/1/6
 no ip address
!
interface GigabitEthernet0/1/7
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan2
 description Test
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan167
 description L2TPv3
 no ip address
 xconnect <ROUTER B PUBLIC IP> 1 encapsulation l2tpv3 manual pw-class l2tpv3
  l2tp id 100 200
  l2tp cookie local 4 100
  l2tp cookie remote 4 200
  l2tp hello l2tp-defaults
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 <DEFAULT GATEWAY HERE>
!
access-list 100 permit ip host <ROUTER A PUBLIC IP> host <ROUTER B PUBLIC IP>



ROUTER B CONFIGURATION:
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER_B
!
boot-start-marker
boot-end-marker
!
!
!
!
default-router <ROUTER B PUBLIC IP>
!
!
!
no ip bootp server
ip domain name domainb.com
ip cef
l2tp-class l2tp-defaults
 retransmit initial retries 30
 cookie size 8
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
cts logging verbose
!
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
!
redundancy
!
!
!
!
no cdp run
!
ip ssh time-out 90
ip ssh authentication-retries 2
pseudowire-class l2tpv3
 encapsulation l2tpv3
 protocol none
 ip local interface Dialer0
!
!
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <CRYPTO KEY HERE> address <ROUTER A PUBLIC IP>
!
!
crypto ipsec transform-set ROUTERA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map ROUTERA 100 ipsec-isakmp
 set peer <ROUTER A PUBLIC IP>
 set transform-set ROUTERA
 match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
 xconnect <ROUTER A PUBLIC IP> 1 encapsulation l2tpv3 manual pw-class l2tpv3
   l2tp id 200 100
   l2tp cookie local 4 200
   l2tp cookie remote 4 100
   l2tp hello l2tp-defaults
!
interface Dialer0
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer-group 1
 ppp chap hostname <USERNAME HERE>
 ppp chap password 0 <PASSWORD HERE>
 crypto map ROUTERA
!
!
ip forward-protocol nd
!
no ip http server
!
no ip nat service sip udp port 5060
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip host 0.0.0.0 any
!
!
!
access-list 1 permit <ROUTER A PUBLIC IP>
access-list 1 permit <ROUTER B PUBLIC IP>
access-list 100 permit ip host <ROUTER B PUBLIC IP> host <ROUTER A PUBLIC IP>

Accepted Solution

Philip D'Ath
VIP Alumni

xconnect usually needs to be done on routed ports, not switch ports.  There are some exceptions, but don't get down that path unless you want complications.

So on router 'A', plug gig0/1 into whatever vlan you wanted connected, and do the xconnect on that interface.

You're correct!  The connection works after I moved the xconnect to Gi0/1.

It's interesting to note that this actually works if both ends set up their xconnects on switch port SVIs.

xconnect on a routed port (like Gig0/1) encapsulates the dot1q tag, so it can be a full 802.1Q trunk.

When you do it on a VLAN it doesn't encapsulate the dot1q tag.
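Router A's xconnect moved from the Vlan167 SVI to the routed port GigabitEthernet0/1, as Philip suggests, followed by the show commands that confirm the pseudowire and the IPsec SA are actually carrying traffic. This is an added example, not configuration from the original post; it assumes the switch port now cabled to Gi0/1 carries VLAN 167 (trunk or access), and it reuses the peer address and pseudowire parameters from the post as placeholders.

```text
! Added example (not from the original post): Router A after moving the
! xconnect from the VLAN 167 SVI to the routed port Gi0/1. Gi0/1 becomes
! the attachment circuit, so the switch port facing it must carry VLAN 167.
interface GigabitEthernet0/1
 description L2TPv3 attachment circuit (frames keep their 802.1Q tags)
 no ip address
 duplex auto
 speed auto
 xconnect <ROUTER B PUBLIC IP> 1 encapsulation l2tpv3 manual pw-class l2tpv3
   l2tp id 100 200
   l2tp cookie local 4 100
   l2tp cookie remote 4 200
   l2tp hello l2tp-defaults
!
! Drop the SVI-based xconnect so the same session IDs are not bound twice.
interface Vlan167
 description L2TPv3
 no xconnect
!
! Verification (run on both routers):
! show xconnect all        - XC ST, S1 and S2 should all show UP
! show l2tun session all   - manual session with local/remote IDs 100/200
! show crypto ipsec sa     - #pkts encaps/decaps should climb once end hosts
!                            talk, because ACL 100 matches all IP between the
!                            two public addresses, including L2TPv3 (protocol 115)
```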

rohitSan
Level 1

LAN1<----->Router1<+++WAN++> Router2<====portchannel==>LAN2

Does L2TPv3 support a port-channel interface on one side and a physical interface on the other side, or a port channel on both sides?
In the above example, if I have to establish an L2 tunnel over the WAN between LAN1 and LAN2, will that work?
