VPN L2TP + ipsec routing problem

r_m
Level 1

Hi everyone,

I have this L2TP + IPsec configuration. I can get authentication, but I have no ability to ping the internal class and I cannot even get a WAN connection.
I've probably made mistakes.
Thanks for your help.

!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
!
!
!
!
!
!
aaa session-id common
clock timezone UTC 2 0
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.128
 default-router 10.10.10.1 
 dns-server 10.10.10.1 
 lease 0 2
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
! 
! 
! 
! 
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp-group
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
no device-tracking logging theft
!
!
!
crypto pki trustpoint TP-self-signed-4099755788
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4099755788
 revocation-check none
 rsakeypair TP-self-signed-4098
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
!

!
no license feature hseck9
license udi pid C1127X-8PLTEP sn
license boot level securityk9
license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
license smart url smart https://tools.cisco.com/its/service/oddce/services/DDCEService
license smart transport callhome
memory free low-watermark processor 71830
!
!
!
!
!
object-group network local_lan_subnets 
 10.10.10.0 255.255.255.128
!
object-group network vpn_remote_subnets 
 192.168.168.0 255.255.255.0
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$.VFyVFBlpPIigk$LZM0MdxrlOUG/fz.GodgdTfnj3W2i60POesjHWIi9UcWs
username vpn password 0 1111111111
!
redundancy
 mode none
!
!
!
!
controller VDSL 0/3/0
 operating mode vdsl2
!
!
vlan internal allocation policy ascending
!
! 
!
!
!
!
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 1234567890 address 0.0.0.0        
!
!
crypto ipsec transform-set l2tp-ipsec-transport-esp esp-3des esp-sha-hmac 
 mode transport
!
!
!
crypto dynamic-map my-dynamic-map 1
 set nat demux
 set transform-set l2tp-ipsec-transport-esp 
!
!
crypto map my-static-map 1 ipsec-isakmp dynamic my-dynamic-map 
!
!
!
!
! 
! 
!
!
interface Loopback0
 ip address 192.168.168.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/3/0
 no ip address
 shutdown
 atm oversubscribe factor 2
!
interface Ethernet0/3/0
 no ip address
 no negotiation auto
!
interface Ethernet0/3/0.835
 encapsulation dot1Q 835
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Dialer1
 ip nat inside
 peer default ip address pool l2tp-pool
 ppp authentication ms-chap-v2
 ip virtual-reassembly
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
 ip tcp adjust-mss 1452
 ip virtual-reassembly
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp mtu adaptive
 ppp authentication chap pap callin
 ppp chap hostname 1234567890@alicebiz.routed
 ppp chap password 0 xxxxx
 ppp pap sent-username 1234567890@alicebiz.routed password 0 xxxxx
 ppp ipcp dns request
 crypto map my-static-map
 ip virtual-reassembly
!
ip local pool l2tp-pool 192.168.168.5 192.168.168.10
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Dialer1
ip forward-protocol nd
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip access-list extended nat-list
 10 deny   ip object-group local_lan_subnets object-group vpn_remote_subnets
 20 permit ip object-group local_lan_subnets any
 30 permit ip object-group vpn_remote_subnets any
!
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input telnet ssh
line vty 5 15
 login
 transport input telnet ssh
!
call-home
 contact-email-addr 
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp master
ntp server europe.pool.ntp.org
!
!
!
!
!
!
end
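Independently of the routing question, several settings in the paste above are the kind a config review flags: 3DES and DH group 2 in the ISAKMP policy, an ISAKMP key bound to `address 0.0.0.0`, a type-0 `username` password, and telnet in `transport input`. The script below is an added example, not code from the original post or from Cisco: a small offline linter that splits an IOS config into blocks, reports those settings, and checks that each `ip local pool` falls inside an `object-group network` (the way `nat-list` above classifies VPN clients). The config excerpts inside it are constructed from lines of the posted config plus a hypothetical hardened counterpart; the finding codes and function names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above: only the lines the
# checks below look at are kept, the rest of the paste is omitted.
POSTED_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 0.0.0.0
crypto ipsec transform-set l2tp-ipsec-transport-esp esp-3des esp-sha-hmac
 mode transport
username vpn password 0 1111111111
object-group network local_lan_subnets
 10.10.10.0 255.255.255.128
object-group network vpn_remote_subnets
 192.168.168.0 255.255.255.0
ip local pool l2tp-pool 192.168.168.5 192.168.168.10
line vty 0 4
 transport input telnet ssh
"""

# Constructed counterpart with hypothetical replacement values. The PPP user keeps
# a reversible (type 7) password because MS-CHAPv2 cannot verify a one-way 'secret'.
HARDENED_EXCERPT = """\
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 group 14
crypto ipsec transform-set l2tp-esp esp-aes 256 esp-sha256-hmac
username vpn password 7 PLACEHOLDER-TYPE7-STRING
line vty 0 4
 transport input ssh
"""

WEAK_IKE_ENC, WEAK_DH = {"des", "3des"}, {"1", "2", "5"}   # legacy per Cisco NGE guidance
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
NON_CLEARTEXT = {"5", "7", "8", "9"}   # any other password type is type 0; 7 is only obfuscated


def blocks(cfg):
    """(command, [sub-commands]) pairs: a column-0 line opens a block, indented lines join it."""
    out = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            out.append((raw.strip(), []))
        elif out:
            out[-1][1].append(raw.strip())
    return out


def pool_coverage(cfg):
    """Map each 'ip local pool' to the object-groups whose networks contain its whole
    range; an empty list means no object-group based ACL line can match those clients."""
    groups, pools = {}, {}
    for head, body in blocks(cfg):
        if m := re.match(r"object-group network (\S+)", head):
            groups[m[1]] = [ipaddress.ip_network("/".join(l.split()), strict=False)
                            for l in body if len(l.split()) == 2]
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", head):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return {name: sorted(g for g, nets in groups.items()
                         if any(lo in n and hi in n for n in nets))
            for name, (lo, hi) in pools.items()}


def audit(cfg):
    """Sorted (code, detail) findings for the settings a config review would flag."""
    found = []
    for head, body in blocks(cfg):
        if head.startswith("crypto isakmp policy"):
            for kw in (l.split() for l in body):
                if kw[0] == "encryption" and kw[1] in WEAK_IKE_ENC:
                    found.append(("weak-ike-encryption", f"{head}: {' '.join(kw)}"))
                elif kw[0] == "hash" and kw[1] == "md5":
                    found.append(("weak-ike-hash", f"{head}: {' '.join(kw)}"))
                elif kw[0] == "group" and kw[1] in WEAK_DH:
                    found.append(("weak-ike-dh-group", f"{head}: {' '.join(kw)}"))
        elif head.startswith("crypto isakmp key") and re.search(r"\baddress 0\.0\.0\.0\b", head):
            found.append(("wildcard-psk", head))   # key is accepted from any peer address
        elif head.startswith("crypto ipsec transform-set"):
            if weak := sorted(set(head.split()[4:]) & WEAK_ESP):
                found.append(("weak-ipsec-transform", f"{head}: {' '.join(weak)}"))
        elif head.startswith("username ") and " password " in head:
            if head.split(" password ", 1)[1].split()[0] not in NON_CLEARTEXT:
                found.append(("cleartext-password", head.split()[1]))
        elif head.startswith("line vty"):
            for l in body:
                if l.startswith("transport input") and "telnet" in l.split():
                    found.append(("telnet-enabled", f"{head}: {l}"))
    for name, groups in pool_coverage(cfg).items():
        if not groups:
            found.append(("pool-outside-object-groups", name))
    return sorted(found)


if __name__ == "__main__":
    print(*audit(POSTED_CONFIG), sep="\n")
    print("pool coverage:", pool_coverage(POSTED_CONFIG), "hardened:", audit(HARDENED_EXCERPT))
```

Two caveats belong with the findings. The wildcard PSK is inherent to road-warrior L2TP/IPsec with pre-shared keys, since the clients' addresses are not known in advance; the alternative is certificate authentication rather than a narrower `address`. And `ppp authentication ms-chap-v2` on Virtual-Template1 needs a reversible password for the `vpn` user, so a `secret` hash would break logins; the local options are `service password-encryption` (type 7 obfuscation only) or moving PPP users to a RADIUS server. The script does not address why 192.168.168.0/24 clients cannot reach 8.8.8.8; it only confirms that `l2tp-pool` is inside `vpn_remote_subnets`, so `nat-list` line 30 can match them.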
9 Replies

balaji.bandi
Hall of Fame

"I can get authentication but I have no ability to ping the internal class and not even get wan connection."

Before I read the configuration and advise, please clarify here:

When you mention "ping internal", what do you mean? The local LAN network from which you initiated the connection to the remote network?

Or after connecting to the remote network (the remote LAN)?

If you lose the local network after connecting the L2TP, you need a split tunnel to access local resources.

Once you clarify this, then I can look at the config.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I cannot ping from 10.10.10.0 to 192.168.168.0, nor the reverse.

Pings from 10.10.10.0 to 8.8.8.8 work correctly, while I get no ping from 192.168.168.0 to 8.8.8.8.

Explain what the local IP is and what the remote IP is; I guess you need a split tunnel here.

BB

Local IP 10.10.10.0

Remote IP 192.168.168.0

As per the config, you have LAN IP address 10.x.x.x and remote access IP range 192.168.x.x. When you connect the device, what is your local IP address before connecting to the L2TP VPN?

BB

The class of local IP address before the L2 connection is 192.168.86.0.

L2TP + IPsec

L2TP is built between the LAC and the LNS.
IPsec can protect this point-to-point connection by configuring IPsec with a policy ACL: host "IP of the LAC initiating the L2TP" host "IP of the LNS terminating the L2TP".

So why is there no policy ACL, and why is the IPsec dynamic?

Thanks for the directions, but I am a novice and I was unable to apply the solution. Do you have any suggestions for my configuration?
