
PIA VPN Virtual-PPP1 not coming up.

ryantalevski
Level 1

I have configured an L2TP VPN to Private Internet Access (PIA) on my router, but the Virtual-PPP1 interface is up while its line protocol is down.

I have been over my config and can't figure out what is wrong.

I have a dialer interface to my ISP, and that is up and up.

Here is my config:

login as: 
Using keyboard-interactive authentication.
Password:

********************************************************************************
*               UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED               *
*     You must have explicit, authorized permission to access or configure     *
*                                 this device.                                 *
* Unauthorized attempts and actions to access or use this system may result in *
*                       civil and/or criminal penalties.                       *
*      All activities performed on this device are logged and monitored.       *
*                                                                              *
*                          Property of xxxxxxxxxxxxx                           *
********************************************************************************

Please check that you are on the correct switch:
        Switch Name     : SW-Rtr_Core_897-1
        Site Name       : Home



SW-Rtr_Core_897-1#show run
Building configuration...

Current configuration : 15592 bytes
!
! Last configuration change at 13:56:49 BST Mon Oct 29 2018 by 
! NVRAM config last updated at 13:51:58 BST Mon Oct 29 2018 by 
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname SW-Rtr_Core_897-1
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.154-3.M9.bin
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$IddG$4VYKgwZ4FGQwAD6RCtst.1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login SSLVPN_AAA local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
clock timezone BST 1 0
!
crypto pki trustpoint SSLVPN_CERT
 enrollment selfsigned
 subject-name CN=fdenofa-SSLVPN.cisco.com
 revocation-check crl
 rsakeypair SSLVPN_KEYPAIR
!
!
crypto pki certificate chain SSLVPN_CERT
 certificate self-signed 01
  3082037A 30820262 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  56312130 1F060355 04031318 6664656E 6F66612D 53534C56 504E2E63 6973636F
  2E636F6D 3131302F 06092A86 4886F70D 01090216 2253572D 5274725F 436F7265
  5F383937 2D312E72 79616E74 616C6576 736B692E 636F6D30 1E170D31 38303932
  33313830 3431315A 170D3230 30313031 30303030 30305A30 56312130 1F060355
  04031318 6664656E 6F66612D 53534C56 504E2E63 6973636F 2E636F6D 3131302F
  06092A86 4886F70D 01090216 2253572D 5274725F 436F7265 5F383937 2D312E72
  79616E74 616C6576 736B692E 636F6D30 82012230 0D06092A 864886F7 0D010101
  05000382 010F0030 82010A02 82010100 A1E160B2 B36B4286 8C1D3CBC EB1FC3CE
  08A75EC8 3ED6CACA 3D2FA814 DDF038FD 5DAC3E7C BDE2903A 7D472535 0785BF75
  93614405 D21349F6 23D41A02 20B4C19F CB499364 16BE7BC9 318A0E76 CB10D897
  E73279C1 7970AA17 9A117533 48AACE4A 0CCE7601 9CB0B3AB DBEA4F94 3571D7E1
  FE408FF6 A3DC8841 53A10E5D 1EAE1883 1B0AE669 6CB3D8F0 5A575DF9 1B426C18
  4BBCBE00 6CF2590C E591ACE7 005FCE3F 01FC76FE 877EA1B2 28383845 84CC6F59
  03F9DFEA A4E92BDF D3F61804 FE57B9C7 DCEC9F69 970CF5A7 DEE00B28 4540714D
  8144DFDE 0EDDA758 761DA288 4FEC872A 053EE354 089E7BF6 E82482BC C099E263
  CAF3DEAA DC20A011 A2BCE09A 39BE3017 02030100 01A35330 51300F06 03551D13
  0101FF04 05300301 01FF301F 0603551D 23041830 16801443 11BB3B31 EC90923F
  A34178EC 5630DE33 15FAC830 1D060355 1D0E0416 04144311 BB3B31EC 90923FA3
  4178EC56 30DE3315 FAC8300D 06092A86 4886F70D 01010505 00038201 010077DC
  AE38567D 6C8AAD79 6B417273 EC639ABA C536A798 0FA51933 5E7A5D75 F57499A7
  93083149 AE456C6C D03F7AF0 68DFE8FF A412514F AEE9B1F4 5134D1FE 8DA0C9E8
  25BADFC1 D75BE127 85E31361 96529397 7C194144 1C528645 2D86674F 68B58423
  837936C9 0723343F 30987837 84E9760D FAA8C258 A6C86937 050665DE 2D64B16E
  32781812 B67DDB8C F1B876B6 F6A6C29E D5204B16 D866D14B 38016745 F84DA454
  BADE05E6 589BD411 DD1987DC 2DB7A39A C061272A CD41830B BD207167 2E36314B
  05016E5A 552C9D4E 99BCA384 30B999B0 D9F62DCA 4C3C5DE8 3CCE47A6 BCEE194A
  5EC92A11 694ED309 106DE78C 5B94AF18 6DA31986 32019EB3 6042F701 2374
        quit
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.2.1.1
ip dhcp excluded-address 10.4.1.1
ip dhcp excluded-address 10.54.1.1
ip dhcp excluded-address 10.80.1.1 10.80.1.4
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VLAN2
 network 10.2.1.0 255.255.255.192
 default-router 10.2.1.1
 dns-server 1.1.1.1 1.0.0.1
 domain-name ryantalevski.com
!
ip dhcp pool VLAN4
 network 10.4.1.0 255.255.255.240
 default-router 10.4.1.1
 dns-server 1.1.1.1 1.0.0.1
 domain-name ryantalevski.com
!
ip dhcp pool VLAN54
 network 10.54.1.0 255.255.255.240
 default-router 10.54.1.1
 dns-server 1.1.1.1 1.0.0.1
 domain-name ryantalevski.com
!
ip dhcp pool VLAN80
 network 10.80.1.0 255.255.255.248
 default-router 10.80.1.1
 dns-server 1.1.1.1 1.0.0.1
 domain-name ryantalevski.com
!
ip dhcp pool VLAN400
 network 192.168.1.0 255.255.255.192
 dns-server 1.1.1.1 1.0.0.1
 domain-name ryantalevski.com
 default-router 192.168.1.1
 lease 0 1
!
!
!
ip domain name ryantalevski.com
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip ddns update method ddns-noip
 HTTP
  add http://ryantalevski:xxxxxxxxxxxxxxxxxxx@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
 interval minimum 0 0 1 0
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
domain
!
!
!
!
!
!
!
cts logging verbose
!
!
!
spanning-tree portfast bpduguard
vtp domain ryantalevski.com
vtp mode transparent
username ryant privilege 15 password 7 1126155401430A2C567A7A7C69
username admin privilege 15 password 7 14341B180F54
!
crypto vpn anyconnect flash:/webvpn/ sequence 1
!
!
!
!
!
controller VDSL 0
!
vlan 2
 name Data
!
vlan 4
 name Ryan's_WiFi
!
vlan 6
!
vlan 16
 name Domain
!
vlan 54
 name WiFi
!
vlan 80
 name AP_VLAN
!
vlan 254
 name Mgnt
!
vlan 400
 name Guest_Network
lldp run
!
pseudowire-class PIA_L2TP
 encapsulation l2tpv2
 ip local interface Dialer1
!
!
class-map type inspect match-any INSIDE-TO-OUTSIDE
  description Basic Internet Protocols
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol dns
 match protocol pop3
 match protocol imap
 match protocol smtp
class-map type inspect match-any OUTSIDE-TO-INSIDE
  description Traffic from the Public Internet
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
 class type inspect OUTSIDE-TO-INSIDE
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key mysafety address 89.238.154.163
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
!
!
crypto map PIA_VPN 10 ipsec-isakmp
 set peer 89.238.154.163
 set transform-set ESP-AES256-SHA1
 match address PIA_LON_UK
!
!
!
!
!
!
interface Loopback0
 ip address 10.254.254.1 255.255.255.0
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 description BT_VDSL0
 no ip address
 ip virtual-reassembly in
 no ip route-cache
!
interface Ethernet0.101
 description 802.1Q Tagging for PPPOE VDSL0
 encapsulation dot1Q 101
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
 ip access-group 100 in
!
interface GigabitEthernet1
 description Port
 switchport access vlan 2
 no ip address
 zone-member security INSIDE
 shutdown
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet2
 description Port
 switchport access vlan 2
 no ip address
 zone-member security INSIDE
 shutdown
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet3
 description Port
 switchport access vlan 2
 no ip address
 zone-member security INSIDE
 shutdown
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet4
 description Port
 switchport access vlan 2
 no ip address
 zone-member security INSIDE
 shutdown
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet5
 description Port
 switchport access vlan 2
 no ip address
 zone-member security INSIDE
 shutdown
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet6
 description Port
 switchport access vlan 2
 no ip address
 zone-member security INSIDE
 shutdown
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet7
 description Port
 switchport access vlan 2
 no ip address
 zone-member security INSIDE
 shutdown
 storm-control broadcast level 0.50
 storm-control multicast level 0.50
 storm-control action shutdown
 spanning-tree portfast
!
interface GigabitEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Virtual-PPP1
 description Tunnel to PIA London UK
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 ppp eap refuse
 ppp chap hostname p8759760
 ppp chap password 7 12120016081F283E10010C
 ppp ipcp address accept
 no cdp enable
 pseudowire 89.238.154.163 1 encapsulation l2tpv2 pw-class PIA_L2TP
 crypto map PIA_VPN
!
interface Virtual-Template1
 ip unnumbered Loopback0
!
interface Vlan1
 description VLAN1
 no ip address
 shutdown
!
interface Vlan2
 description Data VLAN
 ip address 10.2.1.1 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no ip route-cache cef
!
interface Vlan4
 description Ryan's WiFi VLAN
 ip address 10.4.1.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no ip route-cache cef
!
interface Vlan54
 description WiFi VLAN
 ip address 10.54.1.1 255.255.255.240
 ip access-group 198 in
 ip access-group 198 out
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no ip route-cache cef
!
interface Vlan80
 description AP VLAN
 ip address 10.80.1.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no ip route-cache cef
!
interface Vlan254
 description Mgnt VLAN
 ip address 10.254.1.240 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
!
interface Vlan400
 description Guest VLAN
 ip address 192.168.1.1 255.255.255.192
 ip access-group 199 in
 ip access-group 199 out
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 no ip route-cache cef
!
interface Dialer1
 description **BT FIBRE**
 ip ddns update hostname ryantalevski.ddns.net
 ip ddns update ddns-noip
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname bthomehub@btbroadband.com
 ppp chap password 7 140713181F13253920
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
 crypto map PIA_VPN
!
ip local pool SSLVPN_POOL 192.168.10.1 192.168.10.99
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list PIA_NAT interface Virtual-PPP1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh authentication-retries 2
ip ssh source-interface Vlan254
ip ssh version 2
!
ip access-list standard PIA_NAT
 permit 10.4.1.0 0.0.0.15
!
ip access-list extended PIA_LON_UK
 permit udp host 86.180.153.108 eq 1701 host 89.238.154.163 eq 1701
!
logging history debugging
dialer-list 1 protocol ip permit
!
access-list 1 remark -- Access Control to Public Internet --
access-list 1 permit 10.2.1.0 0.0.0.63
access-list 1 permit 10.4.1.0 0.0.0.15
access-list 1 permit 10.54.1.0 0.0.0.15
access-list 1 permit 10.80.1.0 0.0.0.7
access-list 1 permit 10.254.1.0 0.0.0.255
access-list 1 permit 172.16.1.0 0.0.0.15
access-list 1 permit 192.168.1.0 0.0.0.63
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 deny   any
access-list 4 remark -- SSH ACL --
access-list 4 permit 10.2.1.0 0.0.0.63
access-list 4 permit 10.4.1.0 0.0.0.15
access-list 4 permit 10.254.1.0 0.0.0.255
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 4 deny   any
access-list 100 deny   tcp any host 10.2.1.1 eq 22
access-list 100 deny   tcp any host 10.4.1.1 eq 22
access-list 100 deny   tcp any host 10.16.1.14 eq 22
access-list 100 deny   tcp any host 10.54.1.1 eq 22
access-list 100 deny   tcp any host 10.80.1.1 eq 22
access-list 100 permit ip any any
access-list 198 remark -- WiFi Restriction --
access-list 198 permit ip any 10.54.1.0 0.0.0.15
access-list 198 deny   ip any 10.0.0.0 0.255.255.255
access-list 198 deny   ip any 172.16.0.0 0.0.255.255
access-list 198 deny   ip any 192.168.0.0 0.0.255.255
access-list 198 permit ip any any
access-list 199 remark -- Restriction --
access-list 199 permit ip any 192.168.1.0 0.0.0.63
access-list 199 deny   ip any 10.0.0.0 0.255.255.255
access-list 199 deny   ip any 172.16.0.0 0.0.255.255
access-list 199 deny   ip any 192.168.0.0 0.0.255.255
access-list 199 permit ip any any
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
 vstack
banner exec ^C
Please check that you are on the correct switch:
        Switch Name     : SW-Rtr_Core_897-1
        Site Name       : Home


^C
banner motd ^C
********************************************************************************
*               UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED               *
*     You must have explicit, authorized permission to access or configure     *
*                                 this device.                                 *
* Unauthorized attempts and actions to access or use this system may result in *
*                       civil and/or criminal penalties.                       *
*      All activities performed on this device are logged and monitored.       *
*                                                                              *
*                          Property of xxxxxxxxxxxxx                           *
********************************************************************************
^C
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 4 in
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server pool.ntp.org
!
!
!
!
webvpn gateway SSLVPN_GATEWAY
 ip interface Dialer1 port 443
 http-redirect port 80
 ssl trustpoint SSLVPN_CERT
 inservice
 !
webvpn context SSL_CONTEXT
 title "ryantalevski.com_SSLVPN"
 virtual-template 1
 aaa authentication list SSLVPN_AAA
 gateway SSLVPN_GATEWAY
 ca trustpoint SSLVPN_CERT
 !
 ssl authenticate verify all
 inservice
 !
 policy group SSL_POLICY
   functions svc-enabled
   svc address-pool "SSLVPN_POOL" netmask 255.255.255.0
   svc default-domain ""
   svc dns-server primary 1.1.1.1
   svc dns-server secondary 1.0.0.1
   hide-url-bar
 default-group-policy SSL_POLICY
!
end

SW-Rtr_Core_897-1#  


1 Reply
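An L2TP-over-IPsec client like the one above depends on several stanzas agreeing with each other: the `crypto isakmp key` address, the crypto map's `set peer`, the `pseudowire` target on Virtual-PPP1 and the crypto ACL all have to name the same peer, and the ACL's fixed source host has to match whatever address the ISP negotiated on Dialer1. The script below is an added example, not code from the post or from Cisco; it parses an IOS running-config into stanzas, checks those cross-references, and flags the settings a reviewer would raise on this config (type 7 passwords, a plaintext ISAKMP pre-shared key, DH group 5, HMAC-SHA1). `SAMPLE_CONFIG` is constructed to mirror the post's structure; every address, username and secret in it is a placeholder.

```python
"""Audit an IOS L2TP-over-IPsec client configuration for consistency and weak settings.

Added example (not from the original post, not a Cisco tool). The sample config
is constructed; all peers, usernames and secrets are placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map PIA_VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES256-SHA1
 match address PIA_LON_UK
!
interface Virtual-PPP1
 ip address negotiated
 ppp chap hostname PLACEHOLDER_USER
 ppp chap password 7 0000000000000000
 pseudowire 203.0.113.10 1 encapsulation l2tpv2 pw-class PIA_L2TP
 crypto map PIA_VPN
!
interface Dialer1
 ip address negotiated
 crypto map PIA_VPN
!
ip access-list extended PIA_LON_UK
 permit udp host 198.51.100.7 eq 1701 host 203.0.113.10 eq 1701
"""

L2TP_ACE = re.compile(r"permit udp host (\S+) eq 1701 host (\S+) eq 1701")
WEAK_DH = {"group 1", "group 2", "group 5"}  # below the usual group 14+ guidance


def parse_stanzas(text: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header, child lines). Unindented lines start a
    stanza, indented lines belong to the last header, '!' separators are dropped."""
    stanzas: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and stanzas:
            stanzas[-1][1].append(raw.strip())
        else:
            stanzas.append((raw.strip(), []))
    return stanzas


@dataclass
class TunnelFacts:
    isakmp_peer: Optional[str] = None
    map_name: Optional[str] = None
    map_peer: Optional[str] = None
    map_acl: Optional[str] = None
    pw_peer: Optional[str] = None
    vppp_map: Optional[str] = None
    dialer_negotiated: bool = False
    acl_l2tp: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def extract(stanzas) -> TunnelFacts:
    """Pull the tunnel-relevant facts out of the stanzas and record hygiene findings."""
    f = TunnelFacts()
    for header, body in stanzas:
        w = header.split()
        for line in body:  # type 7 is reversible obfuscation, not a hash
            if re.search(r"\bpassword 7 \S+", line):
                f.findings.append(f"{header}: type 7 password (reversible, not a hash)")
        if header.startswith("crypto isakmp key "):
            f.isakmp_peer = w[w.index("address") + 1]
            f.findings.append("crypto isakmp key: pre-shared key is stored in plaintext")
        elif header.startswith("crypto isakmp policy"):
            weak = WEAK_DH.intersection(body)
            if weak:
                f.findings.append(f"{header}: {weak.pop()} is below current DH guidance (group 14+)")
        elif header.startswith("crypto ipsec transform-set") and "esp-sha-hmac" in w:
            f.findings.append(f"transform-set {w[3]}: esp-sha-hmac is HMAC-SHA1; prefer esp-sha256-hmac")
        elif header.startswith("crypto map ") and "ipsec-isakmp" in w:
            f.map_name = w[2]
            for line in body:
                p = line.split()
                if p[:2] == ["set", "peer"]:
                    f.map_peer = p[2]
                elif p[:2] == ["match", "address"]:
                    f.map_acl = p[2]
        elif header == "interface Virtual-PPP1":
            for line in body:
                p = line.split()
                if p[0] == "pseudowire":
                    f.pw_peer = p[1]
                elif p[:2] == ["crypto", "map"]:
                    f.vppp_map = p[2]
        elif header.startswith("interface Dialer"):
            f.dialer_negotiated = "ip address negotiated" in body
        elif header.startswith("ip access-list extended "):
            f.acl_l2tp[w[3]] = [m.groups() for m in map(L2TP_ACE.match, body) if m]
    return f


def check(f: TunnelFacts) -> List[str]:
    """Return hard problems (tunnel cannot come up); add soft caveats to findings."""
    problems: List[str] = []
    peers = {"crypto isakmp key": f.isakmp_peer, "crypto map set peer": f.map_peer,
             "Virtual-PPP1 pseudowire": f.pw_peer}
    if None in peers.values() or len(set(peers.values())) != 1:
        problems.append("peer address mismatch: " + ", ".join(f"{k}={v}" for k, v in peers.items()))
    if f.vppp_map != f.map_name:
        problems.append(f"Virtual-PPP1 applies crypto map {f.vppp_map!r}, defined map is {f.map_name!r}")
    aces = f.acl_l2tp.get(f.map_acl or "", [])
    if not any(dst == f.pw_peer for _, dst in aces):
        problems.append(f"crypto ACL {f.map_acl!r} has no UDP/1701 entry to pseudowire peer {f.pw_peer}")
    for src, _ in aces:
        if f.dialer_negotiated:
            f.findings.append(f"crypto ACL {f.map_acl}: source host {src} is fixed but the Dialer1 "
                              "address is negotiated; a new ISP lease silently breaks the match")
    return problems


def audit(text: str) -> Tuple[List[str], List[str]]:
    facts = extract(parse_stanzas(text))
    return check(facts), facts.findings


if __name__ == "__main__":
    problems, findings = audit(SAMPLE_CONFIG)
    for p in problems:
        print("PROBLEM:", p)
    for n in findings:
        print("FINDING:", n)
```

Run it against `show run` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents. Problems are the cross-reference failures that keep the tunnel from ever negotiating; findings are the hygiene caveats. Note that a consistent config can still stay down for the reason the thread's answer gives (the CHAP credentials themselves), which no static check can see, so the next step after a clean audit is `debug ppp authentication` on the Virtual-PPP interface.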

ryantalevski
Level 1
I have resolved my issue.

Turns out it was a username and password issue.

To correct this I had to log into my PIA account and generate a username and password for L2TP connections.