900 ISR L2TP VPN connection setup

T0mTheCat (Level 1)

Hi,

I am trying to create an L2TP VPN connection for users to remotely connect back to the office.

Can I set ip unnumbered GigabitEthernet5? Can I set it up this way, or do I have to create a loopback?

I am not sure which ip route I should create.

Please advise.

Much appreciated!

********************************************************************************

Building configuration...

Current configuration : 4712 bytes
!
! Last configuration change at 12:36:11 UTC Thu May 27 2021 by admin
!
version 15.8
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ZdLb$ZJXeo6.uhSrH0xzzwGsV..
!
aaa new-model
!
!
aaa authentication login avitavpn local
aaa authentication ppp VPDN_AUTH local
aaa authorization network default local
aaa authorization network avitanet local
!
!
!
!
!
!
aaa session-id common
memory-size iomem 25
clock timezone UTC 8 0
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.50
ip dhcp excluded-address 192.168.2.98 192.168.2.101
!
ip dhcp pool pool1
 import all
 network 192.168.2.0 255.255.255.0
 dns-server 165.21.83.88 165.21.100.88 8.8.8.8
 default-router 192.168.2.1
!
!
!
ip domain lookup source-interface GigabitEthernet5
ip domain name avitasg.webhop.org
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method dyndns
 HTTP
  add https://xxx@members.dyndns.org/v3/update?hostname=avitasg.webhop.org&myip=192.168.2.1
 interval minimum 0 12 0 0
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group g-l2tp
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
license udi pid C921-4P sn xxx
license accept end user agreement
license boot module c900 technology-package securityk9
!
!
username admin secret 5 $1$H.hT$XUDCemW8m6XcAz5ofvJFx/
username avita password 0 xxx
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxx address 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-md5-hmac
 mode transport
!
!
!
crypto dynamic-map avita 1
 set nat demux
 set transform-set avita
!
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic avita
!
!
!
!
!
interface GigabitEthernet0
 switchport access vlan 250
 switchport mode access
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 250
 switchport mode access
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 250
 switchport mode access
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 250
 switchport mode access
 no ip address
!
interface GigabitEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet5
 ip ddns update hostname avitasg.webhop.org
 ip ddns update dyndns
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet5
 peer default ip address pool l2tp-pool
 ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
 no ip address
!
interface Vlan250
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool l2tp-pool 10.10.10.10 10.10.10.15
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet5 overload
ip nat inside source static tcp 192.168.2.200 9999 interface GigabitEthernet5 9999
ip nat inside source static tcp 192.168.2.200 81 interface GigabitEthernet5 81
ip nat inside source static tcp 192.168.2.200 8000 interface GigabitEthernet5 8000
ip nat inside source static tcp 192.168.2.99 445 interface GigabitEthernet5 445
ip nat inside source static udp 192.168.2.99 137 interface GigabitEthernet5 137
ip nat inside source static udp 192.168.2.99 138 interface GigabitEthernet5 138
ip nat inside source static tcp 192.168.2.99 139 interface GigabitEthernet5 139
ip nat inside source static tcp 192.168.2.99 465 interface GigabitEthernet5 465
ip nat inside source static tcp 192.168.2.61 3389 interface GigabitEthernet5 3389
ip nat inside source static udp 192.168.2.99 1701 interface GigabitEthernet5 1701
ip nat inside source static udp 192.168.2.99 500 interface GigabitEthernet5 500
ip nat inside source static udp 192.168.2.99 4500 interface GigabitEthernet5 4500
ip nat inside source static udp 192.168.2.99 1194 interface GigabitEthernet5 1194
ip nat inside source static tcp 192.168.2.99 137 interface GigabitEthernet5 137
ip nat inside source static tcp 192.168.2.99 138 interface GigabitEthernet5 138
ip nat inside source static tcp 192.168.2.99 5001 interface GigabitEthernet5 5001
ip route 0.0.0.0 0.0.0.0 GigabitEthernet5
ip route 0.0.0.0 0.0.0.0 GigabitEthernet5 dhcp
!
!
!
snmp-server group snmpv3grp v3 auth
access-list 1 permit 192.168.2.0 0.0.0.255

Accepted Solution

Hello,

Use the loopback. You don't need any routing, as IPCP will automatically add the route(s):

--> interface Loopback1
--> description VPN L2TP
--> ip address 192.168.2.100
!
interface Virtual-Template1
ip unnumbered GigabitEthernet5
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH


Hi Georg!

Thank you for your reply!

I followed your commands; however, I have some questions.

R1(config)#interface loopback1
R1(config-if)#desc
R1(config-if)#description VPN L2TP

R1(config-if)#ip address 192.168.2.15 255.255.255.0
% 192.168.2.0 overlaps with Vlan250
R1(config-if)#ip address 192.168.2.100
% Incomplete command.

If I use a different IP address range, will the remote device be unable to detect the local network?

Thank you.
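A small config sanity check, added here as an example (it is not code from the thread or from Cisco), that reproduces the overlap IOS reports in the follow-up post and confirms that the L2TP client pool stays outside the LAN subnet. SAMPLE_CONFIG is a constructed excerpt of the running-config posted above with the Loopback1 from the accepted answer added; the function names are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above, plus the Loopback1 from the
# accepted answer with the /24 mask the follow-up post tried to use.
SAMPLE_CONFIG = """\
interface Loopback1
 ip address 192.168.2.100 255.255.255.0
!
interface GigabitEthernet5
 ip address dhcp
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet5
 peer default ip address pool l2tp-pool
!
interface Vlan250
 ip address 192.168.2.1 255.255.255.0
!
ip local pool l2tp-pool 10.10.10.10 10.10.10.15
"""

def parse_interfaces(config):
    """Map interface name -> IPv4Interface for every statically addressed interface."""
    addrs, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif current and (m := re.match(r"\s+ip address (\S+) (\S+)$", line)):
            # "ip address dhcp" and "ip unnumbered ..." carry no subnet and are skipped
            addrs[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return addrs

def parse_pools(config):
    """Map 'ip local pool' name -> (first address, last address)."""
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def find_overlaps(addrs):
    """Interface pairs whose connected subnets overlap; IOS rejects the second address."""
    names = sorted(addrs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if addrs[a].network.overlaps(addrs[b].network)]

def pools_overlapping_lan(pools, addrs):
    """Pools whose first or last address falls in a connected subnet (clients would collide with LAN hosts)."""
    return {name: [ifn for ifn, ifa in addrs.items() if lo in ifa.network or hi in ifa.network]
            for name, (lo, hi) in pools.items()
            if any(lo in ifa.network or hi in ifa.network for ifa in addrs.values())}
```

Running find_overlaps on the sample returns the Loopback1/Vlan250 pair, which is the same conflict the router printed as "% 192.168.2.0 overlaps with Vlan250".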
