
Configuring L2TP Client with No IPSEC/IKE on an ISR1100

sabu123
Level 1

Hi

Hoping someone can help.

I have an ISR 1100 and would like to connect it as an L2TP client with no IPSEC no encryption. I have seen various posts but most are for IKE/IPSEC.

I'm struggling to configure the tunnel in terminal, some of the examples I have seen suggest using virtual-ppp but when I try to enter the menu I get "invalid input detected" 


I don't need it to route traffic over the L2TP, this is purely for testing that the router can authenticate with the LNS.

Any help is appreciated, the tunnel config is as follows: username: test password: test IP address of LNS: 10.20.1.2 CHAP or PAP

Thank you


virtual-ppp is for multilink PPP.
Here you have L2TP, so you need virtual-template, not virtual-ppp.

Hi

Thanks for your message, I noticed there are PPP options under the Virtual-Template option so I added the UN and PWD there but cannot work out where I put the IP address? I have searched for an example but I cannot find one.

Any help is appreciated!

Thank you

Hi

I have successfully built the L2TP client on a mikrotik router and works fine. I'm a bit disappointed that Cisco doesn't support l2tp without ipsec. Or at least no one I've spoken to on the forum or outside of it knows how to configure it. I honestly thought that Cisco would support such a simple tunnel protocol like l2tp. Looks like we will be using mikrotik then.

Thanks anyway 

 

Hi

I have seen the example already but that is for IKE and I am just after no IKE no IPSEC no Crypto just a simple L2TP tunnel. I'm beginning to wonder if it is even possible in Cisco

Thanks

crypto map l2tpmap

Use the same config, just remove the IPsec config.
That's it.

Hi

I thought that's what I had done maybe I have set it up wrong:

Current configuration : 1385 bytes
!
upgrade fpd auto
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$/7mK$LNkfrxiV8osESh.zVmB5x0
!
no aaa new-model
ip source-route
ip cef
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 request-dialout
  protocol l2tp
 initiate-to ip 10.20.1.2
 source-ip 192.168.0.75
 local name test
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 $1$l0w2$36PMwNPqpshleIgGqYJOT.
username test password 0 test1234
archive
 log config
  hidekeys
! 
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 ip dhcp client hostname CISCO
 ip address dhcp
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit udp host 192.168.0.75 eq 1701 host 10.20.1.2 eq 1701
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input telnet
!
end

Thanks

sabu123
Level 1

Hi

I have spent all day on fiverr had 5 people give me 5 answers how this is done, and yet none of them work. Please can someone confirm if Cisco supports L2TP?

Up to now no one has managed to supply an answer or working config so I am considering alternative vendors as Cisco cannot support L2TP then I am massively disappointed. 3 People all with acronyms like CCNA after their names cannot make a L2TP binding but they did offer to do various courses for me which was nice but not necessary.

What a disappointment, everyone tells me how good Cisco is but with a 6 figure budget to spend I don't think I'll waste our money.

Hi friend,
First, keep cool.
Now,
the ISR router uses VPDN and builds L2TP between LAC and LNS in two cases:
1- it has a PPPoE client
2- it has a dialup client

The example I shared before is the dialup client, which forces the LAC to build L2TP to the LNS.



Now,
if the LAC doesn't have either, then you don't need VPDN; instead it can use L2tpv3.

I cannot run dialup in the lab, but I can easily run PPPoE with L2TP.

- LNS L2TP termination of PPPoE sessions with FreeRADIUS 2 (53bits.co.uk)

So what does your ISR router represent, LAC or LNS?

Hi

Thanks for your message but there is no LAC. There is no PPPoE.

This is really basic. It is simply an L2TP tunnel with the Cisco configured as a L2TP client. This is not a broadband ISP network, it is not an XDSL network. It is simple, very very simple L2TP client binding. So simple it works with 1 command in Mikrotik:

/interface l2tp-client
add connect-to=10.20.1.2 name=l2tp-out1 password=test1234 user=test

 Hence, I will buy Mikrotik because Cisco cannot do this 1 simple job.

Thanks

 

OK, now we have both reached the same point: you run the router as an L2TP client?
What is the L2TP server?

Hi

The LNS or L2TP server is Mikrotik. I have confirmed this is working correctly, if I use the Mikrotik command above on a Mikrotik Client router it connects instantly.

The problem is with Cisco or the config. I have sniffed every packet leaving the Cisco it never tries to connect to the LNS. Not 1 packet has ever left the router on port 1701 or any packet destined for 10.20.1.2 or any packet UDP I have sniffed and Wiresharked that port. It does nothing to even attempt to connect with the Cisco configuration I pasted a few messages back. So that would point to a bad config.

Everyone keeps mentioning LAC and PPPoE and don't seem to realise that L2TP is also used outside of Broadband networks like for VPNs which makes me think the Cisco is not capable of doing it. Maybe Cisco can only act as either LAC or LNS but not a simple L2TP client. That's fine, if I know that I can bin the Cisco and buy Mikrotik to replace it.

Thanks
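The capture check described in the post above, as an added example that is not part of the thread: a Python decoder for the L2TPv2 control header defined in RFC 2661, which is readable in a capture because plain L2TP on UDP 1701 is unencrypted. The function names and the sample packet are constructed for illustration.

```python
import struct

# Message Type AVP values from RFC 2661 (control connection and session setup).
MSG_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
             10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}

def parse_l2tp(payload: bytes) -> dict:
    """Decode the L2TPv2 header (and Message Type AVP) of one UDP/1701 payload."""
    try:
        (flags,) = struct.unpack_from("!H", payload, 0)
        if flags & 0x000F != 2:
            raise ValueError("not an L2TPv2 packet")
        off, end = 2, len(payload)
        if flags & 0x4000:                      # L bit: Length field present
            (length,) = struct.unpack_from("!H", payload, off)
            if length > len(payload):
                raise ValueError("truncated packet")
            off, end = off + 2, length
        tunnel_id, session_id = struct.unpack_from("!HH", payload, off)
        off += 4
        if flags & 0x0800:                      # S bit: Ns and Nr present
            off += 4
        info = {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id,
                "session_id": session_id, "message": None}
        if not info["control"]:
            return info                         # data message carrying PPP
        if off >= end:
            info["message"] = "ZLB"             # zero-length body acknowledgement
            return info
        avp_hdr, vendor, attr, value = struct.unpack_from("!HHHH", payload, off)
    except struct.error:
        raise ValueError("truncated packet") from None
    if (avp_hdr & 0x03FF, vendor, attr) != (8, 0, 0):
        raise ValueError("first AVP is not Message Type")
    info["message"] = MSG_TYPES.get(value, f"type-{value}")
    return info

def tunnel_progress(payloads) -> str:
    """Summarise how far control-connection setup got in a list of payloads."""
    seen = {parse_l2tp(p)["message"] for p in payloads}
    if "SCCRQ" not in seen:
        return "client never sent SCCRQ"
    if "SCCRP" not in seen:
        return "SCCRQ sent, no SCCRP from LNS"
    return "SCCCN sent, tunnel up" if "SCCCN" in seen else "SCCRP received, no SCCCN"

# Constructed sample: SCCRQ with only Message Type and Host Name ("test") AVPs.
SAMPLE_SCCRQ = bytes.fromhex("c802001e00000000" "00000000"
                             "8008000000000001" "800a0000000774657374")
```

Feed `tunnel_progress` the UDP payloads exported from the capture, in either direction; an empty list corresponds to the symptom described, where nothing leaves the router on port 1701.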

 

 

Just finally try the config below and check again.


interface FastEthernet0/0
 ip address x.x.x.x 
!
! Define the pseudowire class that will speak L2TP and the source interface.
!
pseudowire-class L2TP_PW
 encapsulation l2tpv2
 ip local interface FastEthernet0/0
!
! Create Virtual-PPP interface to bind the pseudowire class to.
!
interface Virtual-PPP1
 description L2TP Tunnel
 ip address negotiated
 ppp chap hostname *User Name*
 ppp chap password *Password*
 ppp ipcp address accept
 pseudowire <serverIP> 1 pw-class L2TP_PW  

That's it, I think.
And the above is not VPDN; it is simply L2tpv3 making the router run as an L2TP client.

Try the config above and check.
