Hi Balaji,

I did not see that line, however i use window 10 vpn connection unable to went thru at "verification"

any idea?

R1(config)#crypto map avitanet 1 ipsec-isakmp dynamic avita
R1(config)#int
R1(config)#interface gig5
R1(config-if)#cry
R1(config-if)#crypto ma
R1(config-if)#crypto map avitanet
R1(config-if)#
R1(config-if)#exit
R1(config)#exit
R1#

Hi Balaji,

*window 10 vpn connection unable to went thru at "verification"

Sorry the error earlier it was a mistake, i forgot to disconnect my vpn to my synology NAS, please ignore

Yes the router exposed to internet, user should be just using their own internet, and getting DHCP for VPN connection

Sorry, how do I get the debug enable?

Now I get below error instead

Building configuration...

Current configuration : 4734 bytes
!
! Last configuration change at 13:46:59 UTC Mon May 24 2021 by admin
!
version 15.8
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$ZdLb$ZJ
!
aaa new-model
!
!
aaa authentication login avitavpn local
aaa authorization network default local
aaa authorization network avitanet local
!
!
!
!
!
!
aaa session-id common
memory-size iomem 25
clock timezone UTC 8 0
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.50
ip dhcp excluded-address 192.168.2.98 192.168.2.101
!
ip dhcp pool pool1
import all
network 192.168.2.0 255.255.255.0
dns-server 165.21.83.88 165.21.100.88 8.8.8.8
default-router 192.168.2.1
!
!
!
ip domain lookup source-interface GigabitEthernet5
ip domain name avitasg.webhop.org
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method dyndns

!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group g-l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
license udi pid C921-4P sn
license accept end user agreement
license boot module c900 technology-package securityk9
!
!
username admin secret 5 $1$H.hT$XUDCemW
username avita password 0 xxx
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key xxx address 0.0.0.0
!
crypto isakmp client configuration group avitaWFH
key xxx
pool avita
!
!
crypto ipsec transform-set avita esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map avita 1
set nat demux
set transform-set avita
!
!
!
!
crypto map avitaWFH 65535 ipsec-isakmp dynamic avita
!
!
!
!
!
!
interface GigabitEthernet0
switchport access vlan 250
switchport mode access
no ip address
!
interface GigabitEthernet1
switchport access vlan 250
switchport mode access
no ip address
!
interface GigabitEthernet2
switchport access vlan 250
switchport mode access
no ip address
!
interface GigabitEthernet3
switchport access vlan 250
switchport mode access
no ip address
!
interface GigabitEthernet4
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet5
ip ddns update hostname avitasg.webhop.org
ip ddns update dyndns
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map avitaWFH
!
interface Virtual-Template1
ip unnumbered GigabitEthernet5
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2
!
interface Vlan1
no ip address
!
interface Vlan250
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool l2tp-pool 10.10.10.10 10.10.10.15
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet5 overload
ip nat inside source static tcp 192.168.2.200 9999 interface GigabitEthernet5 9999
ip nat inside source static tcp 192.168.2.200 81 interface GigabitEthernet5 81
ip nat inside source static tcp 192.168.2.200 8000 interface GigabitEthernet5 8000
ip nat inside source static tcp 192.168.2.99 445 interface GigabitEthernet5 445
ip nat inside source static udp 192.168.2.99 137 interface GigabitEthernet5 137
ip nat inside source static udp 192.168.2.99 138 interface GigabitEthernet5 138
ip nat inside source static tcp 192.168.2.99 139 interface GigabitEthernet5 139
ip nat inside source static tcp 192.168.2.99 465 interface GigabitEthernet5 465
ip nat inside source static tcp 192.168.2.61 3389 interface GigabitEthernet5 3389
ip nat inside source static udp 192.168.2.99 1701 interface GigabitEthernet5 1701
ip nat inside source static udp 192.168.2.99 500 interface GigabitEthernet5 500
ip nat inside source static udp 192.168.2.99 4500 interface GigabitEthernet5 4500
ip nat inside source static udp 192.168.2.99 1194 interface GigabitEthernet5 1194
ip nat inside source static tcp 192.168.2.99 137 interface GigabitEthernet5 137
ip nat inside source static tcp 192.168.2.99 138 interface GigabitEthernet5 138
ip nat inside source static tcp 192.168.2.99 5001 interface GigabitEthernet5 5001
ip route 0.0.0.0 0.0.0.0 GigabitEthernet5 dhcp
!
!
!
snmp-server group snmpv3grp v3 auth
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
password avita0108
line vty 0 4
password avita0108
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
!
end

First we need to check make sure the request passing your Internet FW and reaching the Router ?

run debug - debug ppp negotiation 

https://www.cisco.com/c/en/us/support/docs/dial-access/virtual-private-dialup-network-vpdn/20980-vpdn-20980.html

Hi Balaji,

We do not have a firewall

R1#debug ppp negotiation
PPP protocol negotiation debugging is on

Much appreciate your help! =D

We do not have a firewall

then how is this device exposed to Internet, i was only advising to check is the Packets or traffic allowed inside to this router  First before we get on other issues.

Hi Balaji,

There is a modem connected directly to gig5 port to the internet, yes, local network and internet inside is all working fine.

Thank you.

There is a modem connected directly to gig5 port to the internet,

is this ISP Modem ? is this have feature to port-forward outside to inside settings ?

Internet work inside to outside, the concern here outside to inside ?  enable debug and test client see any incoming connections ?

Hi Balaji,

Thank you for your prompt respond, yes is a Fibre Optics ONT ISP modem, however this modem is configured only for DHCP Public IP.

I do not think there is any port forward or setting be done there.

I believe debug is enable, how to test client incoming connection?

Thank you.

if it connected to ONT, then your device need to act as Router make Port-forward for the L2TP connection.

is the DHCP from provide is Public IP address ? which is assinged to your router

can you post show ip interface brief and show ip route

Hi Balaji,

*is the DHCP from provide is Public IP address ? which is assinged to your router*

Yes, you are right

R1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0 unassigned YES unset up up
GigabitEthernet1 unassigned YES unset up up
GigabitEthernet2 unassigned YES unset up up
GigabitEthernet3 unassigned YES unset down down
GigabitEthernet4 unassigned YES NVRAM administratively down down
GigabitEthernet5 128.106.149.52 YES DHCP up up
NVI0 unassigned YES unset up up
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 128.106.149.52 YES unset down down
Vlan1 unassigned YES unset down down
Vlan250 192.168.2.1 YES NVRAM up up

R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 128.106.149.254 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 128.106.149.254, GigabitEthernet5
128.106.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 128.106.149.0/24 is directly connected, GigabitEthernet5
L 128.106.149.52/32 is directly connected, GigabitEthernet5
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, Vlan250
L 192.168.2.1/32 is directly connected, Vlan250

please advise what will be the port forward command?

thank you.

In  this you do not need any port forward, since the router directly connected to Internet.  ( from Internet are you able to ping your Public side IP address?)

i see couple of issue with config - authenticaiton and other stuff (i may be outside can not check line by line to confirm)

use below exact document for your setup to work :

https://community.cisco.com/t5/security-documents/l2tp-over-ipsec-on-cisco-ios-router-using-windows-8/ta-p/3142831

Hi Balaji,

In  this you do not need any port forward, since the router directly connected to Internet.  ( from Internet are you able to ping your Public side IP address?)

yes, able to ping

Any idea why "hash sha" never show up but "hash md5" do?

show run -

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2