11-18-2018 10:32 AM - edited 03-05-2019 11:03 AM
Hi,
I am trying to provide remote VPN access to the office via L2TP/IPSec with the built-in Windows client. The tunnel is established successfully, but I cannot reach the remote network. No ping to remote hosts. It seems there is no routing between the Virtual-Access and LAN interfaces.
sh run:
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
description VPDN_L2TP_GROUP
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
ip pmtu
ip mtu adjust
license accept end user agreement
license boot level appxk9
license boot level uck9
license boot level securityk9
file privilege 0
diagnostic bootup level minimal
spanning-tree extend system-id
!
crypto keyring KEYRING_L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key <key>
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp profile L2TP
keyring KEYRING_L2TP
match identity address 0.0.0.0
!
!
crypto ipsec transform-set L2TP_TSET1 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set L2TP_TSET2 esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set L2TP_TSET3 esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map L2TP_DMAP 1000
set transform-set L2TP_TSET1 L2TP_TSET2
set isakmp-profile L2TP
set nat demux
reverse-route
!
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic L2TP_DMAP
!
interface Loopback0
ip address 192.168.168.1 255.255.255.0
!
interface GigabitEthernet0/0/0
description -=WAN=-
ip address X.X.X.250 255.255.255.248
no ip redirects
negotiation auto
no cdp enable
crypto map CRYPTO_MAP
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description -=LAN=-
ip address 192.168.8.11 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.8.4 255.255.255.0
negotiation auto
!
interface Virtual-Template1
description L2TP_VIF
ip unnumbered Loopback0
peer default ip address pool L2TP_ADDR_POOL
keepalive 5
ppp authentication ms-chap-v2
ppp ipcp dns 192.168.8.33
ip virtual-reassembly
!
interface Virtual-Access2
mtu 1460
!
ip local pool L2TP_ADDR_POOL 192.168.168.10 192.168.168.100
ip default-gateway X.X.X.249
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 X.X.X.249
Where did I go wrong?
I'd appreciate your help. Thank you in advance!
11-18-2018 11:06 AM
Hello,
I think you are missing the NAT part. I have made some changes to your config (marked in bold):
sh run:
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
description VPDN_L2TP_GROUP
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
ip pmtu
ip mtu adjust
!
license accept end user agreement
license boot level appxk9
license boot level uck9
license boot level securityk9
file privilege 0
diagnostic bootup level minimal
spanning-tree extend system-id
!
crypto keyring KEYRING_L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key <key>
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
!
crypto isakmp profile L2TP
keyring KEYRING_L2TP
match identity address 0.0.0.0
!
crypto ipsec transform-set L2TP_TSET1 esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set L2TP_TSET2 esp-aes esp-sha-hmac
mode transport
crypto ipsec transform-set L2TP_TSET3 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map L2TP_DMAP 1000
set transform-set L2TP_TSET1 L2TP_TSET2
set isakmp-profile L2TP
reverse-route
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic L2TP_DMAP
!
interface Loopback0
ip address 192.168.168.1 255.255.255.0
!
interface GigabitEthernet0/0/0
description -=WAN=-
ip address X.X.X.250 255.255.255.248
ip nat outside
no ip redirects
negotiation auto
no cdp enable
crypto map CRYPTO_MAP
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description -=LAN=-
ip address 192.168.8.11 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.8.4 255.255.255.0
negotiation auto
!
interface Virtual-Template1
description L2TP_VIF
ip unnumbered GigabitEthernet0/0/0
ip nat inside
peer default ip address pool L2TP_ADDR_POOL
keepalive 5
ppp authentication ms-chap-v2
ppp ipcp dns 192.168.8.33
ip virtual-reassembly
!
interface Virtual-Access2
mtu 1460
!
ip local pool L2TP_ADDR_POOL 192.168.168.10 192.168.168.100
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
--> no ip default-gateway X.X.X.249
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 X.X.X.249
!
access-list 1 permit 192.168.168.0
11-18-2018 01:58 PM
Thank you George,
I removed NAT myself because I thought it was the cause of the problem.
License features:
Feature name        Enforcement  Evaluation  Subscription  Enabled  RightToUse
appxk9              yes          yes         no            yes      yes
uck9                yes          yes         no            yes      yes
securityk9          yes          yes         no            yes      yes
ipbasek9            no           no          no            yes      no
FoundationSuiteK9   yes          yes         no            no       yes
AdvUCSuiteK9        yes          yes         no            no       yes
cme-srst            yes          yes         no            no       yes
hseck9              yes          no          no            no       no
throughput          yes          yes         no            yes      yes
internal_service    yes          no          no            no       no
There are some differences between the NAT configuration I set before and yours, concerning the 'no ip default-gateway' command and the subnet in the 'access-list'. My NAT setup doesn't work with L2TP. I'll try to implement your proposal soon.
11-18-2018 02:02 PM
Hello,
Since you have a default route, you don't need the default gateway.
Curious to know if the revised config works...
11-18-2018 03:01 PM - edited 11-18-2018 03:07 PM
You can see the output of the show license feature command above. The K9 licenses are activated and are in the 'In-use' state.
I've implemented your NAT config... but the same problem haunts me again. No access to the remote subnet.
I can't even ping the router's LAN interface. As far as I can see, there is no route in Windows. If so, I can add it:
route add 192.168.8.0 mask 255.255.255.0 192.168.168.X
OK, the LAN interface is accessible now, but not the hosts in the remote network. I checked its default gateway and it points to the router's LAN interface as it should.
I have no idea why it works this way.
11-18-2018 11:07 AM
Also, post the output of 'show license feature'...
11-22-2018 05:18 AM
Reason: the switch behind the router has a default gateway only. A route should be set to the router.
The Cisco switch "ip default-gateway" command sets the default gateway for the switch itself only, not for traffic passing through the switch.
If you need the switch to route traffic (a Cisco switch, normally), you need to add "ip route 0.0.0.0 0.0.0.0 192.168.8.11" in my case.
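To make the default-path point from this thread checkable, here is an added example (not from any post above) that lints IOS-style config text for the two mistakes discussed: an L3 switch that has only 'ip default-gateway' while 'ip routing' is on, and a router that keeps 'ip default-gateway' beside a static default route. The config snippets are constructed; the function and its names are mine.

```python
import re
from typing import List, Optional

# Patterns for the two ways an IOS device can name its default next hop.
DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
DEFAULT_GW = re.compile(r"^ip default-gateway (\S+)")


def lint_default_path(config: str, routing_enabled: Optional[bool] = None) -> List[str]:
    """Return findings about how a device reaches its default path.

    routing_enabled=None infers it from an explicit 'ip routing' line, which is
    how an L3 switch shows it. Routers route by default and do not show the
    line, so pass routing_enabled=True for a router config.
    """
    lines = [line.strip() for line in config.splitlines()]
    if routing_enabled is None:
        routing_enabled = "ip routing" in lines and "no ip routing" not in lines
    gw = next((m.group(1) for line in lines if (m := DEFAULT_GW.match(line))), None)
    route = next((m.group(1) for line in lines if (m := DEFAULT_ROUTE.match(line))), None)

    findings = []
    if routing_enabled and gw and not route:
        # 'ip default-gateway' is honoured only while IP routing is disabled;
        # with routing on, transit traffic (e.g. replies to the VPN pool) has
        # no default path and is dropped.
        findings.append(f"transit traffic has no default route: add 'ip route 0.0.0.0 0.0.0.0 {gw}'")
    if routing_enabled and gw and route:
        findings.append("'ip default-gateway' is redundant beside the static default route: remove it")
    if routing_enabled and not gw and not route:
        findings.append("no default path configured")
    return findings


# Constructed: the L3 switch behind the router, before and after the fix.
SWITCH_BEFORE = "ip routing\nip default-gateway 192.168.8.11\n"
SWITCH_AFTER = "ip routing\nip route 0.0.0.0 0.0.0.0 192.168.8.11\n"
# Constructed: the VPN router's original default-path lines (routing is on by default).
ROUTER_ORIG = "ip default-gateway X.X.X.249\nip route 0.0.0.0 0.0.0.0 X.X.X.249\n"

if __name__ == "__main__":
    for name, cfg, routing in [("switch before", SWITCH_BEFORE, None),
                               ("switch after", SWITCH_AFTER, None),
                               ("router", ROUTER_ORIG, True)]:
        print(name, lint_default_path(cfg, routing) or ["ok"])
```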