L2TP access problem on Cisco CISCO1941/K9

pmartinez4191
Level 1

Hi everyone,

I am having trouble setting up an L2TP access VPN on a Cisco 1900. The VPN comes up correctly and I can ping the router's local interfaces, but I cannot access the LAN.

I have the same configuration on a 1800 router working properly.

vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
crypto ipsec transform-set L2TP esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP-MAP 11
 set nat demux
 set transform-set L2TP
!
crypto map VPN-CRYPTO 11 ipsec-isakmp dynamic L2TP-MAP
!
interface Loopback100
 ip address 192.168.202.254 255.255.255.0
!
interface Virtual-Template2
 ip unnumbered Loopback100
 zone-member security inside
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
!
ip local pool L2TP-POOL 192.168.202.10 192.168.202.200

 

Then, I have applied the crypto map to the Dialer interface:

RO-AJ#show crypto ipsec sa peer XXX

interface: Dialer1
Crypto map tag: VPN-CRYPTO, local addr x.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/17/4500)
current_peer x.x.x.x port 4500
PERMIT, flags={}
#pkts encaps: 657, #pkts encrypt: 657, #pkts digest: 657
#pkts decaps: 6832, #pkts decrypt: 6832, #pkts verify: 6832
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: x.x.x.x remote crypto endpt.: x.x.x.x
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x70BE3D4C(1891515724)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xDF6D1B42(3748469570)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 3543, flow_id: Onboard VPN:1543, sibling_flags 80000000, crypto map: VPN-CRYPTO
sa timing: remaining key lifetime (k/sec): (227299/1433)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x70BE3D4C(1891515724)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 3544, flow_id: Onboard VPN:1544, sibling_flags 80000000, crypto map: VPN-CRYPTO
sa timing: remaining key lifetime (k/sec): (227669/1433)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Could someone tell me what I'm doing wrong? Thanks in advance.
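The SA counters in the output above show both ESP SAs ACTIVE with no send or receive errors, while the router has decrypted roughly ten times as many packets as it has encrypted. As an added example (not code from the original post), the following Python script parses a "show crypto ipsec sa peer" output and names the layer to inspect next; the sample output is constructed from the post's counters with documentation-range addresses, and the 3x decaps/encaps threshold is an assumed heuristic of my own.

```python
import re

# Constructed sample modelled on the 'show crypto ipsec sa peer' output in the
# post; the addresses are RFC 5737 documentation ranges, not the poster's peers.
SAMPLE = """\
interface: Dialer1
Crypto map tag: VPN-CRYPTO, local addr 198.51.100.1
local ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (203.0.113.7/255.255.255.255/17/4500)
#pkts encaps: 657, #pkts encrypt: 657, #pkts digest: 657
#pkts decaps: 6832, #pkts decrypt: 6832, #pkts verify: 6832
#send errors 0, #recv errors 0
inbound esp sas:
 in use settings ={Transport UDP-Encaps, }
 Status: ACTIVE(ACTIVE)
outbound esp sas:
 in use settings ={Transport UDP-Encaps, }
 Status: ACTIVE(ACTIVE)
"""

def parse_ipsec_sa(text):
    """Extract the fields that matter for a 'tunnel up, LAN unreachable' case."""
    def count(label):
        m = re.search(r"#pkts %s: (\d+)" % label, text)
        return int(m.group(1)) if m else 0
    idents = re.findall(
        r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/[\d.]+/(\d+)/(\d+)\)",
        text)
    return {
        "encaps": count("encaps"),
        "decaps": count("decaps"),
        "send_errors": int(re.search(r"#send errors (\d+)", text).group(1)),
        "recv_errors": int(re.search(r"#recv errors (\d+)", text).group(1)),
        "transport_nat_t": "Transport UDP-Encaps" in text,
        "active_sas": len(re.findall(r"Status: ACTIVE", text)),
        # side -> (address, IP protocol, port); L2TP over IPsec is UDP (17) port 1701
        "idents": {s: (ip, int(pr), int(po)) for s, ip, pr, po in idents},
    }

def diagnose(sa):
    """Name the layer to inspect next; the 3x ratio is a heuristic, not a Cisco rule."""
    if sa["active_sas"] < 2 or sa["send_errors"] or sa["recv_errors"]:
        return "ipsec"       # SA pair not up or ESP errors: look at the crypto config
    if sa["idents"].get("local", ("", 0, 0))[1:] != (17, 1701):
        return "l2tp"        # proxy identity is not UDP/1701: check the vpdn-group
    if sa["decaps"] > 3 * sa["encaps"]:
        return "forwarding"  # decrypts far more than it encrypts: return traffic is not
                             # entering the tunnel; check routes to the pool and zone pairs
    return "ok"
```

Run it against a real "show crypto ipsec sa peer" capture by replacing SAMPLE; a "forwarding" result means the crypto map is doing its job and the LAN return path (routes to the pool subnet, zone pairs) is where to look.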

4 Replies

Cristian Matei
VIP Alumni

Hi,


Do you have Zone Based Policy Firewall configured? If yes, can you post the config? If not, remove this command from the Virtual-Template interface: "no zone-member security inside" and see if it works. If it doesn't, can you post the full config?


Regards,

Cristian Matei.

Yes, I have a zone based policy firewall configured.

But I put the virtual template in the same zone as the LAN interface, so if I enter the "no zone-member security inside" command under the virtual-template configuration I'm sure it won't work properly, because the traffic will come from a "no zone interface" to another "interface zone", and I think that's not permitted.

 

In any case, I attach the configuration file. I have omitted information for security reasons.

Hi,


Once connected via the VPN you'll be attached to the "inside zone". Which zones are you trying to reach that don't work? Does access to the "inside" zone not work either? I see you have this ACL "ACCESS-VPN-TO-LAN", which is not applied.

 

Regards,

Cristian Matei.

Hello,

I'm trying to access the "inside zone", and it doesn't work.

The access-list ACCESS-VPN-TO-LAN is designed to limit the traffic to the LAN from VPN clients.

But it is not applied yet, until the VPN works properly.