Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4452
Views
0
Helpful
4
Replies

l2tp/ipsec vpn tunnel between cisco routers

lishniy
Level 1
Level 1

‎10-30-2018 02:36 AM - edited ‎03-05-2019 11:01 AM

Hi. I'm newbie with cisco. Tried connect cisco 1811 and cisco 881.

Снимок.PNG

cisco 1811 as server config

no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname cisco-m1
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 5 log
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp VPDN_AUTH local
    !
    aaa session-id common
    no ip source-route
    ip cef
    !
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.33.1 192.168.33.10
    !
    ip dhcp pool LAN
       import all
       network 192.168.33.0 255.255.255.0
       default-router 192.168.33.1
       dns-server 192.168.33.1
    !
    !
    no ip bootp server
    ip domain name wizard
    ip name-server 8.8.8.8
    ip name-server 77.88.8.8
    ip name-server 1.1.1.1
    vpdn enable
    !
    vpdn-group L2TP
    ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
     no l2tp tunnel authentication
    !
    !
    !
    !
    username admin privilege 15 secret 5 $1$8PXC$3QykP9PmpxrrieYXH33Hz/
    username office privilege 15 password 7 06573E735B1D0C58
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key SuperKolobok address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set L2TP-Set esp-3des esp-sha-hmac
     mode transport
    !
    crypto dynamic-map dyn-map 10
     set nat demux
     set transform-set L2TP-Set
    !
    !
    crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
    !
    !
    !
    interface FastEthernet0/0
     description === Internet ===
     ip address dhcp
     no ip redirects
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     no cdp enable
     crypto map outside_map
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet0/0/0
    !
    interface FastEthernet0/0/1
    !
    interface FastEthernet0/0/2
    !
    interface FastEthernet0/0/3
    !
    interface Virtual-Template1
     ip unnumbered FastEthernet0/0
     peer default ip address pool my_pool
     ppp authentication ms-chap-v2 VPDN_AUTH
    !
    interface Vlan1
     description === LAN ===
     ip address 192.168.33.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    ip local pool my_pool 192.168.38.10 192.168.38.200
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 15 interface FastEthernet0/0 overload
    ip dns server
    !
    ip access-list extended FIREWALL
     permit tcp any any eq 22
    !
    access-list 15 permit 192.168.33.0 0.0.0.255
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     access-class 23 in
     exec-timeout 60 0
     privilege level 15
     logging synchronous
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    end

I can connect from windows to this router.

And second client config

no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname cisco
    !
    boot-start-marker
    boot-end-marker
    !
    !
    security authentication failure rate 5 log
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    !
    !
    !
    !
    !
    aaa session-id common
    !
    memory-size iomem 10
    crypto pki token default removal timeout 0
    !
    !
    no ip source-route
    !
    !
    !
    ip dhcp excluded-address 192.168.81.1
    !
    ip dhcp pool LAN
     import all
     network 192.168.81.0 255.255.255.0
     default-router 192.168.81.1
     dns-server 192.168.81.1
    !
    !
    ip cef
    no ip bootp server
    ip domain name wizard
    ip name-server 8.8.8.8
    ip name-server 77.88.8.8
    ip name-server 1.1.1.1
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    license udi pid CISCO881-SEC-K9 sn xxxxxx
    !
    !
    username admin privilege 15 secret 4 cJEHTWJcGi7nngW/tDdtmTd.aBJYqGTk5zlVP3d4Nbc
    !
    !
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    pseudowire-class class1
     encapsulation l2tpv2
     ip local interface FastEthernet4
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
     lifetime 3600
    crypto isakmp key SuperKolobok address 192.168.30.37
    !
    !
    crypto ipsec transform-set L2TP-Set esp-3des esp-sha-hmac
     mode transport
    !
    crypto dynamic-map dyn-map 10
     set peer 192.168.30.37
     set transform-set L2TP-Set
    !
    !
    crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
    !
    !
    !
    !
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
    !
    interface FastEthernet2
     no ip address
    !
    interface FastEthernet3
     no ip address
    !
    interface FastEthernet4
     description === Internet ===
     ip address dhcp
     no ip redirects
     no ip proxy-arp
     ip nat outside
     no ip virtual-reassembly in
     duplex auto
     speed auto
     no cdp enable
     crypto map outside_map
    !
    interface Virtual-PPP1
     description -= VPN L2TP client =-
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     ppp authentication ms-chap-v2 callin
     ppp chap hostname office
     ppp chap password 7 06573E735B1D0C58
     ppp ipcp address accept
     no cdp enable
     pseudowire 192.168.30.37 1 pw-class class1
    !
    interface Vlan1
     description === LAN ===
     ip address 192.168.81.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    ip nat inside source list 15 interface FastEthernet4 overload
    ip route 192.168.38.0 255.255.255.0 Virtual-PPP1
    ip route 0.0.0.0 0.0.0.0 dhcp
    !
    access-list 15 permit 192.168.81.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     access-class 23 in
     exec-timeout 60 0
     privilege level 15
     logging synchronous
     transport input telnet ssh
    !
    ntp update-calendar
    ntp server 0.pool.ntp.org
    ntp server ntp2.stratum2.ru
    end

And there is a problem. vpn doest't work

 Oct 30 08:21:44.852: PPP: Alloc Context [85E560DC]
    Oct 30 08:21:44.852: ppp5 PPP: Phase is ESTABLISHING
    Oct 30 08:21:44.852: Vp1 PPP: Using default call direction
    Oct 30 08:21:44.856: Vp1 PPP: Treating connection as a dedicated line
    Oct 30 08:21:44.856: Vp1 PPP: Session handle[2F000001] Session id[5]
    Oct 30 08:21:44.856: Vp1 LCP: Event[OPEN] State[Initial to Starting]
    Oct 30 08:21:44.856: Vp1 LCP: O CONFREQ [Starting] id 1 len 15
    Oct 30 08:21:44.856: Vp1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
    Oct 30 08:21:44.856: Vp1 LCP:    MagicNumber 0xF2CF7208 (0x0506F2CF7208)
    Oct 30 08:21:44.856: Vp1 LCP: Event[UP] State[Starting to REQsent]d
    Oct 30 08:21:46.852: Vp1 LCP: O CONFREQ [REQsent] id 2 len 15
    Oct 30 08:21:46.852: Vp1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
    Oct 30 08:21:46.852: Vp1 LCP:    MagicNumber 0xF2CF7208 (0x0506F2CF7208)
    Oct 30 08:21:46.852: Vp1 LCP: Event[Timeout+] State[REQsent to REQsent]
    Oct 30 08:21:46.852: Vp1 LCP: I CONFREQ [REQsent] id 1 len 15
    Oct 30 08:21:46.852: Vp1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
    Oct 30 08:21:46.852: Vp1 LCP:    MagicNumber 0x225F17AF (0x0506225F17AF)
    Oct 30 08:21:46.852: Vp1 LCP: O CONFACK [REQsent] id 1 len 15
    Oct 30 08:21:46.852: Vp1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
    Oct 30 08:21:46.852: Vp1 LCP:    MagicNumber 0x225F17AF (0x0506225F17AF)
    Oct 30 08:21:46.852: Vp1 LCP: Event[Receive ConfReq+] State[REQsent to ACKsent]
    Oct 30 08:21:46.852: Vp1 LCP: I CONFACK [ACKsent] id 2 len 15
    Oct 30 08:21:46.852: Vp1 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
    Oct 30 08:21:46.852: Vp1 LCP:    MagicNumber 0xF2CF7208 (0x0506F2CF7208)
    Oct 30 08:21:46.852: Vp1 LCP: Event[Receive ConfAck] State[ACKsent to Open]
    Oct 30 08:21:46.856: Vp1 PPP: Queue CHAP code[1] id[1]
    Oct 30 08:21:46.884: Vp1 PPP: Phase is AUTHENTICATING, by both
    Oct 30 08:21:46.884: Vp1 MS-CHAP-V2: O CHALLENGE id 1 len 27 from "office"
    Oct 30 08:21:46.884: Vp1 CHAP: Redirect packet to Vp1
    Oct 30 08:21:46.884: Vp1 MS-CHAP-V2: I CHALLENGE id 1 len 29 from "cisco-m1"
    Oct 30 08:21:46.884: Vp1 LCP: State is Open
    Oct 30 08:21:46.888: Vp1 MS CHAP V2: Using hostname from interface CHAP
    Oct 30 08:21:46.888: Vp1 MS CHAP V2: Using password from interface CHAP
    Oct 30 08:21:46.888: Vp1 MS-CHAP-V2: O RESPONSE id 1 len 60 from "office"
    Oct 30 08:21:46.892: Vp1 MS-CHAP-V2: I RESPONSE id 1 len 62 from "cisco-m1"
    Oct 30 08:21:46.896: Vp1 MS-CHAP-V2: O FAILURE id 1 len 13 msg is "E=691 R=0"
    Oct 30 08:21:46.896: Vp1 PPP DISC: User failed MSCHAP-V2 authentication
    Oct 30 08:21:46.896: Vp1 PPP: Sending Acct Event[Down] id[D]
    Oct 30 08:21:46.896: PPP: NET STOP send to AAA.
    Oct 30 08:21:46.896: Vp1 LCP: Event[CLOSE] State[Open to Closing]
    Oct 30 08:21:46.896: Vp1 PPP: Phase is TERMINATIN

What i'm doing wrong?

Labels:
0 Helpful
4 Replies 4

Georg Pauwen
VIP
VIP

‎10-30-2018 03:05 AM

Hello,

 

what are you trying to accomplish ? Use both routers as VPDN servers ? Or establish a VPN between both routers ?

0 Helpful

lishniy
Level 1
Level 1
In response to Georg Pauwen

‎10-30-2018 03:12 AM

establish a VPN between both routers

0 Helpful

Georg Pauwen
VIP
VIP
In response to Georg Pauwen

‎10-30-2018 03:53 AM

Hello,

 

I think you are missing the access lists. Also, since your peers are both dynamic, delete the static peer. You probably still need dynamic DNS (DDNS), since both of your peers are dynamic.

 

Below are what I think should work (changes marked in bold):

 

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco-m1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 5 log
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp VPDN_AUTH local
!
aaa session-id common
no ip source-route
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.33.1 192.168.33.10
!
ip dhcp pool LAN
import all
network 192.168.33.0 255.255.255.0
default-router 192.168.33.1
dns-server 192.168.33.1
!
no ip bootp server
ip domain name wizard
ip name-server 8.8.8.8
ip name-server 77.88.8.8
ip name-server 1.1.1.1
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username admin privilege 15 secret 5 $1$8PXC$3QykP9PmpxrrieYXH33Hz/
username office privilege 15 password 7 06573E735B1D0C58
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600

!
crypto isakmp key SuperKolobok address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-Set esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set
!
crypto map outside_map 10 ipsec-isakmp
match addess VPN_TRAFFIC
set peer cisco1.cisco.com dynamic
set transform-set L2TP-Set
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface FastEthernet0/0
description === Internet ===
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map outside_map
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Virtual-Template1
ip unnumbered FastEthernet0/0
peer default ip address pool my_pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
description === LAN ===
ip address 192.168.33.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool my_pool 192.168.38.10 192.168.38.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
ip dns server
!
ip access-list extended FIREWALL
permit tcp any any eq 22
!
ip access-list extended VPN_TRAFFIC
permit 192.168.33.0 0.0.0.255 192.168.81.0 0.0.0.255
!
access-list 101 deny 192.168.33.0 0.0.0.255 192.168.81.0 0.0.0.255
access-list 101 permit 192.168.33.0 0.0.0.255 any

!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 60 0
privilege level 15
logging synchronous
transport input telnet ssh
!
scheduler allocate 20000 1000
end

--------------------------------

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 5 log
!
aaa new-model
!
aaa authentication login default local
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
no ip source-route
!
ip dhcp excluded-address 192.168.81.1
!
ip dhcp pool LAN
import all
network 192.168.81.0 255.255.255.0
default-router 192.168.81.1
dns-server 192.168.81.1
!
ip cef
no ip bootp server
ip domain name wizard
ip name-server 8.8.8.8
ip name-server 77.88.8.8
ip name-server 1.1.1.1
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn xxxxxx
!
username admin privilege 15 secret 4 cJEHTWJcGi7nngW/tDdtmTd.aBJYqGTk5zlVP3d4Nbc
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
pseudowire-class class1
encapsulation l2tpv2
ip local interface FastEthernet4
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600

!
crypto isakmp key SuperKolobok address 192.168.30.37
!
crypto ipsec transform-set L2TP-Set esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set transform-set L2TP-Set
!
crypto map outside_map 10 ipsec-isakmp
match address VPN_TRAFFIC
set peer cisco2.cisco.com dynamic
set transform-set L2TP-Set
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description === Internet ===
ip address dhcp
no ip redirects
no ip proxy-arp
ip nat outside
no ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map outside_map
!
interface Virtual-PPP1
description -= VPN L2TP client =-
ip address negotiated
ip nat outside
ip virtual-reassembly in
ppp authentication ms-chap-v2 callin
ppp chap hostname office
ppp chap password 7 06573E735B1D0C58
ppp ipcp address accept
no cdp enable
pseudowire 192.168.30.37 1 pw-class class1
!
interface Vlan1
description === LAN ===
ip address 192.168.81.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 101 interface FastEthernet4 overload
ip route 192.168.38.0 255.255.255.0 Virtual-PPP1
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended VPN_TRAFFIC
permit 192.168.81.0 0.0.0.255 192.168.33.0 0.0.0.255
!
access-list 101 deny 192.168.81.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 101 permit 192.168.81.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 60 0
privilege level 15
logging synchronous
transport input telnet ssh
!
ntp update-calendar
ntp server 0.pool.ntp.org
ntp server ntp2.stratum2.ru
end

 

0 Helpful

paul driver
VIP
VIP

‎10-30-2018 03:18 AM

Hello

 

Try changing the transform sets to both tunnel mode and provide an access-list to match interesting traffic?

cisco-m1i

access-list 100 permit ip 192.168.33.0 0.0.0.255 192.168.81.0 0.0.0.255

crypto ipsec transform-set L2TP-Set esp-3des esp-sha-hmac
 mode tunnel
 
crypto dynamic-map dyn-map 10

match ip address 100

 

 

 

cisco

access-list 100 permit ip  192.168.81.0 0.0.0.255 192.168.33.0 0.0.0.255

crypto ipsec transform-set L2TP-Set esp-3des esp-sha-hmac
 mode tunnel
 
crypto dynamic-map dyn-map 10

match ip address 100

 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card