L2TP port left open on ISR G2

kab00m
Level 1

Greetings,

 

I am using several ISR G2 routers (819, 2901, etc.) configured as L2TP/IPSec VPN concentrators. I followed the standard documents, and the vpdn part now looks as follows:

vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication

Working with non-standard clients, like strongswan + xl2tpd, I have noticed that a misconfigured client is able to exchange non-encrypted traffic in the L2TP tunnel. I.e. if IPSec is not up, the L2TP tunnel works by itself and I can tcpdump non-encrypted traffic. This is not happening with out-of-the-box clients like Windows or Android. I believe those block clear L2TP traffic when IPSec is not ready.

I am concerned with two things: 1. I am not guaranteed that VPN traffic is secure for some of the company's employees, and 2. I do not want an unused port to be accessible on the router.

I can block this port with ZBFW, but is there any other way to tell the router on which interfaces it should listen for L2TP on UDP 1701?

Sincerely yours.
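The condition described in the post (L2TP on UDP 1701 flowing outside IPSec) is easy to detect on the wire, and a concentrator operator may want a check for it while the port stays open. The following is an added example, not code from the post or from Cisco: it parses the L2TPv2 header (RFC 2661) from UDP 1701 payloads and flags any L2TP control or data message that did not arrive inside ESP (IP protocol 50) or UDP-encapsulated ESP on port 4500 (RFC 3948). The `Packet` records and all packet bytes below are constructed sample input; addresses are from documentation ranges.

```python
"""Flag L2TP traffic that reaches a concentrator in the clear (outside IPsec).

Added example. Packet records and byte strings are constructed for the demo;
a real deployment would feed it decoded 5-tuples and UDP payloads from a capture.
"""
from dataclasses import dataclass

L2TP_PORT = 1701
IKE_PORT = 500
NAT_T_PORT = 4500
ESP_PROTO = 50
UDP_PROTO = 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # IP protocol number
    sport: int      # 0 for non-UDP packets
    dport: int
    payload: bytes  # UDP payload (or ESP header for proto 50)


def parse_l2tpv2_header(payload: bytes):
    """Return header fields for an L2TPv2 message, or None if the bytes are not L2TPv2.

    First 16 bits: T L x x S x O P x x x x Ver (RFC 2661 section 3.1).
    """
    if len(payload) < 6:
        return None
    flags, version = payload[0], payload[1] & 0x0F
    if version != 2:
        return None
    is_control = bool(flags & 0x80)
    has_len = bool(flags & 0x40)
    has_seq = bool(flags & 0x08)
    has_off = bool(flags & 0x02)
    # Control messages must carry the Length and Ns/Nr fields.
    if is_control and not (has_len and has_seq):
        return None
    need = 2 + (2 if has_len else 0) + 4 + (4 if has_seq else 0) + (2 if has_off else 0)
    if len(payload) < need:
        return None
    pos, length = 2, None
    if has_len:
        length = int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        if length != len(payload):
            return None  # Length field must match the UDP payload length
    tunnel_id = int.from_bytes(payload[pos:pos + 2], "big")
    session_id = int.from_bytes(payload[pos + 2:pos + 4], "big")
    return {"control": is_control, "tunnel_id": tunnel_id,
            "session_id": session_id, "length": length}


def classify(pkt: Packet) -> str:
    """Label a packet as IKE, ESP, cleartext L2TP, or other."""
    if pkt.proto == ESP_PROTO:
        return "esp"
    if pkt.proto != UDP_PROTO:
        return "other"
    if IKE_PORT in (pkt.sport, pkt.dport):
        return "ike"
    if NAT_T_PORT in (pkt.sport, pkt.dport):
        # RFC 3948: a zero 4-byte non-ESP marker means IKE over NAT-T;
        # anything else on 4500 is UDP-encapsulated ESP (first 4 bytes = SPI).
        return "ike" if pkt.payload[:4] == b"\x00\x00\x00\x00" else "esp"
    if L2TP_PORT in (pkt.sport, pkt.dport):
        hdr = parse_l2tpv2_header(pkt.payload)
        if hdr is None:
            return "other"
        return "l2tp-control-clear" if hdr["control"] else "l2tp-data-clear"
    return "other"


def audit(packets):
    """Return (src, dst, kind) for every L2TP message seen outside IPsec."""
    return [(p.src, p.dst, classify(p)) for p in packets if classify(p).startswith("l2tp-")]


# Constructed samples. SCCRQ: T=1,L=1,S=1, ver 2, length 20, tunnel/session 0,
# Ns/Nr 0, then a Message-Type AVP (M bit, len 8, vendor 0, attr 0, value 1).
SCCRQ = bytes.fromhex("c80200140000000000000000800800000000" "0001")
# Data message: L=1, ver 2, length 20, tunnel 1, session 1, PPP (ff03 0021) + bytes.
L2TP_DATA = bytes.fromhex("40020014" "0001" "0001" "ff030021" "45000010" "00000000")

SAMPLE = [
    Packet("203.0.113.10", "198.51.100.1", UDP_PROTO, 500, 500, b"\x01" * 28),            # IKE
    Packet("203.0.113.10", "198.51.100.1", ESP_PROTO, 0, 0, b"\x00\x00\x12\x34" + b"\x00" * 20),  # ESP
    Packet("203.0.113.20", "198.51.100.1", UDP_PROTO, 4500, 4500, b"\x00\x00\x00\x00" + b"\x01" * 28),  # IKE/NAT-T
    Packet("203.0.113.20", "198.51.100.1", UDP_PROTO, 4500, 4500, b"\x00\x00\x56\x78" + b"\x00" * 20),  # ESP/NAT-T
    Packet("203.0.113.30", "198.51.100.1", UDP_PROTO, 1701, 1701, SCCRQ),      # cleartext L2TP control
    Packet("203.0.113.30", "198.51.100.1", UDP_PROTO, 1701, 1701, L2TP_DATA),  # cleartext L2TP data
    Packet("203.0.113.40", "198.51.100.1", UDP_PROTO, 1701, 1701, b"\xff\xff\xff"),  # junk on 1701
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("cleartext L2TP:", finding)
```

Only the two packets from 203.0.113.30 are reported: the L2TP that the first two clients send is inside ESP and never appears on UDP 1701 as plain L2TP, while the junk on 1701 fails the version check and is ignored. A client whose IPSec stage never came up shows up here immediately, which is the situation the post observed with tcpdump.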