Greetings,
I am using several ISR G2 routers (819, 2901, etc.) configured as L2TP/IPSec VPN concentrators. I followed the standard documents, and the vpdn part now looks as follows:
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
Working with non-standard clients, like strongSwan + xl2tpd, I have noticed that a misconfigured client is able to exchange non-encrypted traffic in the L2TP tunnel. I.e., if IPSec is not up, the L2TP tunnel works by itself and I can tcpdump non-encrypted traffic. This is not happening with out-of-the-box clients, like Windows or Android. I believe those block L2TP clear traffic when IPSec is not ready.
I am concerned about two things: 1. I am not guaranteed that VPN traffic is secure with some of the company employees, and 2. I do not want an unused port to be accessible on the router.
I can block this port with ZBFW, but is there any other way to tell the router on which interfaces L2TP (UDP 1701) is listened on?
Sincerely yours.
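The post mentions seeing unencrypted L2TP with tcpdump when IPSec is down. The following is an added example, not part of the original post and not Cisco code: a small Python audit that walks captured Ethernet/IPv4 frames and reports which peers are sending L2TP (UDP 1701) outside of ESP, so a defender can find clients whose IPSec is not actually protecting the tunnel. The frames, addresses and helper names (build_frame, classify, audit) are constructed here for illustration; on a real capture you would feed it frames read from a pcap instead.

```python
import struct
from collections import Counter

L2TP_PORT = 1701
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ETHERTYPE_IPV4 = b"\x08\x00"


def parse_ipv4(frame: bytes):
    """Return (proto, src, dst, payload) for an Ethernet II + IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4           # header length in bytes (handles options)
    proto = ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return proto, src, dst, ip[ihl:]


def classify(frame: bytes) -> str:
    """'esp' = IPSec-protected, 'l2tp-clear' = L2TP visible on the wire, 'other' otherwise."""
    parsed = parse_ipv4(frame)
    if parsed is None:
        return "other"
    proto, _src, _dst, payload = parsed
    if proto == IPPROTO_ESP:
        # Whatever is inside ESP is opaque to us; that is the healthy case.
        return "esp"
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if L2TP_PORT in (sport, dport):
            # UDP 1701 in the clear: L2TP is running without IPSec.
            return "l2tp-clear"
    return "other"


def audit(frames):
    """Map peer source IP -> number of cleartext L2TP packets seen from it."""
    offenders = Counter()
    for frame in frames:
        if classify(frame) == "l2tp-clear":
            _proto, src, _dst, _payload = parse_ipv4(frame)
            offenders[src] += 1
    return offenders


# --- constructed sample traffic (not a real capture) -------------------------

def build_frame(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal Ethernet II + IPv4 frame; checksum left at 0 for brevity."""
    eth = b"\x00" * 12 + ETHERTYPE_IPV4
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return eth + ip + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


ROUTER = "203.0.113.1"            # constructed concentrator address
L2TP_SCCRQ = b"\xc8\x02\x00\x14\x00\x00\x00\x00\x00\x00\x00\x00"  # constructed L2TP control header

SAMPLE_FRAMES = [
    # Misconfigured client: L2TP straight over UDP, no IPSec.
    build_frame(IPPROTO_UDP, "198.51.100.7", ROUTER, udp(1701, 1701, L2TP_SCCRQ)),
    build_frame(IPPROTO_UDP, "198.51.100.7", ROUTER, udp(1701, 1701, L2TP_SCCRQ)),
    # Well-behaved client: only ESP is visible on the wire.
    build_frame(IPPROTO_ESP, "198.51.100.9", ROUTER, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 32),
    # Unrelated UDP (DNS) from the same misconfigured host; must not be counted.
    build_frame(IPPROTO_UDP, "198.51.100.7", ROUTER, udp(40000, 53, b"\x00" * 12)),
]

if __name__ == "__main__":
    for peer, count in audit(SAMPLE_FRAMES).items():
        print(f"cleartext L2TP from {peer}: {count} packet(s)")
```

The classifier treats any UDP packet with 1701 as source or destination port as cleartext L2TP; on a concentrator, ESP is the only thing a correctly configured L2TP/IPSec client should put on the outside interface, so a non-empty audit result points at a client whose IPSec association never came up.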