
L2TP tunnel - traffic only between routers not host

dannymcca
Level 1
Level 1

Hi,

I am in dire need of assistance.

I have set up an L2TP tunnel between two 887VA routers to pass layer 2 traffic from a remote site. My problem is that the traffic from my layer 2 device enters the router through FastEthernet 0 but doesn't go anywhere.

I am getting the "Hello" over the L2TP so the tunnel is up and working. When I attach a laptop to the layer 2 device end I can ping between that and the host at the other end, however, no layer 2 traffic is being passed over the tunnel.

I am using Wireshark on the host at the far end and it sees no layer 2 traffic, not even the "Hello", so I checked the ACLs but can find no reason why this traffic shouldn't pass through.

Can someone please help? I have included the config files from both routers.

Thanks.

Router 1

Building configuration...

Current configuration : 3973 bytes

!

! Last configuration change at 13:03:15 UTC Thu May 2 2013

! NVRAM config last updated at 13:04:17 UTC Thu May 2 2013

! NVRAM config last updated at 13:04:17 UTC Thu May 2 2013

! Global service settings, hostname and the privileged-mode (enable) secret.
version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

! NOTE(review): with password encryption off, every "password 0" value in this
! config (for example "ppp chap password 0" under Dialer0) is stored and shown
! in clear text. Redact such values before sharing a config.
no service password-encryption

!

hostname XXX

!

boot-start-marker

boot-end-marker

!

! NOTE(review): "secret 4" is the Type 4 format, a single unsalted SHA-256
! pass that Cisco deprecated as weaker than intended. The hash is posted
! unredacted and the same value appears in the second config on this page, so
! treat the enable password as exposed: change it on both routers and store it
! in a stronger secret type if the IOS release offers one.
enable secret 4 pozkvcqXiM/f4AVrqz8PjSI9KxXYqhSXdmI.1yi0uD2

!

! AAA is disabled, so only the local line/enable authentication applies.
no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

!       

! NOTE(review): IP source routing is left enabled. Hardening guides usually
! disable it ("no ip source-route") because it lets the sender dictate the
! path a packet takes through the network.
ip source-route

!       

ip cef

no ipv6 cef

! L2TP control-channel class with authentication and a shared password
! (value redacted by the poster).
! NOTE(review): the pseudowire-class in this config does not name this class,
! and the second router's l2tpclass2 has no authentication, so this
! authentication looks unused - confirm.
l2tp-class l2tpclass2

authentication

password xxx

!       

! Empty class with a one-letter name; presumably a leftover - confirm.
l2tp-class l

!       

vpdn enable

!       

! Accepts dial-in L2TP sessions terminated from hostname "peer1" and uses
! Virtual-Template1 for them.
vpdn-group vpdngroup1

accept-dialin

  protocol l2tp

  virtual-template 1

terminate-from hostname peer1

!       

! NOTE(review): the UDI line carries the device serial number; redact it when
! posting a config publicly.
license udi pid CISCO887VA-K9 sn FCZ1706908Q

!       

controller VDSL 0

!

! L2TPv3 pseudowire parameters; the tunnel is sourced from Dialer0.
! NOTE(review): there is no "protocol l2tpv3 <l2tp-class-name>" line here, so
! the authenticated l2tp-class defined earlier is not bound to this
! pseudowire. Confirm whether control-channel authentication was intended.
pseudowire-class pwclass2

encapsulation l2tpv3

sequencing both

ip local interface Dialer0

ip pmtu

ip tos reflect

ip ttl 100

!

! IKE phase 1 policy with a pre-shared key.
! NOTE(review): 3DES, MD5 and DH group 2 (1024-bit) are legacy choices. Prefer
! AES, a SHA-2 hash and a larger DH group where the image and the peer
! support them.
crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

! Pre-shared key for a single peer (key and address redacted by the poster).
crypto isakmp key XXXX address xxx.xxx.xxx.xxx

crypto isakmp keepalive 30 5

!    

! NOTE(review): the same concern applies to the IPsec transform, which is ESP
! with 3DES and HMAC-MD5.
crypto ipsec transform-set XXXX esp-3des esp-md5-hmac

!       

! NOTE(review): only traffic matching ACL 101 is protected. ACL 101 matches
! 192.0.0.0/8 to 192.0.0.0/8, so the L2TPv3 packets (IP protocol 115) between
! the routers' Dialer0 addresses are encrypted only if both addresses fall in
! that range. The addresses are redacted, so verify that the tunnel is
! actually covered.
crypto map cMap 10 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set XXXX

match address 101

!

! Integrated routing and bridging: bridge-group 1 is given a routed BVI1.
bridge irb

!       

! Loopback1 has no address, yet both PPP interfaces below borrow it with
! "ip unnumbered". NOTE(review): that leaves them without an IP address -
! confirm this is intended.
interface Loopback1

no ip address

!

interface Ethernet0

no ip address

shutdown

no fair-queue

!       

! DSL uplink; the PVC feeds dialer pool 1 (Dialer0).
interface ATM0

no ip address

ip nat outside

ip virtual-reassembly in

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!       

! LAN port where the layer 2 device attaches; access port in VLAN 2.
interface FastEthernet0

switchport access vlan 2

no ip address

!       

!

! Template used by vpdn-group vpdngroup1 for accepted dial-in sessions.
interface Virtual-Template1

ip unnumbered Loopback1

ppp authentication chap

ppp chap hostname peer2

!       

! PPP interface carried over the L2TPv3 pseudowire (peer redacted, VC ID 10).
! NOTE(review): this is a routed PPP pseudowire. Nothing shown attaches Vlan2
! or bridge-group 1 to the pseudowire (there is no xconnect on an
! Ethernet-side interface), which would be consistent with the tunnel being up
! while no layer 2 frames cross it - confirm against the platform's L2TPv3
! documentation. CHAP is required here but no CHAP password is visible.
interface Virtual-PPP2

ip unnumbered Loopback1

ppp authentication chap

ppp chap hostname peer2

pseudowire xxx.xxx.xxx.xxx 10 pw-class pwclass2

!       

!       

! VLAN 2 is placed in bridge-group 1 with MAC address-list 700 applied in both
! directions. NOTE(review): list 700 permits every MAC address, so this
! filter currently blocks nothing.
interface Vlan2

no ip address

bridge-group 1

bridge-group 1 input-address-list 700

bridge-group 1 output-address-list 700

!       

! Internet-facing PPP dialer: NAT outside interface, L2TPv3 source and the
! interface that carries crypto map cMap.
interface Dialer0

ip address XXX.XXX.XXX.XXX 255.255.255.0

no ip redirects

no ip unreachables

ip mtu 1492

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname xxxxxx

! NOTE(review): "password 0" means the ISP CHAP password is stored in clear
! text in the config (redacted here by the poster).
ppp chap password 0 xxxxxx

ppp ipcp route default

ppp ipcp address accept

no cdp enable

crypto map cMap

!

! Routed interface for bridge-group 1 (the LAN side).
! NOTE(review): no interface in this config carries "ip nat inside", so the
! NAT overload rule on list 100 has no inside interface - confirm. No inbound
! ACL is applied here, unlike BVI1 in the second config.
interface BVI1

ip address 192.168.1.1 255.255.255.0

!

ip forward-protocol nd

! The HTTP and HTTPS management servers are both disabled.
no ip http server

no ip http secure-server

!

! PAT for sources permitted by ACL 100, translated to Dialer0's address.
ip nat inside source list 100 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route xxx.xxx.xxx.xxx 255.255.255.255 Dialer0

! NOTE(review): 192.168.1.0/24 is also BVI1's own connected subnet on this
! router; a static route towards the tunnel was presumably meant for the
! remote LAN - confirm.
ip route 192.168.1.0 255.255.255.0 Virtual-PPP2

!       

! ACL 50 denies and logs every source; it is applied to the vty lines.
access-list 50 deny   any log

! ACL 100 (NAT): exempts 192.x to 192.x traffic, then translates the LAN.
! NOTE(review): wildcard 0.255.255.255 on 192.0.0.0 matches all of
! 192.0.0.0/8, which is far wider than the 192.168.x.x LANs in use.
access-list 100 deny   ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

! ACL 101 selects the traffic protected by crypto map cMap.
! NOTE(review): ACLs are evaluated top-down with first match. The first
! "permit ip" already covers the tcp/udp/icmp permits that follow it, and
! nothing can match after "deny ip any any", so six of these eight entries are
! never hit. The same over-wide 192.0.0.0/8 match applies here.
access-list 101 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 permit tcp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 permit udp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 permit icmp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 deny   ip any any

access-list 101 deny   tcp any any

access-list 101 deny   udp any any

access-list 101 deny   icmp any any

! ACL 111 blocks Telnet and permits everything else; it is not applied
! anywhere in this config.
access-list 111 deny   tcp any any eq telnet

access-list 111 permit ip any any

! MAC address list used on bridge-group 1. NOTE(review): mask ffff.ffff.ffff
! ignores every bit, so this single entry permits all MAC addresses.
access-list 700 permit 0000.0000.0000   ffff.ffff.ffff

dialer-list 1 protocol ip permit

!       

! Bridge 1 runs IEEE spanning tree; IP is routed through BVI1, not bridged.
bridge 1 protocol ieee

bridge 1 route ip

!       

! NOTE(review): no login method, password or timeout is shown for the console
! and aux lines - confirm that physical access is controlled.
line con 0

line aux 0

! Remote access is shut off twice: ACL 50 denies every source and
! "transport input none" accepts no protocol.
! NOTE(review): "no login" skips the password check and "exec-timeout 0 0"
! disables the idle timeout. Both are harmless only while input stays
! disabled; set an authenticated login and a timeout before enabling SSH.
line vty 0 4

access-class 50 in

exec-timeout 0 0

no login

transport input none

transport output none

!

end     

Router 2

Building configuration...

Current configuration : 3629 bytes

!

! Last configuration change at 13:03:49 UTC Thu May 2 2013

! NVRAM config last updated at 13:04:07 UTC Thu May 2 2013

! NVRAM config last updated at 13:04:07 UTC Thu May 2 2013

! Global service settings, hostname and the privileged-mode (enable) secret.
version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

! NOTE(review): with password encryption off, every "password 0" value in this
! config (for example "ppp chap password 0" under Dialer0) is stored and shown
! in clear text. Redact such values before sharing a config.
no service password-encryption

!

hostname XXXX

!

boot-start-marker

boot-end-marker

!

! NOTE(review): "secret 4" is the Type 4 format, a single unsalted SHA-256
! pass that Cisco deprecated as weaker than intended. The hash is posted
! unredacted and is identical to the one in the first config on this page, so
! both routers share one exposed enable password: change it and store it in a
! stronger secret type if the IOS release offers one.
enable secret 4 pozkvcqXiM/f4AVrqz8PjSI9KxXYqhSXdmI.1yi0uD2

!

no aaa new-model

memory-size iomem 10                                                                                                                                                                                                                                                      

!       

! NOTE(review): IP source routing is left enabled. Hardening guides usually
! disable it ("no ip source-route") because it lets the sender dictate the
! path a packet takes through the network.
ip source-route

!       

ip cef

no ipv6 cef

! NOTE(review): this class is empty. The class of the same name in the first
! config sets authentication and a password, so the two ends do not match -
! confirm which is intended.
l2tp-class l2tpclass2

!       

! NOTE(review): the UDI line carries the device serial number; redact it when
! posting a config publicly.
license udi pid CISCO887VA-K9 sn FCZ170690A2    

!

controller VDSL 0

!

! L2TPv3 pseudowire parameters; the tunnel is sourced from Dialer0.
! NOTE(review): there is no "protocol l2tpv3 <l2tp-class-name>" line here, so
! no l2tp-class (and no control-channel authentication) is bound to this
! pseudowire - confirm. Unlike the first config, "ip tos reflect" is absent.
pseudowire-class pwclass2

encapsulation l2tpv3

sequencing both

ip local interface Dialer0

ip pmtu

ip ttl 100

!       

! IKE phase 1 policy with a pre-shared key.
! NOTE(review): 3DES, MD5 and DH group 2 (1024-bit) are legacy choices. Prefer
! AES, a SHA-2 hash and a larger DH group where the image and the peer
! support them.
crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

! Pre-shared key for a single peer (key and address redacted by the poster).
crypto isakmp key XXXX address xxx.xxx.xxx.xxx

crypto isakmp keepalive 30 5

!       

!

! NOTE(review): the same concern applies to the IPsec transform, which is ESP
! with 3DES and HMAC-MD5.
crypto ipsec transform-set XXXX esp-3des esp-md5-hmac

!

! NOTE(review): only traffic matching ACL 101 is protected. ACL 101 matches
! 192.0.0.0/8 to 192.0.0.0/8, so the L2TPv3 packets (IP protocol 115) between
! the routers' Dialer0 addresses are encrypted only if both addresses fall in
! that range. The addresses are redacted, so verify that the tunnel is
! actually covered.
crypto map cMap 10 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set XXXX

match address 101

!       

! Integrated routing and bridging: bridge-group 1 is given a routed BVI1.
bridge irb

!

! Loopback1 has no address, yet Virtual-PPP2 below borrows it with
! "ip unnumbered". NOTE(review): that leaves the PPP interface without an IP
! address - confirm this is intended.
interface Loopback1

no ip address

!       

interface Ethernet0

no ip address

shutdown

no fair-queue

!

! DSL uplink; the PVC feeds dialer pool 1 (Dialer0).
interface ATM0

no ip address

ip virtual-reassembly in

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

! LAN port; access port in VLAN 2.
interface FastEthernet0

switchport access vlan 2

no ip address

!       

! PPP interface carried over the L2TPv3 pseudowire (peer redacted, VC ID 10).
! NOTE(review): this is a routed PPP pseudowire. Nothing shown attaches Vlan2
! or bridge-group 1 to the pseudowire (there is no xconnect on an
! Ethernet-side interface), which would be consistent with the tunnel being up
! while no layer 2 frames cross it - confirm against the platform's L2TPv3
! documentation. Both routers present the CHAP hostname "peer2" and no CHAP
! password is visible.
interface Virtual-PPP2

ip unnumbered Loopback1

ppp authentication chap

ppp chap hostname peer2

pseudowire xxx.xxx.xxx.xxx 10 pw-class pwclass2

!

! VLAN 2 is placed in bridge-group 1 with MAC address-list 700 applied in both
! directions. NOTE(review): list 700 permits every MAC address, so this
! filter currently blocks nothing.
interface Vlan2

no ip address

bridge-group 1

bridge-group 1 input-address-list 700

bridge-group 1 output-address-list 700

!

! Internet-facing PPP dialer: NAT outside interface, L2TPv3 source and the
! interface that carries crypto map cMap.
interface Dialer0

ip address xxx.xxx.xxx.xxx 255.255.255.0

no ip redirects

no ip unreachables

ip mtu 1492

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

ppp authentication chap callin

ppp chap hostname xxxxxx

! NOTE(review): "password 0" means the ISP CHAP password is stored in clear
! text in the config (redacted here by the poster).
ppp chap password 0 xxxxxx

ppp ipcp route default

ppp ipcp address accept

no cdp enable

crypto map cMap

!       

! Routed interface for bridge-group 1 (the LAN side).
! NOTE(review): ACL 101 inbound lets LAN hosts reach only 192.0.0.0/8
! destinations, so any other destination is dropped here. It is an IP ACL and
! does not filter bridged non-IP frames. The same ACL doubles as the crypto
! map match list, so a change for one purpose affects the other. No interface
! carries "ip nat inside", so the NAT rule on list 100 has no inside
! interface - confirm.
interface BVI1

ip address 192.168.2.1 255.255.255.0

ip access-group 101 in

no ip unreachables

!

ip forward-protocol nd

! The HTTP and HTTPS management servers are both disabled.
no ip http server

no ip http secure-server

!

! PAT for sources permitted by ACL 100, translated to Dialer0's address.
ip nat inside source list 100 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route xxx.xxx.xxx.xxx 255.255.255.255 Dialer0

! NOTE(review): 192.168.2.0/24 is also BVI1's own connected subnet on this
! router; a static route towards the tunnel was presumably meant for the
! remote LAN (192.168.1.0/24 in the first config) - confirm.
ip route 192.168.2.0 255.255.255.0 Virtual-PPP2

!       

! ACL 50 denies and logs every source; it is applied to the vty lines.
access-list 50 deny   any log

! ACL 100 (NAT): exempts LAN-to-remote-LAN traffic, then translates the LAN.
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

! ACL 101 is used as the crypto map match list and inbound on BVI1.
! NOTE(review): ACLs are evaluated top-down with first match. The first
! "permit ip" already covers the tcp/udp/icmp permits that follow it, and
! nothing can match after "deny ip any any", so six of these eight entries are
! never hit. Wildcard 0.255.255.255 on 192.0.0.0 matches all of 192.0.0.0/8,
! which is far wider than the 192.168.x.x LANs in use.
access-list 101 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 permit tcp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 permit udp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 permit icmp 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255

access-list 101 deny   ip any any

access-list 101 deny   tcp any any

access-list 101 deny   udp any any

access-list 101 deny   icmp any any

! ACL 111 blocks Telnet and permits everything else; it is not applied
! anywhere in this config.
access-list 111 deny   tcp any any eq telnet

access-list 111 permit ip any any

! MAC address list used on bridge-group 1. NOTE(review): mask ffff.ffff.ffff
! ignores every bit, so this single entry permits all MAC addresses.
access-list 700 permit 0000.0000.0000   ffff.ffff.ffff

dialer-list 1 protocol ip permit

!       

! Bridge 1 runs IEEE spanning tree; IP is routed through BVI1, not bridged.
bridge 1 protocol ieee

bridge 1 route ip

!       

! NOTE(review): no login method, password or timeout is shown for the console
! and aux lines - confirm that physical access is controlled.
line con 0

line aux 0

! Remote access is shut off twice: ACL 50 denies every source and
! "transport input none" accepts no protocol.
! NOTE(review): "no login" skips the password check and "exec-timeout 0 0"
! disables the idle timeout. Both are harmless only while input stays
! disabled; set an authenticated login and a timeout before enabling SSH.
line vty 0 4

access-class 50 in

exec-timeout 0 0

no login

transport input none

transport output none

!

end      
