L2TPv3 inside IPSec does not work between ISR 1000v and 800 series VPN boxes

irakli_n
Level 1

Hello everybody,

I came to the realization that our deployment of extending L2 with L2TPv3 inside IPSec does not work with the 1000v cloud services router.

Background of the deployment:


Purpose of the current architecture and restrictions: extending an L2 network into another geographical area with L2TPv3 and encapsulating the traffic inside IPSec. Due to our network security restrictions, we can't use 'pure' L2TPv3 between sites; we have to encapsulate all traffic inside IPSec.

Equipment used in the deployment: on remote sites (called client further in the text) we use 892, 891 and 881 boxes; on the server side we use 1921 or 1941 boxes. Client boxes are configured with a DHCP IP on the WAN interface and shipped with pre-configured VLANs/ports. On the remote site there are mostly IoT devices/RFID readers and other small network devices/sensors/appliances which need to be plugged directly into the client box's switch ports. They send measurements/periodic updates to the central servers via tcp/http. This setup has been up and running for >5 years, no complaints so far.

We now plan to replace the 1921/1941, which are EoS and soon out of support, with something more modern. For this purpose I downloaded and set up a 1000v with a 60-day AX eval license.

Problem description: after porting the config from the 1921 (pretty much copy/paste, just changing IP addresses in a couple of places), I was confronted with the fact that the above, perfectly working, setup does not work with the 1000v.

Main problem: the L2TPv3 tunnel passes only broadcast traffic.

The IPSec tunnel comes up and works fine, and L2TPv3 inside IPSec also comes up: show xconnect and show l2tun sessions on both sides show that the tunnel is up and that there is traffic (bytes/packets going through the tunnel), but the thing is that this L2TPv3 tunnel only passes broadcasts.

I've tried upgrading IOS on the 800 series (from 15.4 to the latest) and on the 1000V (from 16.3 to 16.9). I've tried different interworking options (ip, vlan, ethernet) in the pseudowire setup; the result is the same.

I also set the Port Group settings on the ESX server to promiscuous mode and accept MAC address changes. Same outcome.

I am convinced that the problem is with the 1000v/XE software, because exactly the same setup (shown below) works, and has worked fine for 5 years, between a 1921 on one side and 800 series boxes on the other.

Below is the setup (what is relevant). If you have a chance and 800/1000v boxes at your disposal, could you please check and confirm my findings?

Or better, if you have seen this problem before, how did you fix it?

My main problem is that I do not know what other options I have. I can't open a support case because the 1000v is an eval box and I do not have support for it. At the same time, I can't go to management with a request to purchase a license unless the problem is resolved.

What are the alternatives to L2TPv3? How can I extend an L2 network to another place considering these restrictions? I have only 800 series boxes and only the 1000v.

 

Thanks for the help.

---------       CLIENT       --------------------

crypto ikev2 keyring P594
 peer P594
  address 192.168.100.29
  pre-shared-key P594-password1


crypto ikev2 profile P594
 description IKEv2 profile for the Central VPN Box
 match identity remote address 192.168.100.29 255.255.255.255
 identity local fqdn P594.project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P594
 dpd 20 3 periodic
 nat keepalive 10


interface Loopback594
 description P594-LB-for-IPsec-tunn
 ip address 172.128.94.1 255.255.255.255
 load-interval 600


pseudowire-class P594
 encapsulation l2tpv3
 ip local interface Loopback594
 ip tos reflect


access-list 2594 remark ACL for IPSec for P594 tunn
access-list 2594 permit ip host 172.128.94.1 host 172.128.94.19


crypto map local 594 ipsec-isakmp
 description IPSec map for VPN server box
 set peer 192.168.100.29
 set ikev2-profile P594
 match address 2594


interface Vlan594
 no ip address
 xconnect 172.128.94.19 594 encapsulation l2tpv3 pw-class P594


interface fastethernet8
 ip address dhcp
 crypto map local


ip route 0.0.0.0 0.0.0.0 dhcp

---------       SERVER       --------------------


crypto ikev2 keyring P594
 peer P594
  address 0.0.0.0 0.0.0.0
  pre-shared-key P594-password1


crypto ikev2 profile P594
 description IKEv2 Profile matching the client
 match identity remote fqdn P594.project.site
 identity local address 192.168.100.29
 authentication local pre-share
 authentication remote pre-share
 keyring local P594
 dpd 20 3 periodic
 nat keepalive 10


interface Loopback594
 description P594-LB-for-IPsec-tunn
 ip address 172.128.94.19 255.255.255.255
 load-interval 600


access-list 194 remark ACL for IPSec for P594 tunn
access-list 194 permit ip host 172.128.94.19 host 172.128.94.1


crypto dynamic-map ACC-crypto-map-dyn 80
 set ikev2-profile P594
 match address 194
crypto map ACC-crypto-map 100 ipsec-isakmp dynamic ACC-crypto-map-dyn


pseudowire-class P594
 encapsulation l2tpv3
 ip local interface Loopback594
 ip pmtu
 ip dfbit set
 ip tos reflect


interface GigabitEthernet2.594
 description for L2TPv3 Tunnel
 encapsulation dot1Q 594
 xconnect 172.128.94.1 594 encapsulation l2tpv3 pw-class P594


interface GigabitEthernet3
 ip address 192.168.100.29 255.255.255.0
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
 crypto map ACC-crypto-map
 ip virtual-reassembly max-reassemblies 1024
 ip virtual-reassembly-out max-reassemblies 1024


ip route 0.0.0.0 0.0.0.0 192.168.100.1

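The script below is an added example, not code from the post or from Cisco. It parses the client and server snippets above and cross-checks the two pseudowire ends: the xconnect peer on each side must be the loopback the other side sources its pseudowire from, the VC IDs must match, and, the security-relevant part, the loopback-to-loopback flow that carries the L2TPv3 session must be selected by the ACL bound to the crypto map, because the whole point of this design is that no L2 traffic leaves the site outside IPsec. The config strings are trimmed copies of the post's own config; the "broken" variant using host 172.128.94.20 is constructed for the negative case and is not from the post.

```python
import re

# Relevant lines of the client and server configs from the post, trimmed to what this check needs.
CLIENT_CFG = """\
interface Loopback594
 ip address 172.128.94.1 255.255.255.255
pseudowire-class P594
 encapsulation l2tpv3
 ip local interface Loopback594
access-list 2594 permit ip host 172.128.94.1 host 172.128.94.19
crypto map local 594 ipsec-isakmp
 match address 2594
interface Vlan594
 xconnect 172.128.94.19 594 encapsulation l2tpv3 pw-class P594
"""

SERVER_CFG = """\
interface Loopback594
 ip address 172.128.94.19 255.255.255.255
access-list 194 permit ip host 172.128.94.19 host 172.128.94.1
crypto dynamic-map ACC-crypto-map-dyn 80
 match address 194
crypto map ACC-crypto-map 100 ipsec-isakmp dynamic ACC-crypto-map-dyn
pseudowire-class P594
 encapsulation l2tpv3
 ip local interface Loopback594
interface GigabitEthernet2.594
 xconnect 172.128.94.1 594 encapsulation l2tpv3 pw-class P594
"""

# Constructed negative case (hypothetical, not from the post): the crypto ACL names the
# wrong remote host, so the pseudowire flow no longer matches the IPsec selector.
BROKEN_CLIENT_CFG = CLIENT_CFG.replace("host 172.128.94.19", "host 172.128.94.20")

# Sub-command patterns per section kind: (regex, key to store the first group under).
CHILD = {
    "interface": [(r"ip address (\S+) \S+$", "ip"),
                  (r"xconnect (\S+) (\d+) encapsulation (\S+) pw-class (\S+)", "xc")],
    "pwclass": [(r"encapsulation (\S+)", "encap"), (r"ip local interface (\S+)", "local_if")],
    "cryptomap": [(r"match address (\S+)", "acl")],
}
SECTION_KIND = {"interface": "interface", "pseudowire-class": "pwclass"}  # anything else: cryptomap


def parse(cfg):
    """Extract loopbacks, pseudowire classes, xconnects, crypto ACLs and crypto-map ACL bindings."""
    d = {"interface": {}, "pwclass": {}, "cryptomap": {}, "acl": {}, "xconnects": []}
    section = None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and section:  # sub-command of the current section
            kind, name = section
            for pattern, key in CHILD[kind]:
                m = re.match(pattern, raw.strip())
                if m and key == "xc":
                    d["xconnects"].append({"iface": name, "peer": m.group(1), "vcid": int(m.group(2)),
                                           "encap": m.group(3), "pwclass": m.group(4)})
                elif m:
                    d[kind][name][key] = m.group(1)
            continue
        section = None
        if m := re.match(r"(interface|pseudowire-class|crypto (?:dynamic-)?map) (\S+)", raw):
            kind = SECTION_KIND.get(m.group(1), "cryptomap")
            section = (kind, m.group(2))
            d[kind].setdefault(m.group(2), {})
        elif m := re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)", raw):
            d["acl"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return d


def check_pair(cfg_a, cfg_b):
    """Return a list of problems found between the two ends; an empty list means consistent."""
    sides = {"client": parse(cfg_a), "server": parse(cfg_b)}
    problems = []
    for side, me in sides.items():
        other = sides["server" if side == "client" else "client"]
        # Addresses the far end sources its pseudowire from (its pw-class loopbacks).
        far_locals = {other["interface"].get(pw.get("local_if"), {}).get("ip")
                      for pw in other["pwclass"].values()}
        # ACLs the local crypto-map entries use to select traffic for IPsec.
        crypto_acls = [cm["acl"] for cm in me["cryptomap"].values() if "acl" in cm]
        for xc in me["xconnects"]:
            pw = me["pwclass"].get(xc["pwclass"], {})
            local_ip = me["interface"].get(pw.get("local_if"), {}).get("ip")
            if xc["encap"] != "l2tpv3" or pw.get("encap") != "l2tpv3":
                problems.append(f"{side}: {xc['iface']} is not an L2TPv3 pseudowire")
            if xc["peer"] not in far_locals:
                problems.append(f"{side}: xconnect peer {xc['peer']} is not a pseudowire source on the far end")
            if not any(o["vcid"] == xc["vcid"] for o in other["xconnects"]):
                problems.append(f"{side}: no xconnect with VC ID {xc['vcid']} on the far end")
            # The loopback-to-loopback flow carrying the L2TPv3 session must be selected by a
            # crypto-map ACL, otherwise the extended L2 traffic crosses the WAN unencrypted.
            if not any((local_ip, xc["peer"]) in me["acl"].get(acl, []) for acl in crypto_acls):
                problems.append(f"{side}: flow {local_ip}->{xc['peer']} matches no crypto-map ACL, "
                                "pseudowire would leave in the clear")
    return problems


if __name__ == "__main__":
    print("configs as posted:", check_pair(CLIENT_CFG, SERVER_CFG) or "consistent")
    for problem in check_pair(BROKEN_CLIENT_CFG, SERVER_CFG):
        print("broken client ACL:", problem)
```

On the two snippets as posted the check reports nothing, which is consistent with the poster's observation that the tunnel does come up; it does not explain the broadcast-only symptom, which is not a selector mismatch. Its value is in catching the quiet failure mode of this design: an ACL or loopback edit that lets the L2TPv3 session run but outside the IPsec SA.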
 

1 Reply

irakli_n
Level 1

Guess no one has this problem.... Sigh...
