I came to the realization that our deployment extending L2 with L2TPv3 inside IPsec does not work with the 1000v Cloud Services Router.
Background of the deployment:
Purpose of the current architecture and restrictions: extending an L2 network into another geographical area with L2TPv3 and encapsulating the traffic inside IPsec. Due to our network security restrictions, we can't use 'pure' L2TPv3 between sites; we have to encapsulate all traffic inside IPsec.
Equipment used in the deployment: on the remote sites (called 'client' further in the text) we use 892, 891 and 881 boxes; on the server side we use 1921 or 1941 boxes. Client boxes are configured with a DHCP IP on the WAN interface and shipped with pre-configured VLANs/ports. On the remote site there are mostly IoT devices/RFID readers and other small network devices/sensors/appliances which need to be plugged directly into the client box's switch ports. They send measurements/periodic updates to the central servers via TCP/HTTP. This setup has been up and running for >5 years, with no complaints so far.
We now plan to replace the 1921/1941, which are EoS and soon out of support, with something more modern. For this purpose I downloaded and set up a 1000v with a 60-day AX eval license.
Problem description: after porting the config from the 1921 (pretty much copy/paste, just changing IP addresses in a couple of places), I was confronted with the fact that the above perfectly working setup does not work with the 1000v.
Main problem: the L2TPv3 tunnel passes only broadcast traffic.
The IPsec tunnel comes up and works fine, and the L2TPv3 inside IPsec also comes up: show xconnect and show l2tun sessions on both sides show that the tunnel is up and that there is traffic (bytes/packets going through the tunnel), but this L2TPv3 tunnel only passes broadcasts.
I've tried upgrading IOS on the 800 series (from 15.4 to the latest) and on the 1000v (from 16.3 to 16.9). I've tried the different interworking options (ip, vlan, ethernet) in the pseudowire setup; the result is the same.
I also set the Port Group settings on the ESX server to promiscuous mode and accept MAC address changes. Same outcome.
I am convinced that the problem is with the 1000v/XE software, because exactly the same setup (shown below) works, and has worked fine for 5 years, between a 1921 on one side and 800 series boxes on the other.
Below is the setup (what is relevant). If you have a chance and 800/1000v boxes at your disposal, could you please check and confirm my findings?
Or better, if you have seen this problem before: how did you fix it?
My main problem is that I do not know what other options I have. I can't open a support case because the 1000v is an eval box and I do not have support for it. At the same time, I can't go to management with a request to purchase a license unless the problem is resolved.
What are the alternatives to L2TPv3? How can I extend an L2 network to another place given these restrictions? I have only 800 series boxes and only the 1000v.
Thanks for the help.
! Note: the loopback, crypto-ACL and xconnect addresses below are reproduced exactly as
! posted; they do not line up with each other (the client's loopback, ACL pair and xconnect
! peer are all different addresses), so read them as placeholders, not as a working pair.

--------- CLIENT --------------------
crypto ikev2 keyring P594
 peer P594
  address 192.168.100.29
  pre-shared-key P594-password1
!
crypto ikev2 profile P594
 description IKEv2 profile for the Central VPN Box
 match identity remote address 192.168.100.29 255.255.255.255
 identity local fqdn P594.project.site
 authentication remote pre-share
 authentication local pre-share
 keyring local P594
 dpd 20 3 periodic
 nat keepalive 10
!
interface Loopback594
 description P594-LB-for-IPsec-tunn
 ip address 220.127.116.11 255.255.255.255
 load-interval 600
!
pseudowire-class P594
 encapsulation l2tpv3
 ip local interface Loopback594
 ip tos reflect
!
access-list 2594 remark ACL for IPSec for P594 tunn
access-list 2594 permit ip host 18.104.22.168 host 22.214.171.124
!
crypto map local 594 ipsec-isakmp
 description IPSec map for VPN server box
 set peer 192.168.100.29
 set ikev2-profile P594
 match address 2594
!
interface Vlan594
 no ip address
 xconnect 126.96.36.199 594 encapsulation l2tpv3 pw-class P594
!
interface FastEthernet8
 ip address dhcp
 crypto map local
!
ip route 0.0.0.0 0.0.0.0 dhcp

--------- SERVER --------------------
crypto ikev2 keyring P594
 peer P594
  address 0.0.0.0 0.0.0.0
  pre-shared-key P594-password1
!
crypto ikev2 profile P594
 description IKEv2 Profile matching the client
 match identity remote fqdn P594.project.site
 identity local address 192.168.100.29
 authentication local pre-share
 authentication remote pre-share
 keyring local P594
 dpd 20 3 periodic
 nat keepalive 10
!
interface Loopback594
 description P594-LB-for-IPsec-tunn
 ip address 188.8.131.52 255.255.255.255
 load-interval 600
!
access-list 194 remark ACL for IPSec for P594 tunn
access-list 194 permit ip host 184.108.40.206 host 220.127.116.11
!
crypto dynamic-map ACC-crypto-map-dyn 80
 set ikev2-profile P594
 match address 194
!
crypto map ACC-crypto-map 100 ipsec-isakmp dynamic ACC-crypto-map-dyn
!
pseudowire-class P594
 encapsulation l2tpv3
 ip local interface Loopback594
 ip pmtu
 ip dfbit set
 ip tos reflect
!
interface GigabitEthernet2.594
 description for L2TPv3 Tunnel
 encapsulation dot1Q 594
 xconnect 18.104.22.168 594 encapsulation l2tpv3 pw-class P594
!
interface GigabitEthernet3
 ip address 192.168.100.29 255.255.255.0
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
 crypto map ACC-crypto-map
 ip virtual-reassembly max-reassemblies 1024
 ip virtual-reassembly-out max-reassemblies 1024
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
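A consistency check for a config pair in the shape posted above, added here as an example (written for this page; it is not the poster's code and not a Cisco tool). Before blaming the platform it is worth proving that the pseudowire is actually the traffic the crypto map protects: a crypto map encrypts only what its ACL matches and routes everything else in the clear, so an L2TPv3 pair whose loopbacks do not match the crypto ACL exactly would leave the box unencrypted via the default route while IKEv2 still reports the tunnel as up. The script below parses the relevant blocks of an IOS/IOS-XE config (interfaces, pseudowire-class, xconnect, crypto/dynamic maps, numbered ACLs) and, for every xconnect, checks that the pw-class's local loopback and the xconnect peer are covered by an ACL referenced from a crypto map, and that the far side terminates the same VC ID back to that loopback. The sample configs are constructed with RFC 5737 documentation addresses, because the addresses in the post as pasted do not line up with each other; the hostnames, ACL numbers and pw-class name are taken from the post.

```python
"""Cross-check an L2TPv3-over-IPsec pair on IOS/IOS-XE: is every pseudowire (local
loopback -> peer loopback) matched by a crypto ACL that a crypto map references, and
does the far side terminate the same VC ID back to it?  Added example for this page,
not code from the post or from Cisco."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class IosConfig:
    interfaces: dict = field(default_factory=dict)   # interface -> IPv4 address
    pw_classes: dict = field(default_factory=dict)   # pw-class -> "ip local interface"
    xconnects: list = field(default_factory=list)    # (attachment, peer, vcid, pw-class)
    acls: dict = field(default_factory=dict)         # ACL number -> [(src, dst)] permits
    crypto_acls: set = field(default_factory=set)    # ACLs referenced by crypto/dynamic maps

def parse_ios(text: str) -> IosConfig:
    """Block-aware parse: an unindented line opens a block, indented lines belong to it."""
    cfg, kind, name = IosConfig(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            kind = name = None
            if m := re.match(r"interface (\S+)$", line):
                kind, name = "interface", m.group(1)
            elif m := re.match(r"pseudowire-class (\S+)$", line):
                kind, name = "pwclass", m.group(1)
            elif re.match(r"crypto (dynamic-)?map \S+ \d+", line):
                kind = "cryptomap"
            elif m := re.match(r"access-list (\d+) permit ip host (\S+) host (\S+)$", line):
                cfg.acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            continue
        if kind == "interface":
            if m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) \S+$", line):
                cfg.interfaces[name] = m.group(1)
            elif m := re.match(r"xconnect (\S+) (\d+) encapsulation l2tpv3 pw-class (\S+)$", line):
                cfg.xconnects.append((name, m.group(1), int(m.group(2)), m.group(3)))
        elif kind == "pwclass":
            if m := re.match(r"ip local interface (\S+)$", line):
                cfg.pw_classes[name] = m.group(1)
        elif kind == "cryptomap":
            if m := re.match(r"match address (\d+)$", line):
                cfg.crypto_acls.add(m.group(1))
    return cfg

def check_pair(local: IosConfig, remote: IosConfig) -> list[str]:
    """Findings for every pseudowire on `local`, verified against `remote`; [] is clean."""
    findings = []
    for attach, peer, vcid, pwc in local.xconnects:
        src = local.interfaces.get(local.pw_classes.get(pwc, ""))
        if src is None:
            findings.append(f"{attach}: pw-class {pwc} has no resolvable local address")
            continue
        # A crypto map encrypts only what its ACL matches; everything else is routed
        # in clear, so a pseudowire that misses the ACL silently bypasses IPsec.
        if not any((src, peer) in local.acls.get(n, []) for n in local.crypto_acls):
            findings.append(f"{attach}: L2TPv3 {src}->{peer} matches no crypto-map ACL; "
                            "it would leave in cleartext")
        if not any(p == src and v == vcid for _, p, v, _ in remote.xconnects):
            findings.append(f"{attach}: remote has no xconnect back to {src} with VC ID {vcid}")
    return findings

# Constructed sample pair in the shape of the post (RFC 5737 documentation addresses).
CLIENT = """\
interface Loopback594
 ip address 192.0.2.1 255.255.255.255
pseudowire-class P594
 ip local interface Loopback594
access-list 2594 permit ip host 192.0.2.1 host 192.0.2.2
crypto map local 594 ipsec-isakmp
 match address 2594
interface Vlan594
 xconnect 192.0.2.2 594 encapsulation l2tpv3 pw-class P594
"""

SERVER = """\
interface Loopback594
 ip address 192.0.2.2 255.255.255.255
access-list 194 permit ip host 192.0.2.2 host 192.0.2.1
crypto dynamic-map ACC-crypto-map-dyn 80
 match address 194
crypto map ACC-crypto-map 100 ipsec-isakmp dynamic ACC-crypto-map-dyn
pseudowire-class P594
 ip local interface Loopback594
interface GigabitEthernet2.594
 xconnect 192.0.2.1 594 encapsulation l2tpv3 pw-class P594
"""

# Same client with a one-octet typo in the crypto ACL: IKEv2/IPsec still come up,
# but the pseudowire misses the ACL and is forwarded unencrypted.
CLIENT_BAD_ACL = CLIENT.replace("host 192.0.2.1 host 192.0.2.2", "host 192.0.2.1 host 192.0.2.3")

def audit() -> dict:
    c, s = parse_ios(CLIENT), parse_ios(SERVER)
    return {"client->server": check_pair(c, s),
            "server->client": check_pair(s, c),
            "client(bad acl)->server": check_pair(parse_ios(CLIENT_BAD_ACL), s)}
```

Run it against the real pair by replacing CLIENT and SERVER with `show running-config` output from each box; an empty list in both directions means the pseudowire is inside the crypto ACL and terminated on the far side, and the remaining question is genuinely the data plane (the broadcast-only symptom described above). Note that the script only understands legacy numbered ACLs and the classic `xconnect` syntax used in the post.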