VPDN Client not get a default Gateway

Hello,
I have IOS XE and am trying to set up a PPTP VPN.
Everything is OK, but after connecting, the client (Windows OS) gets an IP address but without a default gateway.

My config:
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 2


interface Virtual-Template2
description VPN
mtu 1460
ip unnumbered Loopback0
no ip redirects
ip tcp adjust-mss 1400
load-interval 30
peer default ip address pool interface PPTP-Pool
no keepalive
ppp authentication ms-chap ms-chap-v2 raduis
ppp ipcp route default
ip virtual-reassembly
end
ip local pool PPTP-Pool 10.10.10.90 10.10.10.100

Richard Burts
Hall of Fame

Are you saying that clients are not working - can not communicate? Or are you just observing something and are surprised? For point to point connections you do not really need a gateway. You just forward traffic to the peer address.

HTH

Rick

Thanks for the reply.
The client is connected to the router and it gets an IP address but without a gateway.
See this result from the client interface:

PPP adapter VPN-BGN:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.99
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

Thank you for the clarification. For a vpn client a gateway of 0.0.0.0 is not a problem. Perhaps I can suggest that you think about it in this way:

- the function of the default gateway for a host is to be the locally connected device that provides access to remote resources.

- consider that the client is assigned address 10.10.10.99 with mask 255.255.255.255. What does that indicate?

- can there be a locally connected device as gateway when the mask is 255.255.255.255?

 

Or perhaps I can suggest that you think about it in this way:

- if the gateway was 0.0.0.0 on the Ethernet adapter then it would certainly be a problem.

- but this is not on the Ethernet adapter but is on the PPP adapter. Does PPP need a gateway?

- for PPP you access remote resources by sending traffic to your PPP peer address and the PC knows how to reach the peer address using the Ethernet adapter, which does have a valid gateway.

 

So whichever way you think about it, this gateway is normal and is not a problem.

HTH

Rick

Thanks for helping.
But I have something else.
Now I have connected my PC to the router via PPTP,
and this is the information for the LAN and PPTP IP addresses of my PC:
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : www.tendawifi.com
Link-local IPv6 Address . . . . . : fe80::bd44:3470:df8:a7d7%5
IPv4 Address. . . . . . . . . . . : 192.168.0.110
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

PPP adapter VPN-BGN:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.100
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0

-----
in the router
for example : #sh ip route
172.16.184.74 is directly connected, Virtual-Access2.90
C 172.16.184.93 is directly connected, Virtual-Access2.49
C 172.16.184.107 is directly connected, Virtual-Access2.3524
C 172.16.184.124 is directly connected, Virtual-Access2.158

#ping 172.16.184.144
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.184.144, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/6/8 ms
---------------------

But from my PC I can't get a ping reply for this IP address:
C:\Users\anas>ping 172.16.184.144

Pinging 172.16.184.144 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 172.16.184.144:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

We need more information to be able to understand your environment and to make suggestions. Would you post the output of route print from the PC and post the config of the router.

HTH

Rick

Hello,
I need to set up a VPN
so that clients connect to the router via PPTP and can then access the private networks in the routing table of the router. PPTP is connected and the client gets an IP address. As an example, I tried creating a loopback on the router:
interface Loopback10
ip address 192.168.90.1 255.255.255.0
end
I tried to ping this loopback IP address from my PC after I connected PPTP to the router:
C:\Users\anas>ping 192.168.90.1

Pinging 192.168.90.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.90.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

The route command output is:


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.110     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      192.168.0.0    255.255.255.0         On-link     192.168.0.110    291
    192.168.0.110  255.255.255.255         On-link     192.168.0.110    291
    192.168.0.255  255.255.255.255         On-link     192.168.0.110    291
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.0.110    291
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.0.110    291
===========================================================================
Persistent Routes:

Thank you for the additional output. The route print is interesting. Everything in it seems to be using the 192.168.0.110 address of the Ethernet adapter of the PC. I expected to see at least the IP address related to the PPP adapter but there is no indication of it in the table. Can you verify that the PC had an active vpn connection at the time you got the route information?

 

Perhaps you can post the router configuration?

HTH

Rick

vvdsvsdvsd.PNG

 

 

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.110   4260
          0.0.0.0          0.0.0.0         On-link       10.10.10.94     36
      10.10.10.94  255.255.255.255         On-link       10.10.10.94    291
   94.231.199.130  255.255.255.255      192.168.0.1    192.168.0.110   4261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4556
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4556
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
      192.168.0.0    255.255.255.0         On-link     192.168.0.110   4516
    192.168.0.110  255.255.255.255         On-link     192.168.0.110   4516
    192.168.0.255  255.255.255.255         On-link     192.168.0.110   4516
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4556
        224.0.0.0        240.0.0.0         On-link     192.168.0.110   4516
        224.0.0.0        240.0.0.0         On-link       10.10.10.94     36
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4556
  255.255.255.255  255.255.255.255         On-link     192.168.0.110   4516
  255.255.255.255  255.255.255.255         On-link       10.10.10.94    291

 

 

 

Please see my reply with the photo below.

Hello Rick,

I may be wrong but the router configuration is posted in the initial post of this thread.

 

The point here is that the PC is not installing a default route over the PPTP session with a lower metric than the default route via the Ethernet interface.

Looking at the original poster's show print of the affected PC, we see that the route metrics are already increased on the default route via Ethernet; what is missing is the entry for the PPTP VPN.

Also, I have noticed that the PPTP pool is something like 10.0.0.90 to 10.0.0.100 and your PC gets 10.0.0.99; this should mean that there are other clients connecting via PPTP to this router.

How are the other PPTP VPN clients behaving?

If they work, it is this specific PC that has some issue (a personal firewall, for example) that does not allow it to install the default route coming from the PPTP VPN.

 

Hope to help

Giuseppe

 

Thanks for the reply.
No one else is connecting to the router (just me) because I have not completed the configuration to share it with my clients.
Every time I connect to the router I get a different IP address from the pool.
I think that is not a problem;
the problem is that I don't get a default gateway.

@Giuseppe Larosa the original post included 2 sections of the router config. I would like to see the complete config.

 

The first route print did not show any address for the pptp and I asked about that. The second route print, accompanied by a screen shot showing an active vpn connection did include an address for the vpn - and it also included a default route associated with the vpn.

 

Perhaps in the next test, instead of doing a ping to some destination, please try a traceroute to that destination. Let's see how the traceroute exits the PC.

HTH

Rick
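
An added example, not part of any post in this thread: a small Python parser for `route print` rows that applies longest-prefix-then-lowest-metric selection to a subset of the two tables posted above, to show which adapter a given destination leaves through. The function names and the trimmed sample tables are this example's own.

```python
import ipaddress

# Sample input: a subset of rows copied from the two route tables in this thread.
BEFORE = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.110 35
192.168.0.0 255.255.255.0 On-link 192.168.0.110 291
"""
AFTER = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.110 4260
0.0.0.0 0.0.0.0 On-link 10.10.10.94 36
10.10.10.94 255.255.255.255 On-link 10.10.10.94 291
94.231.199.130 255.255.255.255 192.168.0.1 192.168.0.110 4261
192.168.0.0 255.255.255.0 On-link 192.168.0.110 4516
"""

def parse_routes(text):
    """Parse rows of: destination, netmask, gateway, interface, metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or blank line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        except ValueError:
            continue  # not an address/netmask pair
        routes.append({"net": net, "gateway": parts[2],
                       "iface": parts[3], "metric": int(parts[4])})
    return routes

def select_route(routes, dest):
    """Longest matching prefix wins; on a tie the lowest metric wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))

if __name__ == "__main__":
    for label, table in (("first table", BEFORE), ("second table", AFTER)):
        for dest in ("192.168.90.1", "94.231.199.130", "192.168.0.50"):
            r = select_route(parse_routes(table), dest)
            print(f"{label}: {dest} -> interface {r['iface']} "
                  f"gateway {r['gateway']} metric {r['metric']}")
```

With the first table, 192.168.90.1 leaves through the Ethernet adapter; with the second, the On-link default route with metric 36 sends it through 10.10.10.94, while the /32 host route and the local /24 stay on Ethernet.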

Hello guys!

I have the same problem as the topic starter. I have tried to configure L2TP over IPSec for remote access (Windows 10) to the office network. Router: Cisco C1111-8P (1RU), Cisco IOS XE Software, Version 16.12.04. So, like the topic starter, I get a connection with the router; I can verify this by:

----show crypto isakmp sa


IPv4 Crypto ISAKMP SA
dst                      src                          state       conn-id  status
**********.30     *********.130     QM_IDLE  1025   ACTIVE

----show crypto ipsec sa


This command shows me Status: ACTIVE(ACTIVE) but strange statistics:

#pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240
#pkts decaps: 1147, #pkts decrypt: 1147, #pkts verify: 1147

----show crypto session

Interface: GigabitEthernet0/0/0
Session status: UP-ACTIVE
Peer: *********.130 port 65496
Session ID: 0
IKEv1 SA: local *********.30/4500 remote *******.130/65496 Active
IPSEC FLOW: permit 17 host ******.30 port 1701 host *******.130 port 65496
Active SAs: 4, origin: dynamic crypto map

But the problem is that when I get connected and get an IP address from the pool (verified in the routing table of the router as C (connected), or with Windows ipconfig), I can't ping 192.168.121.1 (interface VLAN 1).

192.168.121.0/24 is variably subnetted, 3 subnets, 2 masks
C 192.168.121.0/24 is directly connected, Vlan1
L 192.168.121.1/32 is directly connected, Vlan1
C 192.168.121.20/32 is directly connected, Virtual-Access2.2

My config is below:

aaa new-model
aaa authentication login default local
aaa authorization network default local

vpdn-group L2TP_B***y
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication

username i**k password 0 rp**5

crypto isakmp policy 99
encryption 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key B**Y address 0.0.0.0

crypto ipsec transform-set C2S_L2TP_B**y esp-3des esp-sha-hmac
mode transport

crypto dynamic-map C2S_L2TP_L** 1
set nat demux
set transform-set C2S_L2TP_B**y
reverse-route

crypto map L2TP_B**y 1 ipsec-isakmp dynamic C2S_L2TP_L**

interface GigabitEthernet0/0/0
ip address ***.***.***.30 255.255.255.252
ip nat outside
negotiation auto
crypto map L2TP_B**y

interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
peer default ip address pool C2S_L2TP_B**y
ppp authentication ms-chap-v2
ppp ipcp dns 8.8.8.8
!
interface Vlan1
ip address 192.168.121.1 255.255.255.0
ip nat inside
!
ip local pool C2S_L2TP_B**y 192.168.121.15 192.168.121.20

ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 ***.***.***.29

ip access-list extended NAT
30 permit ip 192.168.121.0 0.0.0.255 any

I have found and tested a variety of configurations but with no success. This configuration seems to be good; at least I have no authentication problem, only something with routing. Thanks for help!

 

 

 
