VPN goes down after a reboot - 1941 configured with Virtual-PPP & pseudowire

Thomas Cotton
Level 1

Hi

I have a Cisco 1941 which I'm using to connect to a 3rd-party VPN service. I have got everything working perfectly, including route maps to send traffic outside the VPN if needed. However, when I reboot the router, interface Virtual-PPP1 stays down. I believe this to be because I have my Dialer1 interface configured in the pseudowire-class, and when I reboot the router the interface shows down when the initial VPN config is loaded and it doesn't include it. When it's working it shows:

pseudowire-class L2TP
encapsulation l2tpv2
ip local interface Dialer1

Then after I reboot it goes to

pseudowire-class PIA_L2TP
! Incomplete config [No ip local interface set]
encapsulation l2tpv2

To get it back working I have to re-add the Dialer1 interface to the pseudowire-class, reapply the pseudowire to the Dialer1 interface, and remove and re-add my route-map NAT statement.

Is this a common problem? I've upgraded to the latest IOS and it's still an issue. Full config for reference:

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cotton_1941
!
boot-start-marker
boot system flash c1900-universalk9-mz.SPA.155-3.M4a.bin
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
ip inspect name CBAC h323
ip inspect name CBAC sip
ip inspect name CBAC rtsp
ip inspect name CBAC dns
ip inspect name CBAC http
ip inspect name CBAC https
ip inspect name CBAC icmp
ip inspect name CBAC sip-tls
ip inspect name CBAC time
ip inspect name CBAC tcp router-traffic
ip inspect name CBAC udp router-traffic
ip inspect name CBAC smtp
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-3185888014
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3185888014
revocation-check none
rsakeypair TP-self-signed-3185888014
!
!
crypto pki certificate chain TP-self-signed-3185888014
certificate self-signed 01
***
quit
license udi pid CISCO1941/K9 sn FGL163611CS
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
***
!
redundancy
!
!
!
!
!
pseudowire-class PIA_L2TP
encapsulation l2tpv2
ip local interface Dialer1
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key *** address ***
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
mode transport
!
!
!
crypto map PIA_VPN 10 ipsec-isakmp
set peer ***
set transform-set ESP-AES256-SHA1
match address PIA
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description OUTSIDE
no ip address
ip tcp adjust-mss 1452
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description INSIDE
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip route-cache policy
ip tcp adjust-mss 1350
ip policy route-map VPN_BYPASS
duplex auto
speed auto
!
interface Virtual-PPP1
description Tunnel to PIA
ip address negotiated
ip nat outside
ip virtual-reassembly in
ppp eap refuse
ppp chap hostname ***
ppp chap password 7 ***
ppp ipcp address accept
no cdp enable
pseudowire *** 1 encapsulation l2tpv2 pw-class PIA_L2TP
!
interface Dialer1
description ***FttC***
mtu 1492
ip address negotiated
ip access-group 100 in
ip access-group 102 out
no ip redirects
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip inspect CBAC out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
****
no cdp enable
crypto map PIA_VPN
!
ip forward-protocol nd
!
!
ip dns server
ip nat inside source route-map RM-G1 interface Dialer1 overload
ip nat inside source route-map RM-G2 interface Virtual-PPP1 overload
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip ssh version 2
!
ip access-list extended PIA_LONDON
permit udp host *** eq 1701 host *** eq 1701
ip access-list extended VPN_BYPASS
permit esp any any
permit ahp any any
permit udp any any eq non500-isakmp
permit udp any any eq 1701
!
!
route-map VPN_BYPASS permit 10
match ip address VPN_BYPASS
set interface Dialer1
!
route-map RM-G1 permit 10
match interface Dialer1
!
route-map RM-G2 permit 10
match interface Virtual-PPP1
!
!
access-list 100 permit esp host **** host ****
access-list 100 deny tcp any any
access-list 100 deny udp any any
access-list 100 deny 0 any any
access-list 100 deny ip any any
access-list 100 deny gre any any
access-list 100 deny ipinip any any
access-list 100 deny pcp any any
access-list 100 deny nos any any
access-list 100 deny esp any any
access-list 100 deny ahp any any
access-list 100 deny icmp any any
access-list 100 remark INBOUND_ALLOW
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 102 remark Outbound_Block
access-list 102 deny tcp any any eq smtp
access-list 102 permit ip any any
access-list 102 permit esp any any
access-list 102 permit gre any any
access-list 102 permit ahp any any
!
control-plane
!
!
***

1 Reply

Thomas Cotton
Level 1

I read another blog which stated that setting a static IP on the dialer interface would help. I do have a static IP from my ISP; however, as I'm given a /32 IP automatically, I haven't been able to statically configure it and get it to work. I can set it on the interface but then cannot get it to route.

Can anyone assist?

Thanks
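An added example, not part of the thread above: a small Python lint that checks a saved `show running-config` for the ordering condition the first post describes. It assumes (this is not confirmed anywhere on the page) that IOS applies the startup-config top to bottom, so a pseudowire-class whose `ip local interface` names an interface that is only created further down the file, as Dialer1 is in the posted config, can be applied before that interface exists. The script reports such forward references, classes with no local interface at all, and interfaces whose `pseudowire ... pw-class` line points at a flagged or missing class. The sample config and the 203.0.113.10 peer address are constructed placeholders, and the script changes nothing on the router.

```python
"""Lint a saved Cisco IOS running-config for pseudowire-class ordering
problems.  Added example; it is not code from the original post.

Assumption (not confirmed on the page): IOS applies the startup-config
top to bottom, so a pseudowire-class whose 'ip local interface' names an
interface created further down the file is applied before that interface
exists.  The script only reports the condition; it changes nothing.
"""
import re
from dataclasses import dataclass
from typing import Optional

_PW_CLASS = re.compile(r"^pseudowire-class\s+(\S+)")
_INTERFACE = re.compile(r"^interface\s+(\S+)")
_LOCAL_IF = re.compile(r"^\s*ip local interface\s+(\S+)")
_PW_REF = re.compile(
    r"^\s*pseudowire\s+\S+\s+\d+\s+encapsulation\s+\S+\s+pw-class\s+(\S+)")


@dataclass
class Finding:
    severity: str   # "error", "warning" or "info"
    line: int       # 1-based line number in the config text
    message: str


def lint_config(text: str) -> list[Finding]:
    """Return ordering/consistency findings for pseudowire-class blocks."""
    classes: dict[str, dict] = {}            # name -> line / local_if info
    interfaces: dict[str, int] = {}          # name -> line of 'interface X'
    pw_refs: list[tuple[str, int, str]] = []  # (interface, line, pw-class)
    block: Optional[tuple[str, str]] = None   # ("class"|"interface", name)

    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            block = None                      # '!' closes an IOS section
            continue
        if m := _PW_CLASS.match(line):
            block = ("class", m.group(1))
            classes[m.group(1)] = {"line": lineno, "local_if": None,
                                   "local_if_line": None}
            continue
        if m := _INTERFACE.match(line):
            block = ("interface", m.group(1))
            interfaces[m.group(1)] = lineno
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "class" and (m := _LOCAL_IF.match(line)):
            classes[name]["local_if"] = m.group(1)
            classes[name]["local_if_line"] = lineno
        elif kind == "interface" and (m := _PW_REF.match(line)):
            pw_refs.append((name, lineno, m.group(1)))

    findings: list[Finding] = []
    broken: set[str] = set()
    for name, info in classes.items():
        local_if = info["local_if"]
        if local_if is None:
            findings.append(Finding("error", info["line"],
                f"pseudowire-class {name} has no 'ip local interface'"))
            broken.add(name)
        elif local_if not in interfaces:
            findings.append(Finding("error", info["local_if_line"],
                f"pseudowire-class {name} names {local_if}, which is not defined"))
            broken.add(name)
        elif interfaces[local_if] > info["line"]:
            findings.append(Finding("warning", info["local_if_line"],
                f"pseudowire-class {name} names {local_if}, defined later at line "
                f"{interfaces[local_if]} (forward reference at boot)"))
            broken.add(name)
    for iface, lineno, cls in pw_refs:
        if cls not in classes:
            findings.append(Finding("error", lineno,
                f"interface {iface} uses undefined pw-class {cls}"))
        elif cls in broken:
            findings.append(Finding("info", lineno,
                f"interface {iface} depends on pw-class {cls}, flagged above"))
    return findings


# Constructed sample mirroring the order in the posted config; the peer
# address is a placeholder from the 203.0.113.0/24 documentation range.
SAMPLE_CONFIG = """\
version 15.5
hostname Cotton_1941
!
pseudowire-class PIA_L2TP
 encapsulation l2tpv2
 ip local interface Dialer1
!
interface Virtual-PPP1
 description Tunnel to PIA
 ip address negotiated
 pseudowire 203.0.113.10 1 encapsulation l2tpv2 pw-class PIA_L2TP
!
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
!
"""

if __name__ == "__main__":
    for f in lint_config(SAMPLE_CONFIG):
        print(f"{f.severity:7} line {f.line}: {f.message}")
```

Feed it the text of `show running-config` saved to a file in place of SAMPLE_CONFIG. A clean pass only means no ordering problem is visible in the file; whether the tunnel actually comes up after a reload still has to be confirmed on the box, for example with `show interfaces Virtual-PPP1` after the reboot.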
