CISCO IOS 891F as L2TP VPN Client: Kill Switch and Reconnection
04-13-2020 09:35 PM
My router, with rare exceptions, was solidly running a VPN to my provider for select devices on my network using PBR with the config below.
1. Now, in those rare exceptions when the link would go down, those select devices would connect to the internet via the default route, unprotected. Therefore I wanted to know how I could add a kill switch, because all the examples I find delete the default route, killing internet access for the entire network, not just my select devices.
2. The second question is that, although the link mostly would come back automatically (e.g. when I kill the VPN connection via the provider control panel), there were occasions when I had to log in and issue "clear crypto isakmp" and "clear crypto session" to bring it back. Thus, I would also like to know how I could improve automatic reconnection, and whether there is a way for the Cisco router to alert me about the link going down for an extended period of time.
3. While I am at it, I was wondering what the best way to prevent DNS leaking is. Most internet advice was around source interface and DNS view, but I ended up with "ip route 1.1.1.1 255.255.255.255 Virtual-PPP1" as I am using Cloudflare DNS as my resolver. Thoughts?
4. To make the entire thing work I did place the Cisco router behind a pfSense router because of the ACL statement "permit udp host 192.168.100.40 eq 1701 host [VPNIP] eq 1701". Since I am on a residential dynamic IP, there is no workaround to make this L2TP client config work if the Cisco WAN IP was dynamically assigned, correct?
Thank you.
```
! --- IKE phase 1 policy and pre-shared key for the provider peer ---
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
exit
!
crypto isakmp key [VPNKEY] address [VPNIP]
!
! --- IPsec phase 2: transport mode, protecting only the L2TP control/data traffic ---
crypto ipsec transform-set L2TP esp-aes esp-md5-hmac
 mode transport
exit
!
crypto map outside_map 10 ipsec-isakmp
 set peer [VPNIP]
 set transform-set L2TP
 match address L2TP_TO_NY
exit
!
! Only UDP/1701 between this router's WAN address and the provider is encrypted
ip access-list extended L2TP_TO_NY
 permit udp host 192.168.100.40 eq 1701 host [VPNIP] eq 1701
exit
!
interface GigabitEthernet8
 crypto map outside_map
exit
!
! --- L2TPv2 client side: pseudowire terminated on a Virtual-PPP interface ---
pseudowire-class L2TP_CLIENT
 encapsulation l2tpv2
 ip local interface GigabitEthernet8
exit
!
interface Virtual-PPP1
 description L2TP Tunnel
 ip tcp adjust-mss 1350
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 ppp eap refuse
 ppp chap hostname [MYUSERNAME]
 ppp chap password 0 [MYPASSWORD]
 ppp ipcp address accept
 no cdp enable
 pseudowire [VPNIP] 1 pw-class L2TP_CLIENT
exit
!
! Host route so the tunnel endpoint itself is always reached via the WAN, never via the tunnel
ip route [VPNIP] 255.255.255.255 GigabitEthernet8 dhcp 1
!
! --- Selecting which LAN traffic goes through the VPN (used for both PBR and NAT) ---
ip access-list extended VPN-NAT-LIST
 !exclude all communication between LAN IPs
 deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 172.16.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 192.168.0.0 0.0.255.255 172.16.30.0 0.0.0.255
 deny ip 172.16.30.0 0.0.0.255 10.10.0.0 0.0.255.255
 deny ip 10.10.0.0 0.0.255.255 172.16.30.0 0.0.0.255
 !include one host on VLAN10
 permit ip host 192.168.10.77 any
 !exclude my voip provider IPs
 deny ip 192.168.0.0 0.0.255.255 185.45.152.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 185.45.155.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 37.139.38.0 0.0.0.255
 deny ip 192.168.0.0 0.0.255.255 195.122.19.0 0.0.0.31
 !include the entire VLAN40
 permit ip 192.168.40.0 0.0.0.255 any
exit
!
route-map VPN_CLIENT_MAP permit 10
 match ip address VPN-NAT-LIST
 set interface Virtual-PPP1
exit
!
ip nat inside source list VPN-NAT-LIST interface Virtual-PPP1 overload
!
interface Vlan10
 ip tcp adjust-mss 1200
 ip nat inside
 ip policy route-map VPN_CLIENT_MAP
exit
!
interface Vlan40
 ip tcp adjust-mss 1200
 ip nat inside
 ip policy route-map VPN_CLIENT_MAP
exit
!
!finally the default route that allows the rest of my network to connect
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp 1
```
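The following is an added example, not part of the original post, that addresses questions 1 and 2 against the config above: a PBR kill switch that only affects the policy-routed hosts, plus IP SLA/track-driven reconnection and alerting. It reuses the post's own names (VPN_CLIENT_MAP, VPN-NAT-LIST, Virtual-PPP1); [PROBE_IP], [SMTP_SERVER], [ADMIN_EMAIL] and [ROUTER_EMAIL] are placeholders to fill in, and the SLA/track/EEM numbers are arbitrary choices.

```cisco
! Added example (not the original poster's config). Placeholders in [brackets].
!
! 1. Kill switch. PBR "set interface" accepts a list and uses the first
!    interface that is up. Appending Null0 means: tunnel up -> selected hosts
!    go through Virtual-PPP1; tunnel down -> their packets are discarded
!    instead of falling through to the default route. Everything not matched
!    by VPN-NAT-LIST still uses the normal default route.
route-map VPN_CLIENT_MAP permit 10
 match ip address VPN-NAT-LIST
 set interface Virtual-PPP1 Null0
exit
!
! 2. Detect a tunnel that is "up" on the interface but no longer passing
!    traffic. The probe is sourced from Virtual-PPP1 so it can only succeed
!    through the VPN. [PROBE_IP] must be an address reachable only via the
!    tunnel (e.g. the provider's tunnel-side gateway).
ip sla 10
 icmp-echo [PROBE_IP] source-interface Virtual-PPP1
 frequency 30
exit
ip sla schedule 10 life forever start-time now
!
! Dampen flaps: declare down only after 90 s of failures, up after 30 s.
track 10 ip sla 10 reachability
 delay down 90 up 30
exit
!
! 3. Reconnect and alert. When the track goes down, run the same commands
!    the post used by hand, log it, and (optionally) send mail. The mail
!    action needs a reachable SMTP server; drop action 5.0 if you only want
!    the syslog entry.
event manager applet VPN_TUNNEL_DOWN
 event track 10 state down
 action 1.0 syslog priority warnings msg "Virtual-PPP1 unreachable for 90s; clearing crypto state"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto isakmp"
 action 4.0 cli command "clear crypto session"
 action 5.0 mail server "[SMTP_SERVER]" to "[ADMIN_EMAIL]" from "[ROUTER_EMAIL]" subject "VPN tunnel down" body "L2TP/IPsec tunnel on Virtual-PPP1 was unreachable; crypto state has been cleared."
exit
```

Two caveats for anyone adapting this. The Null0 fallback only engages when Virtual-PPP1 is actually down (line protocol down), which is the case the post describes when the provider tears the session down; a tunnel that stays "up" but blackholes traffic is exactly what the SLA probe and EEM applet are there to catch, and if the probe target is wrong the applet will never fire. Also, Null0 drops silently, so selected hosts will see timeouts rather than errors during an outage; that is the intended kill-switch behaviour, but it is worth knowing when troubleshooting.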
Labels: Other Switching
