CISCO IOS 891F as L2TP VPN Client: Kill Switch and Reconnection

lukepayton
Level 1

My router, with rare exceptions, was solidly running a VPN to my provider for select devices on my network, using PBR with the config below.

1. Now, in those rare exceptions when the link would go down, those select devices would connect to the internet via the default route, unprotected. Therefore I wanted to know how I could add a kill switch, because all the examples I find delete the default route, killing internet access for the entire network, not just my select devices.

2. Second question: although the link mostly would come back automatically (e.g. when I kill the VPN connection via the provider control panel), there were occasions when I had to log in and issue "clear crypto isakmp" and "clear crypto session" to bring it back. Thus, I would also like to know how I could improve automatic reconnection, and whether there is a way for the Cisco router to alert me about the link going down for an extended period of time.

3. While I am at it, I was wondering what is the best way to prevent DNS leaking. Most internet advice was around source interface and DNS view, but I ended up with "ip route 1.1.1.1 255.255.255.255 Virtual-PPP1" as I am using Cloudflare DNS as my resolver. Thoughts?

4. To make the entire thing work, I did place the Cisco router behind a pfSense router because of the ACL statement "permit udp host 192.168.100.40 eq 1701 host [VPNIP] eq 1701". Since I am on a residential dynamic IP, there is no workaround to make this L2TP client config work if the Cisco WAN IP was dynamically assigned, correct?

thank you

crypto isakmp policy 10
encr 3des
hash sha
authentication pre-share
group 2
lifetime 86400
exit
!
crypto isakmp key [VPNKEY] address [VPNIP]
!
crypto ipsec transform-set L2TP esp-aes esp-md5-hmac
mode transport
exit
!
crypto map outside_map 10 ipsec-isakmp
set peer [VPNIP]
set transform-set L2TP
match address L2TP_TO_NY
exit
!
ip access-list extended L2TP_TO_NY
permit udp host 192.168.100.40 eq 1701 host [VPNIP] eq 1701
exit
!
interface GigabitEthernet8
crypto map outside_map
exit
!
pseudowire-class L2TP_CLIENT
encapsulation l2tpv2
ip local interface GigabitEthernet8
exit
!
interface Virtual-PPP1
description L2TP Tunnel
ip tcp adjust-mss 1350
ip address negotiated
ip nat outside
ip virtual-reassembly
ppp eap refuse
ppp chap hostname [MYUSERNAME]
ppp chap password 0 [MYPASSWORD]
ppp ipcp address accept
no cdp enable
pseudowire [VPNIP] 1 pw-class L2TP_CLIENT
exit
exit
!
ip route [VPNIP] 255.255.255.255 GigabitEthernet8 dhcp 1
!
ip access-list extended VPN-NAT-LIST
!exclude all communication between LAN IPs
deny ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
deny ip 172.16.30.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.0.0 0.0.255.255 172.16.30.0 0.0.0.255
deny ip 172.16.30.0 0.0.0.255 10.10.0.0 0.0.255.255
deny ip 10.10.0.0 0.0.255.255 172.16.30.0 0.0.0.255
!include one host on VLAN10
permit ip host 192.168.10.77 any
!exclude my voip provider IPs
deny ip 192.168.0.0 0.0.255.255 185.45.152.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 185.45.155.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 37.139.38.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 195.122.19.0 0.0.0.31
!include the entire VLAN40
permit ip 192.168.40.0 0.0.0.255 any
exit
!
route-map VPN_CLIENT_MAP permit 10
match ip address VPN-NAT-LIST
set interface Virtual-PPP1
exit
!
ip nat inside source list VPN-NAT-LIST interface Virtual-PPP1 overload
!
interface Vlan10
ip tcp adjust-mss 1200
ip nat inside
ip policy route-map VPN_CLIENT_MAP
exit
!
interface Vlan40
ip tcp adjust-mss 1200
ip nat inside
ip policy route-map VPN_CLIENT_MAP
exit
!
!
!
!finally the default route that allows the rest of my network to connect
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 dhcp 1
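Added example (not part of the original post, and not a vendor-supplied configuration): one way to address questions 1 to 3 on IOS using the identifiers already present in the config above. The 120-second hold-down, the administrative distance 250 for the blackhole route, and the [MAILSERVER] and [ALERTEMAIL] placeholders are my assumptions; everything else reuses the poster's names.

```ios
! --- Question 1: per-device kill switch ---
! "set interface" takes a list and uses the first interface that is up.
! When Virtual-PPP1 is down, matched traffic falls through to Null0 and is
! dropped. Traffic that does not match VPN-NAT-LIST never enters this
! route-map, so the rest of the LAN keeps using the default route.
route-map VPN_CLIENT_MAP permit 10
 match ip address VPN-NAT-LIST
 set interface Virtual-PPP1 Null0
exit
!
! --- Question 3: keep 1.1.1.1 from leaking out the default route ---
! The existing route vanishes when Virtual-PPP1 goes down; this floating
! static route (AD 250, assumed value) then takes over and blackholes the
! resolver instead of letting queries escape via GigabitEthernet8.
ip route 1.1.1.1 255.255.255.255 Virtual-PPP1
ip route 1.1.1.1 255.255.255.255 Null0 250
!
! --- Question 2: automatic recovery and alerting ---
! Track the tunnel's line protocol and only react after it has stayed
! down for 120 s (assumed), so a normal quick reconnect is left alone.
track 10 interface Virtual-PPP1 line-protocol
 delay down 120
exit
!
! EEM applet fires once on the up->down transition of track 10.
! It logs, resets the crypto state (the same two commands the poster
! runs by hand), and sends an e-mail via the placeholder mail server.
event manager applet VPN_TUNNEL_DOWN
 event track 10 state down
 action 1.0 syslog priority warnings msg "Virtual-PPP1 down for 120s, resetting crypto session"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session"
 action 4.0 cli command "clear crypto isakmp"
 action 5.0 mail server "[MAILSERVER]" to "[ALERTEMAIL]" from "router@example.invalid" subject "L2TP VPN tunnel down" body "Virtual-PPP1 line protocol down at $_event_pub_time; crypto session cleared"
exit
```

Two caveats worth checking before relying on this. First, the floating Null0 route blackholes 1.1.1.1 for every host on the LAN while the tunnel is down, not only the PBR-selected ones, so hosts outside the VPN group need a different resolver or a different route. Second, confirm the pieces are actually active with `show track 10`, `show route-map VPN_CLIENT_MAP` (the policy-routing hit counters should stop climbing for the VPN group while the tunnel is down) and `show event manager policy registered`, and watch the syslog message after the next outage before trusting the e-mail path.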
 

 

 

0 Replies