05-04-2017 07:41 AM - edited 03-08-2019 10:26 AM
Approximately following this example (am hoping this is sufficient without me pasting everything in here):
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14122-24.html
I have been attempting to configure an IOS Router (which has a dynamic IP address) to be a client on an L2TP/IPSec VPN. When I follow the above example, everything works fine. Problem is when the WAN address of the LNS changes, it's all over.
Dynamic IP L2TP/IPSec clients (Android/Windows) work just fine on my setup, but quite exactly how this is done on an IOS Router I cannot figure out for the life of me.
The deal breaker seems to be this line of configuration - which is used on the crypto map match statement:
access-list 101 permit udp host 20.1.1.2 eq 1701 host 20.1.1.1 eq 1701
Because the LNS's IP would no longer be 20.1.1.2, that statement becomes useless. I attempted to change it to:
access-list 101 permit udp any host 20.1.1.1 eq 1701
But that results in the IPSec failing to negotiate - specifically this message is seen on the LAC:
IPSEC(process_kmi_proxy): rejected peer's request of supporting wildcard remote proxy (addr/mask=0.0.0.0/0.0.0.0) while we have acl-less dynamic map
Which is fair enough I suppose. Question is, how do I get around this problem without removing L2TP from the picture?
05-15-2017 01:35 AM
Having spent several days on this now, I've pretty much given up.
Unless anyone else knows/finds something, I cannot see any way to protect L2TP negotiation packets (UDP 1701) with IPSec, if one of the routers has a dynamic IP address.
As I mentioned above, the killer is the need for the IPSec 'traffic of interest' ACL which must specify the IP address of both endpoints. There does not seem to be any way for the LNS router to figure this out dynamically.
My solution for the time being: Move the IPSec inside of L2TP, i.e. put the crypto map statement on the Virtual-PPP1 / Virtual-Template1 interfaces.
Not ideal because it means my negotiation is now unencrypted, but better than nothing!