L2TP/IPSec VPN - Static IP to Dynamic IP

Matthew Millman
Level 1

Approximately following this example (am hoping this is sufficient without me pasting everything in here):

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14122-24.html

I have been attempting to configure an IOS Router (which has a dynamic IP address) to be a client on an L2TP/IPSec VPN. When I follow the above example, everything works fine. Problem is when the WAN address of the LNS changes, it's all over.

Dynamic IP L2TP/IPSec clients (Android/Windows) work just fine on my setup, but quite exactly how this is done on an IOS Router I cannot figure out for the life of me.

The deal breaker seems to be this line of configuration - which is used on the crypto map match statement: 

access-list 101 permit udp host 20.1.1.2 eq 1701 host 20.1.1.1 eq 1701

Because the LNS's IP would no longer be 20.1.1.2, that statement becomes useless. I attempted to change it to:

access-list 101 permit udp any host 20.1.1.1 eq 1701

But that results in the IPSec failing to negotiate - specifically this message is seen on the LAC:

IPSEC(process_kmi_proxy): rejected peer's request of supporting wildcard remote proxy (addr/mask=0.0.0.0/0.0.0.0) while we have acl-less dynamic map

Which is fair enough I suppose. Question is, how do I get around this problem without removing L2TP from the picture?

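For reference, the standard IOS pattern for an IPsec peer whose address is not known in advance, shown here as an added example that is not part of the original post or the linked Cisco document: the static-IP side uses a dynamic crypto map with no match ACL and a wildcard pre-shared key, so it takes the UDP 1701 proxy identities from whatever the initiator proposes, while only the dynamic-IP side carries a crypto ACL. Interface names, addresses (192.0.2.1 for the static side, 203.0.113.10 for the dynamic side's current lease), map and transform-set names and the pre-shared key are all assumptions.

```ios
! ===== Static-IP side (responder, accepts a peer at any address) =====
! Added example; all names, addresses and the key are assumed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK: the initiator's address is not known ahead of time.
crypto isakmp key EXAMPLE-PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Dynamic crypto map with NO "match address": the selectors come from the
! initiator's proposal. This is the "acl-less dynamic map" named in the log
! line quoted above; a 0.0.0.0/0 selector proposed by the initiator is
! rejected in that state, which is why "permit udp any" fails to negotiate.
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
!
crypto map L2TP-CM 10 ipsec-isakmp dynamic L2TP-DYN
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map L2TP-CM

! ===== Dynamic-IP side (initiator) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
!
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! The crypto ACL must name this router's CURRENT WAN address as the source.
! 203.0.113.10 is the assumed DHCP lease; this line has to be updated whenever
! the lease changes, which is exactly the gap the post describes.
access-list 101 permit udp host 203.0.113.10 eq 1701 host 192.0.2.1 eq 1701
!
crypto map L2TP-CM 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set L2TP-TS
 match address 101
!
interface GigabitEthernet0/0
 ip address dhcp
 crypto map L2TP-CM
```

With this layout the static side no longer needs to know the initiator's address, and the wildcard PSK means IKE identity is the only thing tying an incoming negotiation to a key, so a per-peer key or certificate authentication is preferable where the platform supports it. What the layout does not remove is the explicit source address in the initiator's ACL: an "any" source is sent to the peer as a 0.0.0.0/0 proxy and refused, so the ACL entry still has to track the dynamic lease.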
1 Reply

Matthew Millman
Level 1

Having spent several days on this now, I've pretty much given up.

Unless anyone else knows/finds something, I cannot see any way to protect L2TP negotiation packets (UDP 1701) with IPSec, if one of the routers has a dynamic IP address.

As I mentioned above, the killer is the need for the IPSec 'traffic of interest' ACL which must specify the IP address of both endpoints. There does not seem to be any way for the LNS router to figure this out dynamically.

My solution for the time being: Move the IPSec inside of L2TP. i.e. put the crypto map statement on the Virtual-PPP1 / Virtual-Template1 interfaces.

Not ideal because it means my negotiation is now unencrypted, but better than nothing!
