Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2334
Views
0
Helpful
2
Replies

L2TP/IPSEC passthrough C2921 issues

Go to solution
aleksa
Level 1
Level 1

‎03-29-2017 04:40 AM - edited ‎02-21-2020 09:13 PM

Hi all,

as my colleague said, PPTP being no longer supported option for Mac users, we can't be alone in the Universe with our issue :-)

Topology is following

Remote W10 computer -- Internet -- C2921 -- W2012 server

We configured L2TP/IPSec passthrough on C2921.

We wanted to use L2TP/IPSec with pre-shared passphrase mode, terminating on LAN W2012 server behind the router.

PPTP and L2TP/IPsec VPN connections work from LAN.

PPTP works from remote machine

L2TP/IPSec doesn't work from remote machine

Cisco router is configured with Loopback public IP, got NAT configured, seems working, will paste below.

Why using loopback - there are existing wokring L-2-L IPSec VPN-s

Remote connections don't work. I did packet capture on both W2012 server and remote W10, I can see exchange of UDP 500 and 4500 packets.

W10 log viewer didn't give me any meaningful error code.

Cisco config (192.168.0.16 is W2012 server):

RTR#sh ip nat translations 
Pro Inside global     Inside local         Outside local         Outside global
...
tcp <Gi0/0_IP>:63123  192.168.0.15:63123   178.255.155.115:5938  178.255.155.115:5938
esp <Loopb_IP>:0      192.168.0.16:0       ---                   ---
udp <Loopb_IP>:123    192.168.0.16:123     13.79.154.18:123      13.79.154.18:123
udp <Loopb_IP>:500    192.168.0.16:500     <RemoteW10_IP>:42734  <RemoteW10_IP>:42734
udp <Loopb_IP>:500    192.168.0.16:500     ---                   ---
udp <Loopb_IP>:1701   192.168.0.16:1701    ---                   ---
udp <Loopb_IP>:4500   192.168.0.16:4500    <RemoteW10_IP>:42736  <RemoteW10_IP>:42736
udp <Loopb_IP>:4500   192.168.0.16:4500    ---                   ---
gre <Loopb_IP>:14375  192.168.0.16:14375   <RemoteW10_IP>:14375  <RemoteW10_IP>:14375
udp <Loopb_IP>:53580  192.168.0.16:53580   139.130.4.4:53        139.130.4.4:53
...

interface Loopback7
 ip address <Loopb_IP> 255.255.255.252 - this is public IP address
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0
 description ISP_UPLINK
 ip address <Gi0/0_IP> 255.255.255.252 - Public IP
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map CRYPTO_MAP <-- for site-to-site IPSec tunnels
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.0.254 255.255.255.0
 ip helper-address 192.168.0.1
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source list VPN_SERV interface Loopback7 overload
ip nat inside source static esp 192.168.0.16 interface Loopback7
ip nat inside source static udp 192.168.0.16 500 <Loopb_IP> 500 extendable
ip nat inside source static udp 192.168.0.16 1701 <Loopb_IP> 1701 extendable
ip nat inside source static tcp 192.168.0.16 1723 <Loopb_IP> 1723 extendable
ip nat inside source static udp 192.168.0.16 4500 <Loopb_IP> 4500 extendable

ip nat inside source static tcp 192.168.0.5 21 <Gi0/0_IP> 21 extendable
ip nat inside source static tcp 192.168.0.17 81 <Gi0/0_IP> 81 extendable
ip nat inside source static tcp 192.168.0.10 8016 <Gi0/0_IP> 8016 extendable
ip nat inside source static tcp 192.168.0.10 8116 <Gi0/0_IP> 8116 extendable
ip nat inside source static tcp 192.168.0.10 8200 <Gi0/0_IP> 8200 extendable
ip nat inside source static tcp 192.168.0.10 8201 <Gi0/0_IP> 8201 extendable
ip nat inside source static tcp 192.168.0.10 10019 <Gi0/0_IP> 10019 extendable


ip route 0.0.0.0 0.0.0.0 <Gi0/0_IP>
!
ip access-list extended SITE4
 permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended SITE8
 permit ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended SITE5
 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended SITE1
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SITE7
 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended SITE2
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended SITE3
 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key KEY address <SITE4> 
crypto isakmp key KEY address <SITE8>
crypto isakmp key KEY address <SITE5>
crypto isakmp key KEY address <SITE1>
crypto isakmp key KEY address <SITE7>
crypto isakmp key KEY address <SITE2>
crypto isakmp key KEY address <SITE3>
!
!
crypto ipsec transform-set 3DESHA esp-3des esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile CLIENT-IPSEC-PROF
 set transform-set 3DESHA 
!
!
crypto map CRYPTO_MAP 10 ipsec-isakmp 
 set peer <SITE4> 
 set transform-set 3DESHA 
 match address SITE4
crypto map CRYPTO_MAP 15 ipsec-isakmp 
 set peer <SITE8> 
 set transform-set 3DESHA 
 match address SITE4
...
!
ip access-list extended NAT
 deny ip any 192.168.1.0 0.0.0.255
 deny ip any 192.168.2.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.255
 deny ip any 192.168.5.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.8.0 0.0.0.255
 deny ip any 192.168.254.0 0.0.0.255
 deny ip host 192.168.0.16 any
 deny ip host <Loopb_IP> any
 permit ip any any
ip access-list extended VPN_SERV
 deny ip host 192.168.0.16 192.168.4.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.8.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.5.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.1.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.7.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.2.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.3.0 0.0.0.255
 permit ip host 192.168.0.16 any

Any thoughts, suggestions?

Many thanks!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎03-30-2017 07:08 PM

You can't use LT2P over IPSec pass through and IPSec site to site VPN at the same time - it is the same ports and protocols.

I would suggest you change to using Cisco AnyConnect for remote VPN users.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎03-30-2017 07:08 PM

You can't use LT2P over IPSec pass through and IPSec site to site VPN at the same time - it is the same ports and protocols.

I would suggest you change to using Cisco AnyConnect for remote VPN users.

0 Helpful

Go to solution
aleksa
Level 1
Level 1

‎03-30-2017 07:46 PM

!!!!! SOLVED !!!!!!

Hi all,

just an update.

The configuration above is actually working.

Configuration above uses two public IP-s, one for customer's existing site-to-site VPN-s.

The other public IP, being on loopback7, was used for remote users client VPN L2TP/IPSEC.

Reason being, while the site-to-site VPN-s are terminating on Cisco router, 

the client VPN-s are terminating on Windows server behind the router,

both site-to-site and L2TP over IPSec client VPN-s use the same UDP ports 500 and 4500.

In other words, there would be conflict over the above UDP ports if separate public IP-s were not used.

Issue was actually with Windows machines not being able to use NAT-T by default.

Once I configured NAT-T by registry change, as per article below, I got it working without a single change of the above configuration.

https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows-vista-and-in-windows-server-2008

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents