
891 Router to Internet VPN provider

leechap
Level 1

Hello,

 

Please forgive my rather limited knowledge of Cisco devices. It all remains fairly new to me. I've exhausted many hours on what is most likely a simple oversight somewhere on my part, so hopefully someone can enlighten me.

 

I'm trying to configure a Cisco 891 router as a VPN remote, connecting via my ISP with the NordVPN service. NordVPN seem to offer most of the main protocols, so I've been trying to set up through L2TP/IPSec, for which they provide the following settings:

  Peer: uk58.nordvpn.com
  Credentials: NordVPN Username and Password
  PPP Authentication to PAP/CHAP/MS-CHAP/MS-CHAPv2;
  VJ Compression to On;
  Pre-Shared Key under IKE Authentication Method. The key is: nordvpn

 

Gi0 on the 891 is connected to a port on my ISP provided router, which, unfortunately I cannot access to adjust, so hopefully it's nothing getting blocked there. I can get a VPN on my phone, but I guess it's likely using the OpenVPN protocol.

 

I've tried getting a connection through VPDN, EzVPN and now L2TP with a Virtual-PPP1 interface (config below). I've referred to numerous posts here to get to where I am, but when I try to connect I get the error: "Tunnel auth failed for mismatch". I can think of a number of things that could be wrong or that I've messed up. Maybe there is a much better way of doing this, or maybe I'm missing something simple that's preventing my current setup from authenticating - either way, I'd appreciate any guidance.

Thanks - Lee.

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
enable secret 5 *****
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp VPDN_AUTH local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.255
!
ip dhcp pool LAN-DHCP
 import all
 network 192.168.0.0 255.255.254.0
 default-router 192.168.0.1
 dns-server 8.8.8.8 8.8.4.4
 domain-name local.lnm
!
!
ip domain name LAN
ip cef
no ipv6 cef
l2tp-class NordL2TPclass
 hidden
 authentication
 password nordvpn
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
vpdn multihop
!
!
!
!
!
!
!
license udi pid CISCO891-K9 sn ******
!
!
username lee privilege 15 secret 5 *******
username remote password 0 *********
!
!
!
!
!
pseudowire-class NordPWclass
 encapsulation l2tpv2
 protocol l2tpv2 NordL2TPclass
 ip local interface GigabitEthernet0
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface FastEthernet5
 no ip address
 shutdown
!
interface FastEthernet6
 no ip address
 shutdown
!
interface FastEthernet7
 no ip address
 shutdown
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description INTERNET
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 no peer neighbor-route
 ppp authentication pap chap callout
 ppp chap hostname NORD-USERNAME
 ppp chap password 0 NORD-PASSWORD
 ppp pap sent-username NORD-USERNAME password 0 NORD-PASSWORD
 no cdp enable
 pseudowire 185.38.150.117 1 pw-class NordPWclass
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 description USER DEVICES
 ip address 192.168.0.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list LAN-IP-ACL interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.254 254
ip route 0.0.0.0 0.0.0.0 192.168.10.254 254
ip route 185.38.150.117 255.255.255.255 GigabitEthernet0 192.168.10.254
ip route 185.38.150.117 255.255.255.255 GigabitEthernet0 dhcp
!
ip access-list standard LAN-IP-ACL
 permit 192.168.0.0 0.0.1.255
!
ip access-list extended NAT
 deny   ip any host 185.38.150.117
 permit ip any any
!
!
!
!
!
route-map PERFORM-NAT permit 10
 match ip address NAT
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0
 password *******
 transport input all
line vty 1
 exec-timeout 60 0
 password *******
 transport input all
line vty 2 4
 password *******
 transport input all
!
end
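
An added example, not part of the original post or of Cisco's or NordVPN's tooling: a small Python check that reports which protocol layer each shared secret in a config like the one above is attached to. In IOS, `password` under an `l2tp-class` with `authentication` is the L2TP control-channel (tunnel) secret, while an IKE pre-shared key is configured through `crypto isakmp key` or a keyring; the sample text, the finding names and the `EXAMPLE-PSK` placeholder are constructed for illustration.

```python
import re

# Constructed sample: L2TP-related lines shaped like the config posted above.
SAMPLE = """\
l2tp-class NordL2TPclass
 authentication
 password nordvpn
!
pseudowire-class NordPWclass
 encapsulation l2tpv2
 protocol l2tpv2 NordL2TPclass
!
interface Virtual-PPP1
 ppp pap sent-username NORD-USERNAME password 0 NORD-PASSWORD
 pseudowire 185.38.150.117 1 pw-class NordPWclass
!
"""

def sections(config):
    """Map each top-level IOS command to the indented sub-commands under it."""
    out, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(config):
    """Report which protocol layer each shared secret in the config belongs to."""
    sec, findings = sections(config), []
    for top, subs in sec.items():
        if top.startswith("l2tp-class ") and "authentication" in subs \
                and any(s.startswith("password ") for s in subs):
            findings.append(("l2tp-tunnel-secret", top.split()[1]))
        for s in subs:  # credentials stored in cleartext (type 0)
            if re.search(r"\bpassword 0 \S", s):
                findings.append(("cleartext-credential", top))
    # IKE pre-shared keys live in crypto commands, never under l2tp-class
    if not any(re.match(r"crypto (isakmp key|keyring|ikev2 keyring)\b", t) for t in sec):
        findings.append(("no-ike-psk", None))
    if not any(re.match(r"crypto (map|ipsec)\b", t) for t in sec):
        findings.append(("no-ipsec-policy", None))
    return findings

if __name__ == "__main__":
    for code, where in audit(SAMPLE):
        print(code, where or "")
```

On the sample it reports an L2TP tunnel secret, a cleartext PPP credential, and the absence of both an IKE pre-shared key and an IPsec policy, which means the L2TP session would be neither authenticated at the IKE layer nor encrypted.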
2 Replies

leechap
Level 1
Does nobody have any ideas? Is this a particularly unusual setup? Or is it just not obvious what might be wrong?

dasdsad
Level 1

Hey,

Did you manage to get it working? I have the same problem.