05-12-2018 07:24 AM - edited 03-12-2019 05:17 AM
Hello,
Please forgive my rather limited knowledge of Cisco devices. It all remains fairly new to me. I've exhausted many hours on what is most likely a simple oversight somewhere on my part, so hopefully someone can enlighten me.
I'm trying to configure a Cisco 891 router as a VPN remote, connecting via my ISP with the NordVPN service. NordVPN seem to offer most of the main protocols, so I've been trying to set up through L2TP/IPSec, for which they provide the following settings:
Peer: uk58.nordvpn.com
Credentials: NordVPN Username and Password
PPP Authentication to PAP/CHAP/MS-CHAP/MS-CHAPv2;
VJ Compression to On;
Pre-Shared Key under IKE Authentication Method. The key is: nordvpn
Gi0 on the 891 is connected to a port on my ISP-provided router, which, unfortunately, I cannot access to adjust, so hopefully it's nothing getting blocked there. I can get a VPN on my phone, but I guess it's likely using the OpenVPN protocol.
I've tried getting a connection through VPDN, EzVPN and now L2TP with a Virtual-PPP1 interface (config below). I've referred to numerous posts here to get to where I am, but when I try to connect I get the error: "Tunnel auth failed for mismatch". I can think of a number of things that could be wrong or that I've messed up. Maybe there is a much better way of doing this, or maybe I'm missing something simple that's preventing my current setup from authenticating - either way, I'd appreciate any guidance.
Thanks - Lee.
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
enable secret 5 *****
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp VPDN_AUTH local
aaa authorization exec default local
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
ip dhcp excluded-address 192.168.0.1 192.168.0.255
!
ip dhcp pool LAN-DHCP
 import all
 network 192.168.0.0 255.255.254.0
 default-router 192.168.0.1
 dns-server 8.8.8.8 8.8.4.4
 domain-name local.lnm
!
ip domain name LAN
ip cef
no ipv6 cef
l2tp-class NordL2TPclass
 hidden
 authentication
 password nordvpn
!
multilink bundle-name authenticated
vpdn enable
vpdn multihop
!
license udi pid CISCO891-K9 sn ******
!
username lee privilege 15 secret 5 *******
username remote password 0 *********
!
pseudowire-class NordPWclass
 encapsulation l2tpv2
 protocol l2tpv2 NordL2TPclass
 ip local interface GigabitEthernet0
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface FastEthernet5
 no ip address
 shutdown
!
interface FastEthernet6
 no ip address
 shutdown
!
interface FastEthernet7
 no ip address
 shutdown
!
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 description INTERNET
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-PPP1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 no peer neighbor-route
 ppp authentication pap chap callout
 ppp chap hostname NORD-USERNAME
 ppp chap password 0 NORD-PASSWORD
 ppp pap sent-username NORD-USERNAME password 0 NORD-PASSWORD
 no cdp enable
 pseudowire 185.38.150.117 1 pw-class NordPWclass
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan100
 description USER DEVICES
 ip address 192.168.0.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list LAN-IP-ACL interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.254 254
ip route 0.0.0.0 0.0.0.0 192.168.10.254 254
ip route 185.38.150.117 255.255.255.255 GigabitEthernet0 192.168.10.254
ip route 185.38.150.117 255.255.255.255 GigabitEthernet0 dhcp
!
ip access-list standard LAN-IP-ACL
 permit 192.168.0.0 0.0.1.255
!
ip access-list extended NAT
 deny ip any host 185.38.150.117
 permit ip any any
!
route-map PERFORM-NAT permit 10
 match ip address NAT
!
control-plane
!
mgcp profile default
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0
 password *******
 transport input all
line vty 1
 exec-timeout 60 0
 password *******
 transport input all
line vty 2 4
 password *******
 transport input all
!
end
05-17-2018 08:37 AM
07-29-2018 06:08 AM
Hey,
Did you manage to get it working? I have the same problem.