Adding L2TP 'functionality' to my existing IPSEC config; IOS 12.4, 1811 ISR.

RvdKraats
Level 1

Hi All,

My IPSec config is working perfectly, but now I want to add VPN connectivity for a few devices that don't support Cisco's IPSec well.

I've tried Anyconnect/WebVPN SSL, but can't get it to work after more than a week of tinkering, so instead I'd like to try and add L2TP with IPSec functionality to my existing config.

The current IPSec config builds a full VPN tunnel to my ISR, no split tunnel; remote clients get all their webpages through the ISR.

If I look at L2TP examples I notice that a lot of stuff that the L2TP tunnel needs (IPSec-wise) is already there, but I'm having a hard time just adding the lines that just use the existing IPSec config and 'bolt on' the L2TP functionality.

Does someone know what I need to add to make this happen?

Here's my config:

===================================================


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco_1811
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 <password>
enable password <password>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_authen_list local
aaa authorization exec default local
aaa authorization network vpn_author_list local
!
!
aaa session-id common
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
ip dhcp excluded-address 192.168.0.21 192.168.0.254
!
ip dhcp pool Subnet_0.1
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name home.nl
!
!
ip cef
ip domain name home.nl
no ip igmp snooping
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
no virtual-template subinterface
!
!
username admin privilege 15 secret 5 <password>
username vpn secret 5 <password>
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn_group
key <key>
dns 192.168.0.1
pool vpn_address_pool
max-users 5
netmask 255.255.255.0
crypto isakmp profile vpn_isakmp_profile
match identity group vpn_group
client authentication list vpn_authen_list
isakmp authorization list vpn_author_list
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set vpn_ipsec_transform esp-aes esp-sha-hmac
!
crypto ipsec profile vpn_ipsec_profile
set transform-set vpn_ipsec_transform
set isakmp-profile vpn_isakmp_profile
!
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
bridge irb
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0.4
description Digital TV VLAN
encapsulation dot1Q 4
bridge-group 4
bridge-group 4 spanning-disabled
!
interface FastEthernet0.6
description Internet VLAN
encapsulation dot1Q 6
pppoe enable group global
pppoe-client dial-pool-number 6
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet2
description Cisco Access Point port
switchport access vlan 6
no cdp enable
!
interface FastEthernet3
description Upstairs subnet port
switchport access vlan 6
no cdp enable
!
interface FastEthernet4
description Livingroom port
switchport access vlan 6
no cdp enable
!
interface FastEthernet5
description Digital TV port
switchport access vlan 4
no cdp enable
spanning-tree portfast
!
interface FastEthernet6
no cdp enable
!
interface FastEthernet7
no cdp enable
!
interface FastEthernet8
no cdp enable
!
interface FastEthernet9
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan6
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile vpn_ipsec_profile
!
interface Vlan1
no ip address
!
interface Vlan4
no ip address
ip flow ingress
ip flow egress
no ip route-cache cef
no ip route-cache
bridge-group 4
bridge-group 4 spanning-disabled
!
interface Vlan6
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
shutdown
!
interface Dialer0
description PPPoE connection
mtu 1492
ip address negotiated
ip access-group block_external_service_requests in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 6
dialer-group 6
no cdp enable
ppp authentication pap callin
ppp pap sent-username <user>@<provider> password 0 <password>
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp route default
ppp ipcp address accept
!
ip local pool vpn_address_pool 192.168.2.1 192.168.2.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.0.2
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 6 interface Dialer0 overload
!
ip access-list extended block_external_service_requests
deny udp any any eq domain
deny tcp any any eq domain
deny tcp any any eq 22
permit ip any any
!
access-list 6 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 6 permit 192.168.2.0 0.0.0.255
access-list 6 deny any
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password password
transport input ssh
!
no process cpu extended
no process cpu autoprofile hog
end

=======================================

5 Replies

JP Miranda Z
Cisco Employee (Accepted Solution)

Hi RvdKraats,

In this case L2TP is going to require a transform set on transport mode in order to work, right now you have a transform set in tunnel mode which is the default, you can use the following guide to configure it:

https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8

Keep in mind you are going to need a new crypto isakmp client configuration since you can only have one transform set per ipsec profile.

Hope this info helps!!

Rate if helps you!! 

-JP-

Hi JP,

Appreciate your reply!

I'm reading up on the article.

What I'd like to do is use as much as possible of the existing config...I don't care if the L2TP user uses the same VPN identity and password, uses the same IP pool, etc.

The part I find difficult is how to add and 'shape' the additional info into the config.

For instance, instead of 'crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0', could I add another 'crypto isakmp client configuration group vpn_l2tp_group' block and add a key and additional code in there, or won't that work?

AFAIK it looks like I need another:

- crypto isakmp policy

- crypto isakmp client configuration group

- crypto isakmp profile

- another virtual-template

- crypto ipsec transform-set

Is that correct?

Hi RvdKraats,

Unfortunately you can't specify the l2tp protocol on a client configuration group, so the L2TP is going to require a completely different configuration than your IPSEC client.

Hope this info helps!!

Rate if helps you!!

-JP-

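Putting JP's two points together (a transform set in transport mode, and a separate ISAKMP/IPsec path because a client configuration group cannot carry L2TP), the fragment below is the kind of L2TP/IPsec addition that would sit next to the posted config. It is an added example written for this page, not JP's reply, not Cisco's published guide and not something the thread tested. The names L2TP_*, l2tp_address_pool, Virtual-Template2, l2tp_user, the pool 192.168.3.0/24, the MSS value and the placeholders <psk> and <l2tp-password> are assumptions; which ISAKMP proposals a given client offers is also an assumption and must be checked against the client. Coexistence with the existing DVTI on Virtual-Template1 is untested here (the thread ended with the Cisco-client IPsec config removed).

```cisco
! --- Added example: L2TP/IPsec remote access next to the posted config ---
! Assumed names: L2TP_*, l2tp_address_pool, Virtual-Template2, l2tp_user,
! <psk>, <l2tp-password>; none of these are in the original post.
!
! PPP needs its own AAA method list under "aaa new-model"; the existing
! lists only cover login, exec and network authorization.
aaa authentication ppp default local
!
! MS-CHAPv2 requires the router to know the cleartext password, so this
! account must use "password", not "secret". The existing "username vpn
! secret" account cannot be used for MS-CHAPv2. Turn on
! "service password-encryption" so it is at least stored as type 7.
username l2tp_user password 0 <l2tp-password>
!
! Native clients (Windows, macOS/iOS, Android) use main mode with an
! IP-address identity and no XAUTH, so they never match
! "match identity group vpn_group". A wildcard pre-shared key with
! no-xauth catches them; the Cisco client keeps using the key in vpn_group.
crypto isakmp key <psk> address 0.0.0.0 0.0.0.0 no-xauth
!
! Phase 1 policy for what those clients propose (assumed: AES-256/SHA1/DH2;
! a client that only offers 3DES needs an extra policy with "encr 3des").
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! The key difference from the posted config: L2TP/IPsec needs transport
! mode. vpn_ipsec_transform is tunnel mode (the default) and an IPsec
! profile holds one transform set, so these are separate sets.
crypto ipsec transform-set L2TP_AES256 esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP_AES128 esp-aes esp-sha-hmac
 mode transport
!
! Dynamic crypto map: the client supplies the proxy identity (its own
! address, UDP 1701), so no "match address" entry is needed.
crypto dynamic-map L2TP_DYN 10
 set transform-set L2TP_AES256 L2TP_AES128
!
crypto map L2TP_MAP 10 ipsec-isakmp dynamic L2TP_DYN
!
! L2TP listener: accept tunnels from any peer and terminate them on a PPP
! virtual-template. L2TP tunnel authentication is off because the native
! clients do not do it; the peer was already authenticated by IPsec.
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
! PPP side, separate from Virtual-Template1 (which is "type tunnel" for the
! DVTI). A new pool keeps the NAT ACL readable; "ip nat inside" gives the
! same no-split-tunnel behaviour the post describes for the Cisco client.
ip local pool l2tp_address_pool 192.168.3.1 192.168.3.10
!
interface Virtual-Template2
 ip unnumbered Vlan6
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 peer default ip address pool l2tp_address_pool
 ppp authentication ms-chap-v2
!
! Bind the crypto map to the Internet-facing interface.
interface Dialer0
 crypto map L2TP_MAP
!
! A standard numbered ACL appends new lines after "deny any", so rebuild
! access-list 6 with the new pool in front of the deny.
no access-list 6
access-list 6 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.1.0 0.0.0.255
access-list 6 permit 192.168.2.0 0.0.0.255
access-list 6 permit 192.168.3.0 0.0.0.255
access-list 6 deny any
```

Paste the ACL rebuild as one block so "ip nat inside source list 6" is not left without its list for longer than necessary. The inbound ACL block_external_service_requests already lets UDP 500 and 4500 through (it only denies DNS and port 22), and UDP 1701 only has to be reachable inside the IPsec SA. To verify, "show crypto isakmp sa" should show a QM_IDLE entry for the client's public address, "show crypto ipsec sa" should report transport mode on that SA, and "show vpdn session" should list the L2TP session once PPP is up; if phase 1 never completes, "debug crypto isakmp" shows which proposal the client sent.
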
Hi JP,

Seems like it's better to remove the IPSec config altogether, and make a L2TP config from scratch then. I'll try that on an older 871 that I have laying around here.

Thanks so far!

Rene.

Since I've noticed that the L2TP solution works with all my devices without any client to install, I'll remove IPSEC and focus on L2TP/IPSEC.

Thanks to JP for the help!