07-18-2011 02:08 PM
Hello,
I think I'm close to a solution but there is so much info about l2tp that confusion has set in and I can't quite lock it away.
Basically we have a Cisco 877 located at our site and the 3rd party we need to connect to has provided the following l2tp info (note the 3rd party couldn't tell me whether pap or chap)
- Destination IP (LNS)
- username
- user password
- l2tp key
I have the config below and the l2tp tunnel comes up for about 5sec and then drops and doesn't pass traffic. I've tested the l2tp settings on my ipad and get a nailed up vpn no problem.
It does not appear to get to PPP authentication. Any pointers greatly appreciated.
Thanks in advance
D
l2tp-class l2tpclass1
 hidden
 authentication
 password "l2tp key"
pseudowire-class pwclass1
 encapsulation l2tpv2
 protocol l2tpv2 l2tpclass1
 ip local interface ATM0.1
interface Virtual-PPP1
 ip address negotiated
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname "username"
 ppp chap password 0 "userpassword"
 ppp pap sent-username "username" password 0 "user password"
 pseudowire "Destination ip" 1 pw-class pwclass1
ip route 172.16.X.0 255.255.255.0 Virtual-PPP1
ip access-list 1 permit any
I get below for about 6 seconds and then drops and restarts the session
LocID RemID Remote Name State Remote Address Port Sessions L2TP Class/ VPDN Group
20148 0 wsccrp "Dest IP" 1701 1 pwclass1
LocID RemID TunID Username, Intf/ State Last Chg Uniq ID
Vcid,Circuit
26 0 0148 1, Vp1 wt-cc 00:00:02 5
debug l2tp all
.Jul 18 21:03:01.885: L2X 6:_____:_____:
.Jul 18 21:03:01.885: L2X 6:_____:_____: APP->L2TP: Session reopen,
.Jul 18 21:03:01.885: L2X 6:_____:_____: sock 0x87000003
.Jul 18 21:03:01.885: L2X 6:_____:_____: serv 0x00000000
.Jul 18 21:03:01.885: L2X 6:_____:_____: data 0x848571A0[92]
.Jul 18 21:03:01.885: L2X 6:_____:_____:
.Jul 18 21:03:01.885: L2TP 6:_____:_____: Create session
.Jul 18 21:03:01.885: L2TP 6:_____:_____: App type set to XCONNECT
.Jul 18 21:03:01.885: L2TP 6:_____:_____: Need cc version: V2
.Jul 18 21:03:01.885: L2TP 6:_____:_____: Session classname pwclass1
.Jul 18 21:03:01.885: L2TP 6:_____:_____: L2TPoUDP session needed between
.Jul 18 21:03:01.885: L2TP 6:_____:_____: Src Address:64584<->Dest Address:33091
.Jul 18 21:03:01.885: L2TP 6:_____:_____: Using ICRQ FSM
.Jul 18 21:03:01.885: L2TP 6:_____:_____: remote ip set to Dest Address
.Jul 18 21:03:01.885: L2TP 6:_____:_____: local ip set to Src Address
.Jul 18 21:03:01.885: L2TP 6:_____:_____: no cookies enabled
.Jul 18 21:03:01.889: L2TP 6:_____:_____: FSM-Sn ev App-Conn
.Jul 18 21:03:01.889: L2TP 6:_____:_____: FSM-Sn Idle->Wt-CC
.Jul 18 21:03:01.889: L2TP 6:_____:_____: FSM-Sn do App-Connect
.Jul 18 21:03:01.889: L2TP 6:_____:_____: Find or create cc for session
.Jul 18 21:03:01.889: L2TP _____:_____: Find cc between
.Jul 18 21:03:01.889: L2TP _____:_____: Src Address<->Dest Address
.Jul 18 21:03:01.889: L2TP _____:_____: with class: pwclass1
.Jul 18 21:03:01.889: L2TP _____:_____: and IP proto: L2TPoUDP
.Jul 18 21:03:01.889: L2TP _____:_____: and framing type: none
.Jul 18 21:03:01.889: L2TP _____:_____: and bearer type: none
.Jul 18 21:03:01.889: L2TP _____:_____: and version: V2
.Jul 18 21:03:01.889: L2TP _____:_____: Need to instigate control channel
.Jul 18 21:03:01.889: L2X tnl 4173 :_____: Create logical tunnel
.Jul 18 21:03:01.889: L2TP tnl 4173 :_____: Create tunnel
.Jul 18 21:03:01.889: L2TP tnl 4173 :_____: version set to V2
.Jul 18 21:03:01.889: L2TP tnl 4173 :_____: remote ip set to Dest Address
.Jul 18 21:03:01.889: L2TP tnl 4173 :_____: local ip set to Src Address
.Jul 18 21:03:01.889: L2TP tnl 4173 :15901: class name pwclass1
.Jul 18 21:03:01.889: L2TP tnl 4173 :15901: FSM-CC ev Session-Conn
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: FSM-CC Idle->Wt-Sock
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: FSM-CC do Session-Conn-Sock
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: Session count now 1
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: XCONNECT Session count now 1
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: Session PMTU count now 1
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: Open sock Src Address:1701->Dest Address:1701
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: FSM-CC ev Sock-Ready
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: FSM-CC Wt-Sock->Wt-SCCRP
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: FSM-CC do Tx-SCCRQ
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901:
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: O SCCRQ to Dest Address
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: IETF v2:
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: Protocol Version 1, Revision 0
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: Framing Cap none(0x0)
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: Tie Breaker
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: 7357922076840686660
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: Firmware Ver 0x1130
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: Hostname "R01"
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: Vendor Name
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: "Cisco Systems, Inc."
.Jul 18 21:03:01.897: L2TP tnl 4173 :15901: Assigned Tunnel I 15901
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: Rx Window Size 256
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: Challenge [16]
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: 0xF16995C7D15D82E3A4E58561E30A3725
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: PPPoE Relay Response Capable
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: PPPoE Relay Forward Capable
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: Cisco v2:
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: PPPoE Relay Forward Capable
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901: PPPoE Relay Response Capable
.Jul 18 21:03:01.901: L2TP tnl 4173 :15901:
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : Session attached
.Jul 18 21:03:01.905: L2TP 6:4173 :79 :
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : APP->L2TP: setup dataplane,
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : sock 0x87000003
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : serv 0x00000000
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : no serv hdl yet; use socket
.Jul 18 21:03:01.905: L2TP 6:4173 :79 :
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : FSM-Sn ev DP-Setup
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : FSM-Sn in Wt-CC
.Jul 18 21:03:01.905: L2TP 6:4173 :79 : FSM-Sn do Ignore-DP-Setup
.Jul 18 21:03:02.905: L2TP tnl 4173 :15901: O Resend SCCRQ, flg TLS, ver 2, len 161
.Jul 18 21:03:04.905: L2TP tnl 4173 :15901: O Resend SCCRQ, flg TLS, ver 2, len 161
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901:
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Shutting down tunnel
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: With 1 session
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Result Code
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Request to clear control connection
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Error Code
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Vendor specific
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Vendor Error
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Tunnel shut
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: Optional Message
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: "Too many retransmits to Dest Address"
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901:
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: FSM-CC ev Shut
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: FSM-CC Wt-SCCRP->Wt-STOPACK
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: FSM-CC do Tx-StopCCN-Error
.Jul 18 21:03:08.903: L2TP 6:4173 :79 : FSM-Sn ev CC-Down
.Jul 18 21:03:08.903: L2TP 6:4173 :79 : FSM-Sn Wt-CC->Idle
.Jul 18 21:03:08.903: L2TP 6:4173 :79 : FSM-Sn do CC-Down
.Jul 18 21:03:08.903: L2TP 6:4173 :79 :
.Jul 18 21:03:08.903: L2TP 6:4173 :79 : Shutting down session
.Jul 18 21:03:08.903: L2TP 6:4173 :79 : Result Code
.Jul 18 21:03:08.903: L2TP 6:4173 :79 : Call disconnected, refer to error msg (2)
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Error Code
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Vendor specific (6)
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Vendor Error
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Tunnel shut (1)
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Optional Message
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : "control channel down"
.Jul 18 21:03:08.907: L2TP 6:4173 :79 :
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : FSM-Sn ev Shut
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : FSM-Sn Idle->Dead
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : FSM-Sn do Destroy
.Jul 18 21:03:08.907: L2TP 6:4173 :79 :
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : APP<-L2TP: disconnect
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : sock 0x87000003
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : serv 0x00001002
.Jul 18 21:03:08.907: L2TP 6:4173 :79 :
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Session down
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Src Address<->Dest Address
.Jul 18 21:03:08.907: L2TP 6:4173 :79 : Destroying session
.Jul 18 21:03:08.907: L2TP tnl 4173 :15901: FSM-CC ev Session-Disc
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: FSM-CC in Wt-STOPACK
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: FSM-CC do Session-Disc-Shut
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: Session count now 0
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: XCONNECT Session count now 0
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: Session PMTU count now 0
.Jul 18 21:03:08.911: L2TP 6:_____:_____: Session detached
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901:
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: O StopCCN to Dest Address
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: IETF v2:
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: Result Code
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: Request to clear control connection(2)
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: Error code
.Jul 18 21:03:08.911: L2TP tnl 4173 :15901: Vendor specific(6)
.Jul 18 21:03:08.915: L2TP tnl 4173 :15901: Optional msg
.Jul 18 21:03:08.915: L2TP tnl 4173 :15901: "Too many retransmits to Dest Address"
.Jul 18 21:03:08.915: L2TP tnl 4173 :15901: Assigned Tunnel I 15901
.Jul 18 21:03:08.915: L2TP tnl 4173 :15901: Cisco v2:
.Jul 18 21:03:08.915: L2TP tnl 4173 :15901: Vendor Error Code
.Jul 18 21:03:08.915: L2TP tnl 4173 :15901: Error code
.Jul 18 21:03:08.915: L2TP tnl 4173 :15901: Tunnel shut(1)
.Jul 18 21:03:08.919: L2TP tnl 4173 :15901:
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: FSM-CC ev Shut
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: FSM-CC in Wt-STOPACK
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: FSM-CC do Shutnow
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: FSM-CC ev Shut-Comp
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: FSM-CC Wt-STOPACK->Dead
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: FSM-CC do Shutdown-Completed
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: Control channel down
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: Src Address<->Dest Address
.Jul 18 21:03:13.918: L2TP tnl 4173 :15901: Destroying tunnel
.Jul 18 21:03:13.918: L2X tnl 4173 :_____: Destroying logical tunnel
08-26-2011 01:43 PM
Hi David,
Is the remote's IP address ("Destination ip") being specified within a static route and pointing it via ATM0.1? We are sending O SCCRQ (Start-Control-Connection-Request) to the remote destination but get no Start-Control-Connection-Reply (SCCRP) back; this times out and brings the tunnel down.
Regards.
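Added example (not part of any post in this thread): a small Python triage script that reads `debug l2tp all` output in the line format shown in the first post and reports whether the control connection ever got an SCCRP back. The sample lines are constructed from that format, and the `I SCCRP` form for an inbound reply is an assumption, since the thread's log contains only outbound (`O`) messages.

```python
import re

# Constructed sample, modelled on the debug lines in the first post.
SAMPLE = """\
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: FSM-CC Wt-Sock->Wt-SCCRP
.Jul 18 21:03:01.893: L2TP tnl 4173 :15901: O SCCRQ to Dest Address
.Jul 18 21:03:02.905: L2TP tnl 4173 :15901: O Resend SCCRQ, flg TLS, ver 2, len 161
.Jul 18 21:03:04.905: L2TP tnl 4173 :15901: O Resend SCCRQ, flg TLS, ver 2, len 161
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901:     "Too many retransmits to Dest Address"
.Jul 18 21:03:08.903: L2TP tnl 4173 :15901: FSM-CC Wt-SCCRP->Wt-STOPACK
"""

# timestamp, "L2TP tnl <local id> :<assigned id>:", then the message body
LINE = re.compile(r"^\.?\w{3}\s+\d+\s+[\d:.]+:\s+L2(?:TP|X)\s+tnl\s+(\d+)\s*:\s*\S*:\s*(.*)$")
TRANSITION = re.compile(r"FSM-CC\s+(\S+)->(\S+)")
MESSAGE = re.compile(r"^(O|I)\s+(Resend\s+)?(\w+)")  # "I" = inbound (assumed form)

def analyse(log):
    """Return per-tunnel control-connection facts keyed by local tunnel id."""
    tunnels = {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # session-level ("L2TP 6:...") and unrelated lines are skipped
        t = tunnels.setdefault(m.group(1), {"state": "Idle", "sccrq_tx": 0,
                                            "sccrp_rx": False, "reason": None})
        body = m.group(2).strip()
        if (tr := TRANSITION.search(body)):
            t["state"] = tr.group(2)            # last FSM-CC state reached
        elif (msg := MESSAGE.match(body)):
            if msg.group(1) == "O" and msg.group(3) == "SCCRQ":
                t["sccrq_tx"] += 1              # first send plus every resend
            elif msg.group(1) == "I" and msg.group(3) == "SCCRP":
                t["sccrp_rx"] = True
        elif body.startswith('"'):
            t["reason"] = body.strip('"')       # quoted Optional Message text
    return tunnels

def diagnose(t):
    """Classify where the control connection stalled."""
    if t["sccrq_tx"] == 0:
        return "no SCCRQ sent: tunnel was never initiated"
    if not t["sccrp_rx"]:
        return "no SCCRP after %d SCCRQ: check the route and UDP 1701 path to the LNS" % t["sccrq_tx"]
    return "SCCRP received: look past control-connection start"

if __name__ == "__main__":
    for tid, t in analyse(SAMPLE).items():
        print(tid, t["state"], t["reason"], "->", diagnose(t))
```
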
03-12-2012 08:29 PM
Hi David,
I sent you a private message. Just wondering if you found the solution to your post...I am having the EXACT same issue.
Thanks again for your time.
Jason
03-13-2012 06:09 AM
Hi there,
I found this cisco documentation for you. You might want to check it as reference against your config.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html#wp1065917
thanks
Rizwan Rafeek
03-13-2012 10:19 AM
Hi,
Thx for the link. I have gone thru it already. That's why I'm curious if anyone has a 'working' solution for this.
Thanks.
Jason
03-13-2012 10:30 AM
Please try this.
Under virtual interface, "no peer neighbor-route".
Let me know, if that helps
thanks
03-13-2012 10:41 AM
Hi,
Ok. Will try it. What about the earlier post from Juan Perez mentioning a static route? Needed? As mentioned, my config is virtually identical as the example given.
Thx for the help
03-13-2012 11:11 AM
I believe there is already a static route in place, as per davidfield's very first post.
thanks
03-13-2012 11:52 AM
Hi,
Okay, I will try it tonite. Any other thoughts on why the tunnel won't come up? My debug l2tp will be identical to what the original post was.
Thx
03-15-2012 10:43 AM
Hi,
I am having trouble getting the static route going. Can you give me an example of what Juan Perez was implying when stating that a static route should be pointing to the destination ip? A sample would be great....for example, my destination ip is "216.168.3.16"
Thanks.
03-15-2012 10:53 AM
ip route 216.168.3.16 255.255.255.255 ATM0.1
I hope this helps.
03-15-2012 11:28 AM
Hi,
Thanks. The destination ip address is the VPN server I am logging into, just to clarify. From there, the vpn server-service will give me an ip. So to clarify what is going on here, I wanted to initiate an l2tp tunnel using a vpn service to acquire a US ip. So, I will have a dhcp ip given to me from my local isp. The vpn service, for the l2tp tunnel, once I log in will pass thru dhcp a US ip address to the Virtual-PPP1 interface. So, are we missing something in the l2tp setup at the top OR is the route not set correctly to reflect the dhcp IP that will be assigned to the tunnel? The debug logs are the same as what was generated in the above example.
Maybe this gives a better clarification of what is trying to be accomplished.
Once again, THANKS for the insight and help!
Jason
03-15-2012 06:05 PM
Your "interface Virtual-PPP1" will become your routing virtual interface.
Yes, this "interface Virtual-PPP1" will have a dynamic address assigned by your ISP.
Please refer to the thread below.
https://supportforums.cisco.com/thread/2084653
Thanks
Rizwan Rafeek