09-12-2015 11:17 AM
I have a problem after configuring L2TP on a Cisco 1841, but it cannot work. I have tried every solution but it is still the same. Please see the config below and help me check it for config, NAT or routing mistakes.
Thank you so much.
#################################################################
Router_MAN-WAN#sh run
Router_MAN-WAN#sh running-config
Load for five secs: 7%/0%; one minute: 5%; five minutes: 7%
Time source is NTP, 23:19:32.403 ict Sat Sep 12 2015
Building configuration...
Current configuration : 9051 bytes
!
! Last configuration change at 23:09:29 ict Sat Sep 12 2015
! NVRAM config last updated at 22:37:54 ict Sat Sep 12 2015 by admin
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router_MAN-WAN
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable password 7 01100F175804
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
aaa session-id common
clock timezone ict 7
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
!
ip dhcp pool VLAN100
network 192.168.20.0 255.255.255.0
domain-name XXXXX.wifi
default-router 192.168.20.1
dns-server XXXX.XXXX
lease 7
!
ip dhcp pool VLAN200
network 192.30.1.0 255.255.255.0
domain-name YYYYY.local
dns-server XXXXX.XXXX
default-router 192.30.1.1
lease 7
!
!
ip cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
username admin password 7 13040D01135D56796A
username man secret 5 XXXX
username supuer privilege 15 secret 5 XXXXX
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key YYYYZZZZ! address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
!
interface Loopback1
description loopback for IPsec-pool
ip address 1.1.1.11 255.255.255.255
!
interface FastEthernet0/0
description MetroEthernet Link =-
ip address 58.9.110.23 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip mroute-cache
load-interval 30
speed auto
full-duplex
crypto map outside_map
!
interface FastEthernet0/1
description CISCO C2960
ip address 192.31.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
load-interval 30
speed auto
full-duplex
arp timeout 1800
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool l2tp-pool 1.1.1.1 1.1.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface FastEthernet0/0 overload
!
no logging trap
access-list 100 permit udp any 1.1.1.0 0.0.0.255 eq isakmp
access-list 100 permit esp any host 1.1.1.0
access-list 100 permit ip 192.30.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 100 permit ip 192.31.2.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 100 permit ip 192.31.1.0 0.0.0.255 any
access-list 100 permit udp any 1.1.1.0 0.0.0.255 eq non500-isakmp
access-list 100 permit ip 1.1.1.0 0.0.0.255 any
!
!
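An added example, not part of the original thread and not Cisco tooling: a small Python auditor that reads an IOS running-config and flags the configuration classes visible in the post above. The config it runs on is a constructed excerpt modelled on that post (interface roles, vpdn-group, NAT rule, ACL 100 and IKE policy kept in the same shape; the public address replaced with 203.0.113.23 from the RFC 5737 range, the pre-shared key and the type-7 strings replaced with placeholders). The rule wording and the function names `parse_interfaces` and `audit_ios_config` are this example's own. Two of its findings bear directly on the NAT question asked: `ip nat inside source list 100 ...` is configured but both FastEthernet interfaces are `ip nat outside`, and IOS inside-source NAT only translates packets that enter an `ip nat inside` interface and leave an `ip nat outside` one, so nothing is translated; and because ACLs are evaluated first-match, `access-list 100 permit ip any any` both translates every source, the 1.1.1.x L2TP pool included, and makes the entries listed after it unreachable. One caveat on the IKE finding: a key bound to `address 0.0.0.0 0.0.0.0` is the usual way to accept roaming L2TP/IPsec clients, so the auditor reports what the design accepts from any peer rather than a misconfiguration by itself.

```python
"""Minimal Cisco IOS running-config auditor (added example for this thread, not Cisco tooling).
Flags: every interface 'ip nat outside' and none 'ip nat inside', a NAT ACL containing
'permit ip any any', a wildcard IKE pre-shared key, L2TP tunnel authentication disabled,
reversible type-7 passwords and a plaintext HTTP server. Rule wording is this example's own."""
import re

# Constructed excerpt modelled on the posted config: the public address is replaced with
# 203.0.113.23 (RFC 5737); the pre-shared key and the type-7 strings are placeholders.
SAMPLE_CONFIG = """\
enable password 7 0123456789AB
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username admin password 7 0123456789ABCDEF
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
interface FastEthernet0/0
 ip address 203.0.113.23 255.255.255.248
 ip nat outside
 crypto map outside_map
!
interface FastEthernet0/1
 ip address 192.31.1.254 255.255.255.0
 ip nat outside
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip http server
no ip http secure-server
access-list 100 permit udp any 1.1.1.0 0.0.0.255 eq isakmp
access-list 100 permit ip 192.30.1.0 0.0.0.255 any
access-list 100 permit ip any any
access-list 100 permit ip 192.31.1.0 0.0.0.255 any
access-list 100 permit ip 1.1.1.0 0.0.0.255 any
"""


def parse_interfaces(lines):
    """Map each 'interface X' block to its commands; IOS closes a block with a '!' line."""
    ifaces, current = {}, None
    for line in lines:
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None and line.strip():
            ifaces[current].append(line.strip())
    return ifaces


def audit_ios_config(text):
    """Return a list of findings for an IOS running-config given as text."""
    lines = [l.rstrip() for l in text.splitlines()]
    stripped = {l.strip() for l in lines}
    ifaces = parse_interfaces(lines)
    findings = []
    # 1. Inside-source NAT fires only for packets entering an inside interface and leaving an outside one.
    nat_rules = [l for l in lines if l.startswith("ip nat inside source list ")]
    inside = [n for n, cmds in ifaces.items() if "ip nat inside" in cmds]
    outside = [n for n, cmds in ifaces.items() if "ip nat outside" in cmds]
    if nat_rules and not inside:
        findings.append(f"NAT: {len(nat_rules)} 'ip nat inside source' rule(s) but no interface is "
                        f"'ip nat inside' (outside: {', '.join(outside)}); LAN traffic is never translated")
    # 2. ACLs are first-match: 'permit ip any any' translates everything and shadows what follows.
    for rule in nat_rules:
        acl = rule.split()[5]
        entries = [l.split()[2:] for l in lines if l.startswith(f"access-list {acl} ")]
        entries = [e for e in entries if e and e[0] in ("permit", "deny")]
        for i, e in enumerate(entries):
            if e == ["permit", "ip", "any", "any"]:
                findings.append(f"NAT ACL {acl}: 'permit ip any any' translates every source, VPN pool "
                                f"included, and leaves {len(entries) - i - 1} later entries unreachable")
                break
    # 3. IKE: a key bound to 0.0.0.0 0.0.0.0 is accepted from any peer; 3DES with DH group 2 is deprecated.
    for l in lines:
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", l):
            findings.append("IKE: wildcard pre-shared key (address 0.0.0.0 0.0.0.0) is accepted from any peer")
    if "encr 3des" in stripped and "group 2" in stripped:
        findings.append("IKE: policy uses 3DES with DH group 2; both are deprecated")
    # 4. L2TP control-channel authentication off: only the IPsec layer authenticates the peer.
    if "no l2tp tunnel authentication" in stripped:
        findings.append("L2TP: tunnel authentication disabled; the peer is authenticated by IPsec only")
    # 5. Type-7 'password' encoding is reversible; 'secret' hashes are not.
    for l in lines:
        if re.match(r"(enable|username \S+) password 7 ", l):
            findings.append(f"Credentials: '{l.split(' 7 ')[0]}' uses reversible type 7 encoding; use 'secret'")
    # 6. Plaintext management plane.
    if "ip http server" in stripped and "no ip http secure-server" in stripped:
        findings.append("Management: plaintext HTTP server enabled while HTTPS is disabled")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_ios_config(SAMPLE_CONFIG)))
```

Running it on the constructed excerpt yields eight findings; on a config with one `ip nat inside` interface and a NAT ACL that permits only the LAN prefix it yields none. The checks are deliberately line-based so they work on pasted `show run` output whose indentation has been lost.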
09-21-2015 08:40 PM
Please share the L2TP and the crypto debugs when you are trying to connect from the client:
debug l2tp all
debug crypto isakmp
deb crypto ipsec
09-23-2015 05:48 PM
Hi pjain2,
Thank you so much, but I have changed the config from L2TP to IPsec, and I have a problem: when connected to the VPN I get an IP address from the VPN pool, but I cannot access the internal network, which is already configured with NAT. Please help me check it.
Thank you so much.
Interface IP-Address OK? Method Status Protocol
Virtual-Template1 XXX.XXX.XXx YES TFTP up down
===================================================================
My config:
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group Test_VPN
key XXXX#@123
dns 123.234.12.22
domain testvpn.vpn
pool test_POOL
acl 102
max-users 3
crypto isakmp profile vpn-ike-profile-1
match identity group Test_VPN
client authentication list vpn-authen_1
isakmp authorization list vpn-group_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
!
!
!
!
!
interface FastEthernet0/0
description -= MetroEthernet
ip address XX.X.XX.zzz 255.255.255.0
ip access-group Inside_Access out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip mroute-cache
load-interval 30
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/1
description -= SWITCH CISCO =-
ip address ZZZ.ZZZ.ZZZZ.ZZZ 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect firewall in
ip virtual-reassembly
load-interval 30
speed auto
full-duplex
no cdp enable
arp timeout 1800
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
ip local pool test_POOL 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source list 102 interface FastEthernet0/0 overload
!
ip access-list extended Inside_Access
permit ip XXXX.CCC.cCC.0 0.0.0.255 any
permit ip CCCC.CCCC.CCCC.0 0.0.0.255 any
permit ip CC.XXX.xxx.0 0.0.0.255 any
permit ip any any
permit ip XXXX.XXX.XXX.0 0.0.0.255 any
deny ip any any
ip access-list extended NAT
deny ip any any
!
no logging trap
access-list 101 remark [Deny NAT for VPN Clients]=-
access-list 101 deny ip XXX.XXX.XX.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip ZZ.Zz.ZZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark -=[Internet NAT Service]=-
access-list 101 permit ip ZZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZZ.ZZZ.X.0 0.0.0.255 any
access-list 102 remark ==[Cisco VPN Users]==
access-list 102 permit ip ZZ.ZZ.ZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip ZZ.ZZZ.ZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
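An added example, not from the thread or from Cisco: the first-match rule that makes `permit ip any any` dangerous in a NAT ACL also applies to the `Inside_Access` list in the post above, where `permit ip any any` comes before the last `permit` and the `deny ip any any`, so those two entries can never match; it is also why the `deny` exemptions in access-list 101 must stay above its `permit` lines, since a `permit ... any` placed first would translate the traffic to the VPN pool before the exemption is reached. The Python below parses Cisco wildcard-mask ACL entries and reports any entry shadowed by an earlier, broader one. Because the post's addresses are masked, the sample ACLs are constructed with RFC 5737 ranges in the same shape as `Inside_Access` and access-list 101, plus a reordered copy of 101 that shows the exemptions going dead. Port qualifiers (`eq`, `range`, ...) are not modelled: an entry carrying one is never treated as covering a later entry. The `Ace` type and function names are this example's own.

```python
"""Cisco ACL shadowing check (added example for this thread, not Cisco tooling).
An ACL is evaluated top-down, first match wins, so an entry whose protocol, source and
destination are all covered by an earlier entry can never be reached. Works on numbered
('access-list N ...') and named extended ACL lines; port qualifiers are not modelled."""
import ipaddress
from dataclasses import dataclass

ALL = 0xFFFFFFFF  # wildcard for 'any': every bit is don't-care


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple   # (address, wildcard) as ints; a wildcard bit of 1 means don't care
    dst: tuple
    ports: bool  # entry carries eq/gt/lt/neq/range, which this check does not compare
    text: str


def parse_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A W'); return ((addr, wild), rest)."""
    if tokens[0] == "any":
        return (0, ALL), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def parse_ace(line):
    """Parse one ACL line; return None for headers, remarks and blank lines."""
    tokens = line.split()
    if not tokens or tokens[0] in ("ip", "!"):
        return None
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    if tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    ports = any(t in ("eq", "gt", "lt", "neq", "range") for t in rest)
    return Ace(action, proto, src, dst, ports, line.strip())


def covers(outer, inner):
    """True if every address matched by inner is also matched by outer."""
    (oa, ow), (ia, iw) = outer, inner
    care = ~ow & ALL  # bits the outer entry actually compares
    return (iw & care) == 0 and (oa & care) == (ia & care)


def shadowed_entries(acl_lines):
    """Return (dead_entry, earlier_entry) text pairs for entries no packet can reach."""
    aces = [a for a in map(parse_ace, acl_lines) if a]
    dead = []
    for i, inner in enumerate(aces):
        for outer in aces[:i]:
            if (outer.proto in ("ip", inner.proto) and not outer.ports
                    and covers(outer.src, inner.src) and covers(outer.dst, inner.dst)):
                dead.append((inner.text, outer.text))
                break
    return dead


# Constructed ACLs in the shape of the posted Inside_Access and access-list 101 (RFC 5737 ranges).
INSIDE_ACCESS = """\
ip access-list extended Inside_Access
 permit ip 192.0.2.0 0.0.0.255 any
 permit ip 198.51.100.0 0.0.0.255 any
 permit ip any any
 permit ip 203.0.113.0 0.0.0.255 any
 deny ip any any
""".splitlines()

NAT_101 = """\
access-list 101 remark deny NAT for VPN clients
access-list 101 deny ip 192.0.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip 198.51.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark Internet NAT service
access-list 101 permit ip 192.0.2.0 0.0.0.255 any
access-list 101 permit ip 198.51.100.0 0.0.0.255 any
""".splitlines()

# The same entries with the exemptions placed after the permits: both denies become dead.
_entries = [l for l in NAT_101 if "remark" not in l]
NAT_101_BAD_ORDER = _entries[2:] + _entries[:2]

if __name__ == "__main__":
    for name, acl in (("Inside_Access", INSIDE_ACCESS), ("101", NAT_101), ("101 reordered", NAT_101_BAD_ORDER)):
        for dead, by in shadowed_entries(acl):
            print(f"{name}: '{dead}' is unreachable, shadowed by '{by}'")
```

On the constructed input, `Inside_Access` reports its last two entries as shadowed by `permit ip any any`, access-list 101 as written reports nothing, and the reordered copy reports both `deny` exemptions as unreachable. The coverage test is a bit-level one: the outer entry covers the inner one when every bit the outer entry compares is also fixed in the inner entry and agrees with it, which handles `host`, `any` and arbitrary (non-contiguous) wildcard masks alike.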
09-23-2015 09:51 PM
Have you added a route for the 192.168.100.0/24 subnet in the internal LAN to point the traffic back to the router?