
L2TP passthrough together with site-to-site IPsec tunnels on Cisco 2921?

aleksa
Level 1

Hi all,

I may have a stupid question, but could you run, in parallel,

  • the existing site-to-site IPsec tunnels and
  • an L2TP passthrough configuration added to them?

In other words, the client already has IPsec site-to-site tunnels, but would need to terminate client VPNs, preferably L2TP/IPsec, on a Windows server behind the router.

The challenge is: the existing IPsec tunnels use UDP 500.

L2TP passthrough would need to port forward (destination NAT) the same UDP 500.

The only way I can see this happening is maybe to use some sort of access list and deny port forwarding of UDP 500 for the static public IP addresses of the already existing IPsec VPN tunnels...

Anyone had experience doing this?

Any configuration examples to recommend?

Many thanks
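The UDP/500 collision the question describes, modelled as an added example that is not from this thread or from Cisco. It assumes, as the question does, that a static port-forward on the router's WAN address is matched before the router's own IKE process sees the packet; the peer addresses, the roaming client address and the inside server `10.0.0.5` are constructed values, and UDP 4500 (NAT-T) and ESP are included as a generalization beyond the UDP 500 the question mentions, because L2TP/IPsec clients behind NAT use them as well.

```python
"""Model of an edge router that both terminates site-to-site IPsec and
port-forwards IKE to an inside L2TP/IPsec server (added example with
constructed addresses; not router code)."""
from dataclasses import dataclass

# Protocol/port pairs the router's own IKE/IPsec stack receives when it
# terminates site-to-site tunnels. UDP 4500 (NAT-T) and ESP (IP protocol 50,
# modelled with port 0) are a generalization beyond the thread's UDP 500.
ROUTER_LISTENERS = {("udp", 500), ("udp", 4500), ("esp", 0)}


@dataclass(frozen=True)
class Packet:
    src: str     # source IP of the inbound packet
    proto: str   # "udp" or "esp"
    dport: int   # destination port (0 for esp)


@dataclass(frozen=True)
class Forward:
    """A static port-forward (destination NAT) to an inside host.

    exclude_sources models an access list attached to the translation that
    denies the forward for the listed sources, which is what the question
    proposes for the static peer addresses of the existing tunnels.
    """
    proto: str
    dport: int
    inside_host: str
    exclude_sources: frozenset = frozenset()


def classify(pkt, peers, forwards):
    """Return where the router delivers an inbound packet.

    Assumption: the static translation is consulted before local delivery,
    so a UDP/500 forward captures a tunnel peer's IKE packets unless that
    peer is excluded from the translation.
    """
    for fw in forwards:
        if (fw.proto, fw.dport) == (pkt.proto, pkt.dport) \
                and pkt.src not in fw.exclude_sources:
            return f"forward:{fw.inside_host}"
    if (pkt.proto, pkt.dport) in ROUTER_LISTENERS and pkt.src in peers:
        return "router"          # terminated by the router's own IKE/IPsec
    return "drop"


def conflicting_forwards(peers, forwards):
    """Pre-deployment check: a forward on a port the router itself listens on
    that does not exclude every known tunnel peer will break those tunnels."""
    return [fw for fw in forwards
            if (fw.proto, fw.dport) in ROUTER_LISTENERS
            and not peers <= fw.exclude_sources]


# Constructed scenario (documentation-range addresses).
PEERS = frozenset({"203.0.113.10", "203.0.113.20"})   # existing site-to-site peers
INSIDE_SERVER = "10.0.0.5"                            # Windows L2TP/IPsec server
ROAMING_CLIENT = "198.51.100.77"                      # a remote client

NAIVE = [Forward("udp", 500, INSIDE_SERVER)]
EXCLUDING_PEERS = [Forward("udp", 500, INSIDE_SERVER, exclude_sources=PEERS)]

if __name__ == "__main__":
    peer_ike = Packet("203.0.113.10", "udp", 500)
    client_ike = Packet(ROAMING_CLIENT, "udp", 500)
    print("naive forward, peer IKE   ->", classify(peer_ike, PEERS, NAIVE))
    print("excluding peers, peer IKE ->", classify(peer_ike, PEERS, EXCLUDING_PEERS))
    print("excluding peers, client   ->", classify(client_ike, PEERS, EXCLUDING_PEERS))
    print("conflicts in naive config ->", conflicting_forwards(PEERS, NAIVE))
```

The exclusion list only protects the peers it names: a tunnel peer added later, or a peer whose address changes, is captured by the forward exactly as in the naive case, which is the fragility behind the advice in the replies that passthrough is not likely to be reliable.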

Accepted Solution

You wouldn't do that.  You would use the router as a firewall.

6 Replies

Philip D'Ath
VIP Alumni

You could terminate both on the Cisco 2921. It is not likely to be reliable (as in, not likely to work) trying to do passthrough.

Hi Philip,

Thanks for getting back.

We considered getting another public IP, assigning it to a loopback interface, doing proxy ARP, and so avoiding the existing tunnels and L2TP passthrough clashing on UDP port 500.

I'm now reading articles about public IPs on loopback...

You could also get a /30 and have it routed to your 2921.  Then plug the server directly into a spare interface on your 2921, and give the server a public IP directly.

Hi Philip,

Possible, but not sure how many people would expose a Windows machine to the Internet on all ports...

Cheers,

Alex

You wouldn't do that.  You would use the router as a firewall.
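What "use the router as a firewall" amounts to for the routed-/30 design suggested above, as an added example that is not from this thread or from Cisco: the server gets its own public address, so the router's IKE on its WAN address no longer competes with it, and an inbound filter on the WAN interface admits only the L2TP/IPsec ports to that address. The addresses are constructed; first match with an implicit deny is the semantics of IOS extended ACLs, but the rule representation here is the example's own, not IOS syntax.

```python
"""First-match packet filter modelling an inbound WAN access list in front
of an L2TP/IPsec server on its own routed public address (added example with
constructed addresses; not IOS configuration)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp", "esp", or "ip" for any protocol
    dst: Optional[str]     # destination IP, None = any
    dport: Optional[int]   # destination port, None = any (or no port, e.g. esp)


@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str
    dport: int = 0


def evaluate(acl, pkt):
    """Return "permit" or "deny": the first matching rule wins, and a packet
    matching no rule is denied (implicit deny at the end of the list)."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if rule.dst is not None and rule.dst != pkt.dst:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"


def reachable(acl, host, services):
    """Which (proto, port) services on host the filter lets through."""
    return [s for s in services if evaluate(acl, Packet(host, *s)) == "permit"]


# Constructed routed /30: router side .1, server side .2.
ROUTER_WAN = "192.0.2.1"
SERVER = "192.0.2.2"

# Only what an L2TP/IPsec client needs reaches the server; everything else
# to that address is dropped, so the host is not exposed "on all ports".
# Plain UDP 1701 is deliberately absent: with L2TP/IPsec the L2TP traffic
# travels inside ESP, so the bare L2TP port need not be reachable.
L2TP_IPSEC_ONLY = [
    Rule("permit", "udp", SERVER, 500),    # IKE
    Rule("permit", "udp", SERVER, 4500),   # NAT-Traversal (IKE and ESP in UDP)
    Rule("permit", "esp", SERVER, None),   # ESP, IP protocol 50
    Rule("deny", "ip", SERVER, None),      # explicit deny for the server address
    # Rules for the router's own site-to-site peers would address ROUTER_WAN,
    # a different host, which is why the two no longer collide on UDP 500.
]

# Constructed list of services a Windows server might be listening on.
SERVICES_ON_WINDOWS = [("udp", 500), ("udp", 4500), ("esp", 0),
                       ("tcp", 3389), ("tcp", 445), ("udp", 1701)]

if __name__ == "__main__":
    print("reachable on server:", reachable(L2TP_IPSEC_ONLY, SERVER, SERVICES_ON_WINDOWS))
```

The filter is stateless, which is enough for the three inbound services the server has to accept; replies for the IKE exchange and the ESP tunnel flow back out on their own, so no return-traffic rule is needed for this direction.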

aleksa
Level 1

!!!!! SOLVED !!!!!!

The actual solution to this problem is described in another article:

https://supportforums.cisco.com/discussion/13261916/l2tpipsec-passthrough-c2921-issues