03-12-2017 03:35 AM - edited 02-21-2020 09:11 PM
Hi all,
I may have a stupid question, but could you run, in parallel,
In other words, the client already has IPSec site-to-site tunnels, but would need to terminate client VPNs, preferably L2TP/IPSec, on a Windows server behind the router.
The challenge is: the existing IPSec tunnels use UDP 500.
L2TP passthrough would need to port forward (destination NAT) the same UDP 500.
The only way I can see this happening is maybe to use some sort of access list and deny port forwarding of UDP 500 for the static public IP addresses of the already existing IPSec VPN tunnels...
Anyone had experience doing this?
Any configuration examples to recommend?
Many thanks
03-12-2017 11:08 PM
You could terminate both on the Cisco 2921. It is not likely to be reliable (as in not likely to work) trying to do pass through.
03-13-2017 12:26 AM
Hi Philip,
thanks for getting back.
We considered getting another public IP, assigning it to a loopback interface, doing proxy-arp and avoiding the existing tunnels and L2TP passthrough clashing on UDP port 500.
I'm now reading articles about public IPs on loopbacks...
03-13-2017 11:00 AM
You could also get a /30 and have it routed to your 2921. Then plug the server directly into a spare interface on your 2921, and give the server a public IP directly.
03-14-2017 04:35 PM
Hi Philip,
possible, but not sure how many people would expose a Windows machine to the Internet on all ports...
Cheers,
Alex
03-14-2017 04:39 PM
You wouldn't do that. You would use the router as a firewall.
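The design Philip describes in the last two replies (a second public /30 routed to the 2921, the server on a spare interface with its own public address, and the router acting as the firewall) written out as an IOS configuration. This is an added example, not configuration from the thread or from the solution article it links to. It assumes: GigabitEthernet0/0 is the WAN link where the existing site-to-site tunnels (crypto map `S2S-MAP`) already terminate, the ISP routes `198.51.100.0/30` to the router, the Windows L2TP/IPsec server sits on GigabitEthernet0/2 as `198.51.100.2` with gateway `198.51.100.1`, and the router's IOS still offers classic `ip inspect` (CBAC). All addresses are RFC 5737 documentation ranges, i.e. placeholders. Because the server keeps a public address on its own interface, nothing is port-forwarded, so UDP 500 on the router's WAN address stays dedicated to the existing tunnels.

```cisco
! Added example (not from the thread). Placeholder addresses from RFC 5737.
! Assumed: S2S-MAP is the existing site-to-site crypto map; the ISP routes
! 198.51.100.0/30 to this router; the L2TP/IPsec server is 198.51.100.2 on Gi0/2.
!
interface GigabitEthernet0/0
 description WAN - existing site-to-site IPsec tunnels terminate here (unchanged)
 ip address 203.0.113.2 255.255.255.252
 crypto map S2S-MAP
!
interface GigabitEthernet0/2
 description Public /30 for the L2TP/IPsec server - deliberately NOT "ip nat inside"
 ip address 198.51.100.1 255.255.255.252
 ip access-group SERVER-IN out
 ip inspect SERVER-INSPECT in
!
! Router-as-firewall: only the flows an L2TP/IPsec client needs may reach the
! server - IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50).
! L2TP itself (UDP 1701) travels inside the ESP tunnel, so it is not opened.
! Everything else is dropped and logged, which also gives a detection point.
ip access-list extended SERVER-IN
 permit udp any host 198.51.100.2 eq isakmp
 permit udp any host 198.51.100.2 eq non500-isakmp
 permit esp any host 198.51.100.2
 deny   ip any any log
!
! Stateful inspection of sessions the server starts itself (updates, DNS, NTP)
! so their replies pass SERVER-IN without static holes. Assumes classic CBAC;
! a zone-based firewall policy would serve the same purpose.
ip inspect name SERVER-INSPECT tcp
ip inspect name SERVER-INSPECT udp
ip inspect name SERVER-INSPECT icmp
```

The key point is that no `ip nat` statement touches UDP 500: the server answers on `198.51.100.2`, the router on `203.0.113.2`, so both can listen on the same port. The `deny ip any any log` line is what turns the router into the firewall the reply asks for; `show access-lists SERVER-IN` and the logged denies show exactly what the Internet is probing against the Windows host, without exposing any of its other ports.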
03-30-2017 07:53 PM
!!!!! SOLVED !!!!!!
The actual solution to this problem is described in another article:
https://supportforums.cisco.com/discussion/13261916/l2tpipsec-passthrough-c2921-issues