L2TP passthrough together with site-to-site IPSec tunnels on Cisco 2921?

Hi all,

I may have a stupid question, but could you run, in parallel,

  • existing site-to-site IPSec tunnels and
  • add L2TP passthrough configuration to it?

In other words, the client already has IPSec site-to-site tunnels, but would need to terminate client VPNs, preferably L2TP/IPSec, on a Windows server behind the router.

The challenge is: existing IPSec tunnels use UDP 500.

L2TP passthrough would need to port forward (destination NAT) the same UDP 500.

The only way I can see this happening is maybe to use some sort of access list and deny port forwarding of UDP 500 for the static public IP addresses of the already existing IPSec VPN tunnels...

Anyone had experience doing this?

Any configuration examples to recommend?

Many thanks


You could terminate both on the Cisco 2921. It is not likely to be reliable (as in not likely to work) trying to do pass through.


Hi Philip,

thanks for getting back.

We considered getting another public IP, assigning it to a loopback interface, doing proxy-ARP, and so avoiding the existing tunnels and L2TP passthrough clashing on UDP port 500.

I'm now reading articles about public IPs on loopback...


You could also get a /30 and have it routed to your 2921.  Then plug the server directly into a spare interface on your 2921, and give the server a public IP directly.


Hi Philip,

possible, but not sure how many people would expose a Windows machine to the Internet on all ports...

Cheers,

Alex

Accepted solution

You wouldn't do that. You would use the router as a firewall.
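What "use the router as a firewall" looks like on IOS, as an added example that is not from this thread or from Cisco: the /30 suggested above is routed to the 2921, the Windows server gets its own public address on a spare interface, and an ACL on that interface lets only IKE, NAT-T and ESP reach it. The addresses (203.0.113.0/30, GigabitEthernet0/2) and ACL name are assumptions; the existing site-to-site tunnels keep the WAN address and need no port forward at all, so the UDP 500 clash never arises.

```cisco
! Added example, not the thread's own configuration.
! Assumed: Gi0/2 carries the routed /30 203.0.113.0/30, router side .1,
! Windows L2TP/IPsec server .2. Existing site-to-site tunnels stay on the
! WAN interface; nothing here is NATed or port-forwarded.
ip access-list extended VPN-SERVER-OUT
 remark Only what an L2TP/IPsec client needs may reach the server
 permit udp any host 203.0.113.2 eq isakmp          ! IKE, UDP 500
 permit udp any host 203.0.113.2 eq non500-isakmp   ! NAT-T, UDP 4500
 permit esp any host 203.0.113.2                    ! L2TP (UDP 1701) rides inside ESP
 remark Replies to sessions the server opened itself (updates, DNS)
 permit tcp any host 203.0.113.2 established
 permit udp any eq domain host 203.0.113.2
 deny ip any host 203.0.113.2 log                   ! everything else, logged
!
interface GigabitEthernet0/2
 description Routed /30 to the Windows L2TP/IPsec server
 ip address 203.0.113.1 255.255.255.252
 ip access-group VPN-SERVER-OUT out
!
! Checks after applying:
!   show ip access-lists VPN-SERVER-OUT   -> hit counts on the permit lines,
!                                             denied/logged hits for everything else
!   show ip nat translations | include 500 -> no entry for 203.0.113.2
```

The `out` direction on Gi0/2 means only traffic heading to the server is evaluated, so the rest of the LAN and the existing tunnels are untouched.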


!!!!! SOLVED !!!!!!

The actual solution to this problem is described in another article:

https://supportforums.cisco.com/discussion/13261916/l2tpipsec-passthrough-c2921-issues