L2TP/IPSEC passthrough C2921 issues

Hi all,

As my colleague said, with PPTP no longer being a supported option for Mac users, we can't be alone in the universe with our issue :-)

The topology is as follows:

Remote W10 computer -- Internet -- C2921 -- W2012 server

We configured L2TP/IPSec passthrough on C2921.

We wanted to use L2TP/IPSec with pre-shared passphrase mode, terminating on LAN W2012 server behind the router.

PPTP and L2TP/IPsec VPN connections work from LAN.

PPTP works from the remote machine.

L2TP/IPSec doesn't work from the remote machine.

The Cisco router is configured with a public IP on a loopback and has NAT configured; it seems to be working, and I will paste it below.

Why use a loopback? Because there are existing, working L-2-L IPSec VPNs.

Remote connections don't work. I did a packet capture on both the W2012 server and the remote W10 machine, and I can see an exchange of UDP 500 and 4500 packets.

W10 log viewer didn't give me any meaningful error code.

Cisco config (192.168.0.16 is the W2012 server):

RTR#sh ip nat translations
Pro  Inside global        Inside local          Outside local           Outside global
...
tcp  <Gi0/0_IP>:63123     192.168.0.15:63123    178.255.155.115:5938    178.255.155.115:5938
esp  <Loopb_IP>:0         192.168.0.16:0        ---                     ---
udp  <Loopb_IP>:123       192.168.0.16:123      13.79.154.18:123        13.79.154.18:123
udp  <Loopb_IP>:500       192.168.0.16:500      <RemoteW10_IP>:42734    <RemoteW10_IP>:42734
udp  <Loopb_IP>:500       192.168.0.16:500      ---                     ---
udp  <Loopb_IP>:1701      192.168.0.16:1701     ---                     ---
udp  <Loopb_IP>:4500      192.168.0.16:4500     <RemoteW10_IP>:42736    <RemoteW10_IP>:42736
udp  <Loopb_IP>:4500      192.168.0.16:4500     ---                     ---
gre  <Loopb_IP>:14375     192.168.0.16:14375    <RemoteW10_IP>:14375    <RemoteW10_IP>:14375
udp  <Loopb_IP>:53580     192.168.0.16:53580    139.130.4.4:53          139.130.4.4:53
...

interface Loopback7
 ip address <Loopb_IP> 255.255.255.252
 ! this is a public IP address
 ip nat outside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0
 description ISP_UPLINK
 ip address <Gi0/0_IP> 255.255.255.252
 ! public IP
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 crypto map CRYPTO_MAP
 ! for site-to-site IPSec tunnels
!
interface GigabitEthernet0/1
 description LAN
 ip address 192.168.0.254 255.255.255.0
 ip helper-address 192.168.0.1
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source list VPN_SERV interface Loopback7 overload
ip nat inside source static esp 192.168.0.16 interface Loopback7
ip nat inside source static udp 192.168.0.16 500 <Loopb_IP> 500 extendable
ip nat inside source static udp 192.168.0.16 1701 <Loopb_IP> 1701 extendable
ip nat inside source static tcp 192.168.0.16 1723 <Loopb_IP> 1723 extendable
ip nat inside source static udp 192.168.0.16 4500 <Loopb_IP> 4500 extendable

ip nat inside source static tcp 192.168.0.5 21 <Gi0/0_IP> 21 extendable
ip nat inside source static tcp 192.168.0.17 81 <Gi0/0_IP> 81 extendable
ip nat inside source static tcp 192.168.0.10 8016 <Gi0/0_IP> 8016 extendable
ip nat inside source static tcp 192.168.0.10 8116 <Gi0/0_IP> 8116 extendable
ip nat inside source static tcp 192.168.0.10 8200 <Gi0/0_IP> 8200 extendable
ip nat inside source static tcp 192.168.0.10 8201 <Gi0/0_IP> 8201 extendable
ip nat inside source static tcp 192.168.0.10 10019 <Gi0/0_IP> 10019 extendable

ip route 0.0.0.0 0.0.0.0 <Gi0/0_IP>
!
ip access-list extended SITE4
 permit ip 192.168.0.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended SITE8
 permit ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
ip access-list extended SITE5
 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
ip access-list extended SITE1
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended SITE7
 permit ip 192.168.0.0 0.0.0.255 192.168.7.0 0.0.0.255
ip access-list extended SITE2
 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended SITE3
 permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key KEY address <SITE4>
crypto isakmp key KEY address <SITE8>
crypto isakmp key KEY address <SITE5>
crypto isakmp key KEY address <SITE1>
crypto isakmp key KEY address <SITE7>
crypto isakmp key KEY address <SITE2>
crypto isakmp key KEY address <SITE3>
!
!
crypto ipsec transform-set 3DESHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CLIENT-IPSEC-PROF
 set transform-set 3DESHA
!
!
crypto map CRYPTO_MAP 10 ipsec-isakmp
 set peer <SITE4>
 set transform-set 3DESHA
 match address SITE4
crypto map CRYPTO_MAP 15 ipsec-isakmp
 set peer <SITE8>
 set transform-set 3DESHA
 match address SITE4
...
!
ip access-list extended NAT
 deny ip any 192.168.1.0 0.0.0.255
 deny ip any 192.168.2.0 0.0.0.255
 deny ip any 192.168.3.0 0.0.0.255
 deny ip any 192.168.4.0 0.0.0.255
 deny ip any 192.168.5.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.8.0 0.0.0.255
 deny ip any 192.168.254.0 0.0.0.255
 deny ip host 192.168.0.16 any
 deny ip host <Loopb_IP> any
 permit ip any any
ip access-list extended VPN_SERV
 deny ip host 192.168.0.16 192.168.4.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.8.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.5.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.1.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.7.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.2.0 0.0.0.255
 deny ip host 192.168.0.16 192.168.3.0 0.0.0.255
 permit ip host 192.168.0.16 any

Any thoughts, suggestions?

Many thanks!

Accepted Solution

Advisor

You can't use L2TP over IPSec passthrough and IPSec site-to-site VPN at the same time; they use the same ports and protocols.

I would suggest you change to using Cisco AnyConnect for remote VPN users.


Beginner

!!!!! SOLVED !!!!!!

Hi all,

just an update.

The configuration above is actually working.

The configuration above uses two public IPs, one for the customer's existing site-to-site VPNs.

The other public IP, on Loopback7, was used for the remote users' L2TP/IPSec client VPN.

The reason is that, while the site-to-site VPNs terminate on the Cisco router and the client VPNs terminate on the Windows server behind the router, both the site-to-site and the L2TP over IPSec client VPNs use the same UDP ports 500 and 4500.

In other words, there would be a conflict over the above UDP ports if separate public IPs were not used.

The issue was actually with Windows machines not being able to use NAT-T by default.

Once I configured NAT-T via a registry change, as per the article below, I got it working without a single change to the above configuration.

https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows-vista-and-in-windows-server-2008
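The two things this thread turns on are checkable from the config text: the accepted answer's port conflict (router-terminated IPsec and L2TP/IPsec passthrough claiming UDP 500/4500 on the same public IP) and the update's point that the passthrough only works when every mapping (ESP, UDP 500, 4500, 1701) lands on a separate address. The checker below is an added example, not code from the thread; it parses a constructed IOS fragment shaped like the config above, treating the thread's <Gi0/0_IP> and <Loopb_IP> placeholders as literal address tokens.

```python
import re
# Constructed sample in the shape of the thread's config; the thread's <Gi0/0_IP> and
# <Loopb_IP> placeholders are kept as literal address tokens.
SAMPLE_CONFIG = """
interface Loopback7
 ip address <Loopb_IP> 255.255.255.252
!
interface GigabitEthernet0/0
 ip address <Gi0/0_IP> 255.255.255.252
 crypto map CRYPTO_MAP
!
ip nat inside source static esp 192.168.0.16 interface Loopback7
ip nat inside source static udp 192.168.0.16 500 <Loopb_IP> 500 extendable
ip nat inside source static udp 192.168.0.16 1701 <Loopb_IP> 1701 extendable
ip nat inside source static udp 192.168.0.16 4500 <Loopb_IP> 4500 extendable
"""
# Everything an L2TP/IPsec server behind NAT needs forwarded to it: ESP, IKE, NAT-T, L2TP.
L2TP_IPSEC_NEEDS = {("esp", None), ("udp", 500), ("udp", 4500), ("udp", 1701)}
NAT_RE = re.compile(r"ip nat inside source static (\S+) (\S+)(?: (\d+))? (?:interface )?(\S+)")

def parse_config(text):
    """Interfaces {name: {"ip", "crypto_map"}} and static NATs (proto, host, port, public_ip)."""
    interfaces, nats, cur = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface "):
            cur = line.split()[1]
            interfaces[cur] = {"ip": None, "crypto_map": False}
        elif line == "!":                                 # end of the interface stanza
            cur = None
        elif cur and line.startswith("ip address "):
            interfaces[cur]["ip"] = line.split()[2]
        elif cur and line.startswith("crypto map "):      # router terminates IPsec here
            interfaces[cur]["crypto_map"] = True
        elif m := NAT_RE.match(line):
            proto, inside, port, outside = m.groups()
            nats.append((proto, inside, int(port) if port else None, outside))
    # "interface Loopback7" style mappings resolve to that interface's own address.
    return interfaces, [(p, h, port, interfaces[o]["ip"] if o in interfaces else o)
                        for p, h, port, o in nats]

def ike_conflicts(text):
    """Public IPs with a crypto map that also forward UDP 500/4500 inside: one port set, two owners."""
    interfaces, nats = parse_config(text)
    crypto_ips = {i["ip"] for i in interfaces.values() if i["crypto_map"]}
    return sorted({ip for proto, _, port, ip in nats
                   if proto == "udp" and port in (500, 4500) and ip in crypto_ips})

def missing_passthrough(text, server):
    """L2TP/IPsec mappings the config does not forward to `server`."""
    _, nats = parse_config(text)
    return sorted(L2TP_IPSEC_NEEDS - {(p, port) for p, h, port, _ in nats if h == server})
```

Moving the UDP 500 mapping onto <Gi0/0_IP>, the interface carrying CRYPTO_MAP, is exactly the collision the accepted answer describes, and the checker reports that address.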