L2TP/IPSec VPN with Sonicwall 2400 and Cisco IOS

Han Zhong Guo
Level 1

My datacenter is using a Sonicwall 2400 and my remote branch office is using a Cisco 1841.

I am trying to get the Cisco 1841 to connect to my Sonicwall 2400 using L2TP/IPSEC with PSK VPN.

Below is my router config, but I still can't get it to work. Can some Cisco VPN expert please help me vet my config and see whether I have configured my 1841 router correctly?

My preshared key is secretkey and the authentication username and password are admin/admin. My Sonicwall 2400 is at 42.x.x.x and the Cisco 1841 is at 27.xx.xx.xx.

I have tested the Sonicwall L2TP/IPSEC VPN using my laptop Sonicwall VPN client and Android phone and both are working properly.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$iC.V$wihwNREo0D0aXTu7pkmbK/
!
no aaa new-model
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.127 10.10.10.254
!
ip dhcp pool LAN
   network 10.10.10.0 255.255.255.0
   domain-name local
   dns-server 10.10.10.1
   default-router 10.10.10.1
!
!
ip domain name local
ip name-server 165.x.x.x
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group L2TP-VPN
 request-dialin
  protocol l2tp
  pool-member 2
 initiate-to ip 42.x.x.x
 no l2tp tunnel authentication
!
!
!
!
username admin password 0 admin
!
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key secretkey address 42.x.x.x
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
 mode transport
!
crypto map L2TP-VPN 10 ipsec-isakmp
 set peer 42.x.x.x
 set transform-set ESP-AES128-SHA1
 match address L2TP-SA-DIALER1
!
!
!
interface FastEthernet0/0
 ip address 27.xx.xx.xx
 duplex auto
 speed auto
 crypto map L2TP-VPN
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 shutdown
 duplex auto
 speed auto
!
interface Dialer1
 description L2TP-VPN
 ip address negotiated
 ip mtu 1400
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 2
 dialer idle-timeout 0
 dialer vpdn
 dialer-group 2
 no cdp enable
 ppp chap hostname admin
 ppp chap password 0 admin
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
ip http server
no ip http secure-server
!
ip access-list extended L2TP-SA-DIALER1
 permit ip any any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
scheduler allocate 20000 1000
end

1 Reply

Han Zhong Guo
Level 1

On my Sonicwall 2400, I am seeing the messages below in my logs.

28 | 07/10/2013 11:07:47.208 | Warning | VPN IKE | Received packet retransmission. Drop duplicate packet | 27.xx.xx.xxx, 29200 (admin) | 42.xx.xx.xxx, 4500 | VPN Policy: WAN GroupVPN
30 | 07/10/2013 11:07:37.224 | Info | VPN IKE | IKE Responder: Main Mode complete (Phase 1) | 27.xx.xx.xxx, 29200 (admin) | 42.xx.xx.xxx, 4500 | VPN Policy: WAN GroupVPN;AES-128; SHA1; DH Group 2; lifetime=28800 secs
31 | 07/10/2013 11:07:37.144 | Info | VPN IKE | NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device
32 | 07/10/2013 11:07:37.080 | Info | VPN IKE | IKE Responder: Received Main Mode request (Phase 1) | 27.xx.xx.xxx, 12783 (admin) | 42.xx.xx.xxx, 500 | VPN Policy: WAN GroupVPN
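
Added example, not part of the original post: a Python sketch that splits the four pasted log rows back into fields, orders them by time, and reports how far the IKE negotiation got. The column layout, the regular expressions, the month-first date order, and the "Phase 2" marker are assumptions made for this example.

```python
import re
from datetime import datetime

# The four log rows from the post, copied as pasted (columns run together;
# the row that was split across two lines is rejoined).
RAW = [
    "2807/10/2013 11:07:47.208WarningVPN IKEReceived packet retransmission. Drop duplicate packet27.xx.xx.xxx, 29200 (admin)42.xx.xx.xxx, 4500VPN Policy: WAN GroupVPN",
    "3007/10/2013 11:07:37.224InfoVPN IKEIKE Responder: Main Mode complete (Phase 1)27.xx.xx.xxx, 29200 (admin)42.xx.xx.xxx, 4500VPN Policy: WAN GroupVPN;AES-128; SHA1; DH Group 2; lifetime=28800 secs",
    "3107/10/2013 11:07:37.144InfoVPN IKENAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device",
    "3207/10/2013 11:07:37.080InfoVPN IKEIKE Responder: Received Main Mode request (Phase 1)27.xx.xx.xxx, 12783 (admin)42.xx.xx.xxx, 500",
]

# Assumed layout: row number, timestamp, priority, category, then free text.
ROW = re.compile(r"^(?P<seq>\d+?)(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})"
                 r"(?P<prio>[A-Z][a-z]+)(?P<cat>VPN IKE)(?P<rest>.*)$")
ENDPOINT = re.compile(r"(\d+\.[\dx.]+), (\d+)")  # masked address, port

def parse(line):
    m = ROW.match(line)
    if not m:
        raise ValueError("unrecognised row: " + line[:40])
    rest = m["rest"]
    eps = list(ENDPOINT.finditer(rest))  # first = source, second = destination
    return {
        "seq": int(m["seq"]),
        # Day/month order is not stated on the page; month-first is assumed.
        "ts": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f"),
        "prio": m["prio"],
        "msg": rest[:eps[0].start()] if eps else rest,
        "src_port": int(eps[0][2]) if eps else None,
        "dst_port": int(eps[1][2]) if len(eps) > 1 else None,
    }

def summarize(lines):
    rows = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    p1 = [r["ts"] for r in rows if "Main Mode complete (Phase 1)" in r["msg"]]
    return {
        "order": [r["seq"] for r in rows],  # row numbers, oldest first
        "dst_ports": [r["dst_port"] for r in rows if r["dst_port"]],
        "nat_detected": any(r["msg"].startswith("NAT Discovery") for r in rows),
        "phase1_complete": bool(p1),
        # Assumption: Phase 2 events carry "Phase 2" the way Phase 1 ones do.
        "phase2_seen": any("Phase 2" in r["msg"] for r in rows),
        "retransmit_after_phase1": any(
            p1 and r["ts"] > p1[0] and "retransmission" in r["msg"] for r in rows),
    }

if __name__ == "__main__":
    print(summarize(RAW))
```
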