l2tp only working on egress interface

ttecs
Level 1

I have a rather weird problem with l2tp. 

I have begun implementing L2TP on all of my edge routers so users of iPhones can VPN in when hotspotting.

As a number of the services are DHCP on the ISP side (yay NBN Australia), I was setting the L2TP to connect to a public IP on a separate port or VLAN, but it does not work.

Put it on the egress port and all is good.

Examples below:

username fred secret fred12345
enable secret fred4567
aaa new-model
aaa authentication ppp VPDN_AUTH local
aaa authorization network VPDN_AUTH local if-authenticated
!
vpdn enable
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 lcp renegotiation always
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 hash sha
 lifetime 86400
!
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set MS_IPSEC esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map MS_MAP 1
 set nat demux
 set transform-set MS_IPSEC
!
crypto map L2TP_MAP 6000 ipsec-isakmp dynamic MS_MAP
!
interface Virtual-Template1
 ip unnumbered Loopback2
 peer default ip address pool L2TP_POOL
 ppp authentication pap chap ms-chap ms-chap-v2 VPDN_AUTH
 ppp mtu adaptive
!
interface Loopback2
 ip address 192.168.123.254 255.255.255.255
!
ip local pool L2TP_POOL 192.168.123.21 192.168.123.30
!
interface GigabitEthernet0/0
 ip address 203.203.203.1 255.255.255.248
 ip nat outside
 crypto map L2TP_MAP
!
interface GigabitEthernet0/1
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
!
controller VDSL 0/1/0
 firmware filename flash:VA_A_39d_B_38h3_24h_1.bin
!
interface Ethernet0/1/0
 ip address dhcp
 ip virtual-reassembly in
 ip tcp adjust-mss 1460


This does not work, but if I move the crypto map L2TP_MAP from g0/0 to e0/1/0 as in

interface Ethernet0/1/0
 ip address dhcp
 ip virtual-reassembly in
 ip tcp adjust-mss 1460
 crypto map L2TP_MAP

it works great, but on the "wrong" IP.

This is a 1941 running 15.4 and VDSL2. I have played about on various different routers with different versions of IOS (887, 1801, 2911, 2951) and tried VLANs as well as single physical ports, but unless the crypto map is on the egress interface it just sits there doing nothing.

Obviously I am missing something, so in the words of the late great Carrie Fisher, "help me Obi-Wan Kenobi, you're my only hope".
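An added check for the placement issue described in this post (example code, not from the thread or from Cisco): it parses an IOS-style config, reports any crypto map that is not applied on the DHCP-addressed egress interface, and also flags the wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`) that the posted config uses. The two sample configs are constructed from the post's own interface names and addresses.

```python
"""Constructed checker (not Cisco code) for the crypto-map placement problem in
this thread: is each crypto map on the DHCP egress interface, and is the PSK a wildcard?"""
import re
from typing import Dict, List

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None  # a blank line or '!' ends the current stanza
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            m = re.match(r"interface\s+(\S+)", raw.strip(), re.IGNORECASE)
            current = m.group(1) if m else None
            if current:
                stanzas.setdefault(current, [])
    return stanzas

def crypto_map_findings(config: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    stanzas = parse_interfaces(config)
    egress = sorted(n for n, cmds in stanzas.items()
                    if any(c.startswith("ip address dhcp") for c in cmds))
    findings: List[str] = []
    for name, cmds in stanzas.items():
        for c in cmds:
            if c.startswith("crypto map ") and name not in egress:
                findings.append(f"{c} is on {name}, not on the DHCP egress "
                                f"interface {', '.join(egress) or '(none)'}")
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0",
                 config, re.MULTILINE):
        findings.append("wildcard pre-shared key: any peer address may start IKE")
    return findings

# Constructed samples modelled on the posted config: as posted, then with the map moved.
SAMPLE_AS_POSTED = """\
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
!
interface GigabitEthernet0/0
 ip address 203.203.203.1 255.255.255.248
 crypto map L2TP_MAP
!
interface Ethernet0/1/0
 ip address dhcp
"""
SAMPLE_MAP_MOVED = (SAMPLE_AS_POSTED.replace(" crypto map L2TP_MAP\n", "")
                    + " crypto map L2TP_MAP\n")
```

Running `crypto_map_findings` on the two samples shows the map on GigabitEthernet0/0 flagged against the DHCP interface Ethernet0/1/0, and only the wildcard-PSK finding once the map is moved.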

8 Replies

ttecs
Level 1

Well 6 days, 110 views and no one has replied.

That is a bit disappointing.

I did not think this was such a difficult question.

Crypto map MUST be on egress interface by design.
But you can try the command

crypto map L2TP_MAP local-address g0/0

No, unfortunately it will not accept that command.

The only option was redundancy.

R49(config)#crypto map L2TP_MAP ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

What options do you have "crypto map L2TP_MAP ?"

Yes, I have those options, but unfortunately it still does not work.

It will not accept it within the interface config, and outside the interface config it does not work.

I

Show the current config and the output of "debug crypto isakmp" when the client is trying to connect.

You can also add this to your config:

vpdn-group L2TP
 source-ip 203.203.203.1