08-16-2013 05:37 AM - edited 02-21-2020 07:05 PM
Hi,
First of all, apologies for my lack of awareness. It's hard managing Cisco routers when you are a newbie. I am learning Cisco as fast as I can.
My issue is that I'm trying to set up an L2TP over IPsec VPN connection in my company in order to provide a secure connection; however, I have not been successful so far. When I establish a connection from my home I get this info from the ASA:
> show crypto isakmp sa:
4 IKE Peer: 188.76.164.162
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
> Log Viewer
6 Aug 16 2013 14:11:14 110003 87.216.165.41 500 188.76.164.162 500 Routing failed to locate next hop for UDP from identity:87.216.165.41/500 to outside:188.76.164.162/500
Client OS: Windows 7/8 (Services: IKE and AuthIP IPsec and IPsec Policy Agent enabled as well, Windows firewall off)
I've tried to find out what is wrong by searching on Google and forums, however I couldn't find the solution.
Attached is my running config.
Any help is more than welcome.
Best,
Antonio
08-16-2013 09:55 AM
Hi Antonio,
It is a routing problem in your ASA.
route outside-other 0.0.0.0 0.0.0.0 192.168.4.1 100
route outside-backup 0.0.0.0 0.0.0.0 192.168.0.1 200
But you terminate the VPN at the outside interface (pppoe) which doesn't have a default route to send traffic back to the L2TP client.
Rule of thumb: Have a default route at the same interface where you terminate remote-access VPN.
To make the test from (188.76.164.162) work, you can add the following route:
route outside 188.76.164.162 255.255.255.255 87.216.40.1 1
But such a specific route will not be a solution if you expect VPN users to come from different locations. A default route is needed, or alternatively you may move the crypto map to the interface which has the default route.
Regards.
Mashal Alshboul
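As an added illustration of the routing check behind this answer (example code, not from the post or from Cisco), the following Python models the ASA's route selection and tests whether the IKE reply to the peer would leave the interface the VPN terminates on. The routes are the ones quoted above; the default-route next hop 87.216.40.1 on the outside interface is an assumption.

```python
import ipaddress

# Static routes quoted from the original config:
# (interface, destination network, next hop, administrative distance)
ORIGINAL_ROUTES = [
    ("outside-other",  "0.0.0.0/0", "192.168.4.1", 100),
    ("outside-backup", "0.0.0.0/0", "192.168.0.1", 200),
]

# The /32 host route the answer suggests for the single test client.
HOST_ROUTE_FIX = ("outside", "188.76.164.162/32", "87.216.40.1", 1)

# General fix: a default route on the VPN-terminating interface.
# The next hop is assumed for this example; use the real PPPoE gateway.
DEFAULT_ROUTE_FIX = ("outside", "0.0.0.0/0", "87.216.40.1", 1)


def lookup(routes, dst):
    """Best route for dst: longest prefix first, then lowest administrative
    distance. Returns (interface, next_hop) or None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for iface, net, nh, ad in routes:
        net = ipaddress.ip_network(net)
        if dst not in net:
            continue
        key = (net.prefixlen, -ad)  # longer prefix wins, then lower AD
        if best is None or key > best[0]:
            best = (key, iface, nh)
    return None if best is None else (best[1], best[2])


def check_return_path(routes, peer, vpn_iface):
    """Model the behaviour behind the 'Routing failed to locate next hop'
    message: the IKE reply must leave the interface the VPN terminates on.
    Returns (ok, reason)."""
    hit = lookup(routes, peer)
    if hit is None:
        return False, "no route"
    iface, nh = hit
    if iface != vpn_iface:
        return False, f"next hop via {iface} ({nh}), not {vpn_iface}"
    return True, f"via {nh} on {iface}"


if __name__ == "__main__":
    peer = "188.76.164.162"
    print("original:", check_return_path(ORIGINAL_ROUTES, peer, "outside"))
    print("host /32:", check_return_path(ORIGINAL_ROUTES + [HOST_ROUTE_FIX], peer, "outside"))
    print("default :", check_return_path(ORIGINAL_ROUTES + [DEFAULT_ROUTE_FIX], "10.9.9.9", "outside"))
```

Any client address works with the default-route fix, whereas the /32 host route only repairs the one peer it names.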