03-23-2016 03:28 AM - edited 02-21-2020 08:44 PM
Hi,
I am trying to set up an L2TP over IPSec Tunnel between a Windows 7 Client and a 1921-SEC IOS Router with 15.3M.
I stuck closely to the configuration provided in the following document (which uses a 26xx router with IOS 12.4):
https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8
The setup is working fine with IOS 15.1M - but with IOS 15.3M or 15.4M I get the Windows error message 809, telling me that the remote server is not responding.
Looking at the router, I see that the IPSec SA is correctly set up. But all other related debugs are completely quiet:
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on
L2TP:
L2TP errors debugging is on
L2TP events debugging is on
VPN:
VPDN events debugging is on
VPDN errors debugging is on
There is no NAT/PAT or firewall in between router and client - it's a lab with directly connected devices. Nevertheless I tried changing the registry key as recommended by Microsoft, but that didn't change anything.
The VPDN Configuration Guide for 15.4M says:
Client-initiated VPDN tunneling can use the L2TP protocol or the L2TPv3 protocol if the client device is a router. If the client device is a PC, only the PPTP protocol is supported.
Looks like I'm flogging a dead horse...
However, does anybody have a solution to use L2TP on current IOS versions? If not, what would be your recommended alternative?
PPTP is working fine, but it's not secure. Cisco VPN Client is EoL. Using FlexVPN with IKEv2 forces me to buy licenses.
Is there any free secure option for VPN Dial-in on Cisco IOS routers?
03-23-2016 12:44 PM
FlexVPN with IKEv2 does not require any extra licences on a 1921 (over what you must already have to get the crypto going above).
Can you go back to using 15.1 when it worked? I have found 15.4(3)Mx to be a good train for me for many crypto tasks, but I don't use L2TP over IPSec on purpose. I find the lack of split tunnelling too limiting.
If you want to save yourself hours and hours of effort, then just get the AnyConnect licences and use AnyConnect.
03-24-2016 01:47 AM
Thanks for your reply.
IOS downgrade is not an option, since I need some of the newer features.
FlexVPN itself doesn't require licenses - but I suppose the use of AnyConnect does.
This brings me to the last free option of using the built-in Windows IKEv2 VPN client. I'll try it out in the next few days... I suppose your assumption "hours and hours of effort" will be totally right, when looking at the how-tos.