L2TP over IPSec with Draytek

mario-oliveira
Level 1

Hi,

I have a Cisco 7200 and need to establish an L2TP over IPSec session with a Draytek Fly200. The Draytek must use L2TP over IPSec to provide LAN-to-LAN connectivity. IPSec phases 1 and 2 are OK and the L2TP tunnel is also established, but on the cloned virtual-access interface IPCP negotiation is not completed:

*Sep 16 09:50:36.911: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up

L2X_ADJ: Vi3:midchain adj reqd for ip 0.0.0.0, cid 0

*Sep 16 09:50:38.911: Vi3 IPCP: O CONFREQ [REQsent] id 2 len 10

*Sep 16 09:50:38.911: Vi3 IPCP: Address 192.168.176.2 (0x0306C0A8B002)

*Sep 16 09:50:38.911: Vi3 IPCP: Event[Timeout+] State[REQsent to REQsent]

I think my VPDN configuration on the Cisco side is not correct, but I cannot find configuration examples for this kind of solution.

Help would be much appreciated.

Thanks, Mario


Yudong Wu
Level 7

Please add "encap ppp" under "interface Virtual-Template1"

Hi,

PPP is the default encapsulation on virtual-template:

interhost#sh int virtual-template 1   
Virtual-Template1 is down, line protocol is down
Hardware is Virtual Template interface
Interface is unnumbered. Using address of FastEthernet0/0 (213.134.48.45)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set

Any more ideas or suggestions are welcome, because I really need a solution for that.

Thanks, Mario Oliveira

no clue,

You might need to run some debug such as "debug ppp neg".

Debug ppp neg attached. Thanks

From the debug, I could see "CONFREQ [REQsent]", but it did not get a response from the peer and then timed out.

Can you check the log at the other end to see what happens?

Yudong Wu,

Meanwhile, I would like to know if I can implement a LAN2LAN solution using L2TP over IPSec with Cisco. Actually I have that solution working with two Drayteks and I need to swap the aggregator Draytek for a Cisco, but I am not sure if it is possible with Cisco and how I should configure the Cisco side.

Because L2TP over IPSec is usually for remote access VPN clients, not for LAN-to-LAN VPN tunnels, can I do it with Cisco? And how?

Thanks

The L2TP tunnel must be initiated from LAC to LNS. So, in your setup, one site must be a LAC and the other side an LNS.

From the IPSec perspective, it just encrypts the related L2TP traffic. I attached a Cisco example here.

Yudong Wu,
My configuration on the Cisco side is according to the LNS example. The Draytek is working as LAC, debugging about PPP negotiation is poor, but I need to check from the Draytek side.

Thanks again. Mario
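
An added example, not part of the thread or of any participant's post: a small Python pass over "debug ppp negotiation" output that reports outgoing CONFREQs the peer never answered, counts timeouts, and decodes the IPCP option bytes shown in parentheses. The function names are hypothetical, the IPCP lines are the ones quoted in the first post, and the two LCP lines are constructed for contrast.

```python
import ipaddress
import re

# Constructed sample: the IPCP lines are taken from the first post; the two LCP
# lines are made up to show a request that does get answered.
SAMPLE_LOG = """\
*Sep 16 09:50:36.915: Vi3 LCP: O CONFREQ [Closed] id 1 len 14
*Sep 16 09:50:36.931: Vi3 LCP: I CONFACK [REQsent] id 1 len 14
*Sep 16 09:50:38.911: Vi3 IPCP: O CONFREQ [REQsent] id 2 len 10
*Sep 16 09:50:38.911: Vi3 IPCP:    Address 192.168.176.2 (0x0306C0A8B002)
*Sep 16 09:50:38.911: Vi3 IPCP: Event[Timeout+] State[REQsent to REQsent]
"""

PACKET = re.compile(r"(\S+) (LCP|IPCP): ([IO]) (CONF\w+) \[[^\]]+\] id (\d+)")
OPTION = re.compile(r"(\S+) (LCP|IPCP):.*\(0x([0-9A-Fa-f]+)\)")
TIMEOUT = re.compile(r"(\S+) (LCP|IPCP): Event\[Timeout")
REPLIES = {"CONFACK", "CONFNAK", "CONFREJ"}


def decode_ipcp_option(hex_tlv):
    """Decode one IPCP option TLV (type, length, value) as printed in the debug."""
    raw = bytes.fromhex(hex_tlv)
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError("length byte does not match option size")
    if raw[0] == 3 and len(raw) == 6:          # option 3 = IP-Address (RFC 1332)
        return "IP-Address", str(ipaddress.IPv4Address(raw[2:]))
    return f"type-{raw[0]}", raw[2:].hex()


def analyze(log):
    """Return outgoing CONFREQs with no matching reply, timeout counts, options."""
    pending, timeouts, options = {}, {}, []
    for line in log.splitlines():
        if m := PACKET.search(line):
            intf, proto, direction, code, ident = m.groups()
            key = (intf, proto, int(ident))
            if direction == "O" and code == "CONFREQ":
                pending[key] = True
            elif direction == "I" and code in REPLIES:
                pending.pop(key, None)         # a reply echoes the request id
        elif m := TIMEOUT.search(line):
            timeouts[m.groups()] = timeouts.get(m.groups(), 0) + 1
        elif m := OPTION.search(line):
            if m.group(2) == "IPCP":
                options.append((m.group(1), *decode_ipcp_option(m.group(3))))
    return {"unanswered": sorted(pending), "timeouts": timeouts, "options": options}
```

On the sample, `analyze(SAMPLE_LOG)` leaves only the IPCP request with id 2 unanswered, which is the symptom described in the thread: the CONFREQ goes out and no CONFACK, CONFNAK or CONFREJ comes back from the peer.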