Need help configuring an L2TP/IPsec split tunnel on a Cisco 3845 router

Hi mates,

Greetings for the day, hope you are all doing well.

I am having a hard time configuring an L2TP/IPsec split-tunnel VPN on a Cisco ISR 3800. Please find my router's running configuration below.

!
! Last configuration change at 07:41:31 CDT Sat Mar 28 2020 by dlesneski
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cox-3845
!
boot-start-marker
boot-end-marker
!
!
logging buffered 4096 informational
logging console informational
enable password 7 1501580F11387865696A
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login USER local
aaa authorization exec default local
aaa authorization network default local
aaa authorization network GROUP local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone CDT -6 0
clock summer-time CDT recurring
!
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
ip cef
!
!
!
!
ip domain name callsplus.local
ip name-server 10.201.1.12
ip name-server 10.201.1.15
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall icmp
ip inspect name firewall imap
ip inspect name firewall pop3
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall ipsec-msft
ip inspect name firewall sqlnet
ip inspect name firewall https
ip inspect name firewall tftp
ip inspect name firewall msexch-routing
ip inspect name firewall pptp
ip inspect name firewall realaudio
ip inspect name firewall rtsp
ip inspect name firewall ssh
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
vpdn enable
!
vpdn-group l2tp-group
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
license udi pid CISCO3845-MB sn FOC13183KRU
username lbellazin privilege 15 secret 5 $1$uLpw$qQNIQQjRf3pgQLIoE5CI..
username wcarron privilege 15 secret 5 $1$y/Ti$JjsfN/2ky85vs4jFMVFaS0
username dlesneski privilege 15 secret 5 $1$euJf$4vN0NDvodGijyDerurizt.
username test1 password 7 13351601182C55787864041A1B0753
username cpremote1 password 7 03074B1F571F205F5D29485744
username cpremote2 password 7 0205144F59160E325F6E584B56
username cpremote3 password 7 094F5E1D4A151601182C557878
username cpremote4 password 7 094F5E1D4D151601182C557878
username cpremote5 password 7 130607065E1C05393804796166
username cpremote6 password 7 121A1503441B0D17390B757A60
username cpremote7 password 7 1414021F5B142B383708626771
username cpremote8 password 7 13060706531C05393804796166
username cpremote9 password 7 04581B1256314D5D1A39544541
username cpremote10 password 7 00070312550B1B071C326C1F5B4A
username cpremote11 password 7 110A091146431B0D17390B757A60
username cpremote12 password 7 094F5E1D48570713181F247B7977
username cpremote13 password 7 130607065A5F142B383708626771
username cpremote14 password 7 1414021F5D503A2A373B13647040
username cpremote15 password 7 15111B18557F3B253B2015734154
username cpremote16 password 7 15111B18557C3B253B2015734154
username cpremote17 password 7 094F5E1D48520713181F247B7977
username cpremote18 password 7 110A0911464A1B0D17390B757A60
username cpremote19 password 7 070C31581F50090404012B5D5679
username cpremote20 password 7 1414021F5E543A2A373B13647040
!
redundancy
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 30
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key Kuw@!JuK0$3- address 71.41.245.98
crypto isakmp key aD22Tvctuv!9HHQ!. address 71.41.245.99
crypto isakmp key CallsPlus address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map mymap 1
set nat demux
set transform-set myset
reverse-route
crypto dynamic-map mymap 2
set nat demux
set transform-set myset
!
!
crypto map mymap 2 ipsec-isakmp dynamic mymap
!
crypto map vpnmap 120 ipsec-isakmp
set peer 71.41.245.99
set transform-set ESP-AES-256
set pfs group2
match address 120
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 10.201.0.1 255.255.254.0
ip nat inside
no ip virtual-reassembly in
duplex full
speed 1000
media-type rj45
!
interface GigabitEthernet0/1
ip address 72.215.249.149 255.255.255.240
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
duplex full
speed 1000
media-type rj45
crypto map mymap
!
interface FastEthernet0/0/0
no ip address
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2
!
interface Vlan1
description AT&T CID: MLEC 921581 - 877-288-8362 - http://expressticketing.acss.att.com
ip address 209.64.39.130 255.255.255.248
ip nat outside
ip virtual-reassembly in
shutdown
!
ip local pool l2tp-pool 172.16.10.1 172.16.10.20
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool att 209.64.39.131 209.64.39.134 netmask 255.255.255.248
ip nat pool cox 72.215.249.146 72.215.249.149 netmask 255.255.255.248 type rotary
ip nat inside source route-map att interface Vlan1 overload
ip nat inside source route-map cox interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.201.0.50 81 72.215.249.149 81 extendable
ip nat inside source static tcp 10.201.0.10 3389 72.215.249.149 3389 extendable
ip nat inside source static tcp 10.201.10.9 5060 72.215.249.149 5060 extendable
ip nat inside source static udp 10.201.10.9 5060 72.215.249.149 5060 extendable
ip nat inside source static tcp 10.201.10.9 5061 72.215.249.149 5061 extendable
ip nat inside source static tcp 10.201.0.50 6036 72.215.249.149 6036 extendable
ip nat inside source static tcp 10.201.10.9 5060 72.215.249.149 7282 extendable
ip nat inside source static udp 10.201.10.9 5060 72.215.249.149 7282 extendable
ip nat inside source static tcp 10.201.0.200 8040 72.215.249.149 8040 extendable
ip nat inside source static tcp 10.201.0.200 8041 72.215.249.149 8041 extendable
ip nat inside source static tcp 10.201.0.50 9008 72.215.249.149 9008 extendable
ip nat inside source static tcp 10.201.0.50 9036 72.215.249.149 9036 extendable
ip route 0.0.0.0 0.0.0.0 72.215.249.145
ip route 0.0.0.0 0.0.0.0 209.64.39.129 10
ip route 10.201.10.0 255.255.255.0 10.201.1.1
ip route 172.16.10.0 255.255.255.0 10.201.1.1
ip route 192.168.1.0 255.255.255.0 10.201.1.1
!
ip access-list extended nonat
deny ip 10.201.1.0 0.0.0.255 host 10.1.18.101
deny ip 10.201.0.0 0.0.0.255 host 10.1.18.101
permit ip 192.168.1.0 0.0.0.255 any
permit ip 10.201.0.0 0.0.0.255 any
permit ip 10.201.10.0 0.0.0.255 any
permit ip 10.201.1.0 0.0.0.255 any
permit ip any any
!
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.200 echo
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.201 echo
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.202 echo
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.203 echo
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.204 echo
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.205 echo
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.206 echo
access-list 101 permit icmp 10.201.1.0 0.0.0.255 host 10.201.0.207 echo
access-list 120 permit ip 10.201.1.0 0.0.0.255 host 10.1.18.101
access-list 120 permit ip 10.201.0.0 0.0.0.255 host 10.1.18.101
access-list 125 permit ip 74.112.0.0 0.0.255.255 any
access-list 125 deny ip 5.101.40.0 0.0.0.255 any
access-list 125 deny ip 45.64.170.0 0.0.0.255 any
access-list 125 deny ip 12.149.38.0 0.0.0.255 any
access-list 125 deny ip 162.250.124.0 0.0.0.255 any
access-list 125 permit tcp any any eq 3389
access-list 125 permit tcp any any eq 1723
access-list 125 permit gre any any
access-list 125 permit udp any any eq isakmp
access-list 125 permit tcp any any eq telnet
access-list 125 permit udp any eq domain any
access-list 125 permit tcp any eq domain any
access-list 125 permit tcp any any established
access-list 125 permit tcp any any eq 7282
access-list 125 permit icmp any any ttl-exceeded
access-list 125 permit tcp any any eq www
access-list 125 permit tcp any any eq 81
access-list 125 permit tcp any any eq 6036
!
!
!
!
route-map att permit 10
match ip address nonat
match interface Vlan1
!
route-map cox permit 10
match ip address nonat
match interface GigabitEthernet0/1
!
snmp-server community private RW
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
password 7 1501580F11387865
line aux 0
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
password 7 0017400511495847
transport input telnet ssh
!
scheduler allocate 20000 1000
end

---------------------------------------------------------

I've configured the VPN as follows:

aaa new-model
aaa authentication login default local
aaa authorization network default local
username LBellazin password 7 0107130A550E0A1F205F5D

================================================================
config# ip local pool l2tp-pool 172.16.10.1 172.16.10.20
vpdn enable
vpdn-group l2tp-group
accept-dialin
protocol l2tp
virtual-template 1
exit
no l2tp tunnel authentication
exit
interface virtual-template 1
ip unnumbered G0/0
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2
exit
==================================================================

config# crypto isakmp policy 1
encryption 3des
hash sha
authentication pre-share
group 2
lifetime 3600
exit
crypto isakmp key CallsPlus address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
exit


=====================================
config# crypto dynamic-map mymap 1
set nat demux
set transform-set myset
exit
crypto map mymap 1 ipsec-isakmp dynamic mymap
interface g0/0
crypto map mymap

Guys, will you please review this and let me know what I am missing, and how I can split Internet traffic from local LAN traffic.

At the moment, when I connect to the VPN, I am only able to ping the 10.201.0.X subnet; I am not able to ping or access 10.201.1.X and 10.201.10.X, and I also get disconnected from the Internet.

When I change the VPN IP pool to something like "ip local pool l2tp-pool 10.201.0.200 10.201.0.230", I can ping across the network, but I am still not able to access the Internet or anything on the external/WAN side.

Thanks in advance for your replies, guys!
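Separately from the split-tunnel question, the posted running config shows several settings a reviewer would flag on any IOS device: `password 7` strings on the enable, console, VTY and many `username` lines (Cisco type 7 is a reversible XOR obfuscation, not a hash), an ISAKMP pre-shared key bound to `address 0.0.0.0 0.0.0.0` (negotiable by any peer that knows it), 3DES in the ISAKMP policy and transform set, `public`/`private` SNMP communities with `private` read-write, Telnet on the VTYs, and the cleartext `ip http server`. The script below is an added example, not code from the original post: it decodes type 7 strings and lints a config for those patterns. It runs over a constructed sample config with made-up secrets; none of the values from the post are decoded or reproduced here.

```python
"""Lint an IOS running-config for the weak settings visible in the post above.

Added example for this page, not code from the original post.  Every config
line and secret below is constructed for the demo.
"""
import re

# Cisco's type-7 translation table.  Type 7 is XOR against this fixed string,
# so any 'password 7' value is recoverable by anyone who can read the config.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Recover the cleartext from a type-7 string: 2-digit seed + hex pairs."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", enc):
        raise ValueError(f"not a type-7 string: {enc!r}")
    seed = int(enc[:2])
    pairs = [enc[i:i + 2] for i in range(2, len(enc), 2)]
    return "".join(
        chr(int(p, 16) ^ ord(XLAT[(seed + k) % len(XLAT)])) for k, p in enumerate(pairs)
    )


def type7_encode(plain: str, seed: int = 8) -> str:
    """Produce a type-7 string (used only to build the constructed sample below)."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0-15")
    body = "".join(
        f"{ord(c) ^ ord(XLAT[(seed + k) % len(XLAT)]):02X}" for k, c in enumerate(plain)
    )
    return f"{seed:02d}{body}"


# (pattern, finding) pairs; each is matched against a whitespace-stripped line.
TYPE7 = re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)\b")
CHECKS = [
    (re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$"),
     "wildcard pre-shared key: any peer that knows the PSK can negotiate IKE"),
    (re.compile(r"\b(?:encr(?:yption)? 3des|esp-3des)\b"),
     "3DES in use; prefer AES"),
    (re.compile(r"^snmp-server community (?:public|private) (?:RO|RW)$"),
     "default SNMP community string"),
    (re.compile(r"^transport input .*\btelnet\b"),
     "Telnet accepted on this line; restrict to ssh"),
    (re.compile(r"^ip http server$"),
     "cleartext HTTP management enabled"),
]


def audit_config(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) for every weak setting found in the config."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = TYPE7.search(line)
        if m:
            findings.append((n, f"type-7 password is reversible, decodes to {type7_decode(m.group(1))!r}"))
        for pattern, msg in CHECKS:
            if pattern.search(line):
                findings.append((n, msg))
    return findings


# Constructed sample mirroring the shape of the posted config; secrets are made up.
# '0822455D0A16' is the textbook type-7 encoding of 'cisco'.
SAMPLE_CONFIG = f"""\
hostname demo-3845
enable password 7 0822455D0A16
username cpremote1 password 7 {type7_encode('Welcome123', seed=3)}
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ExamplePSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 {type7_encode('vtypass', seed=11)}
 transport input telnet ssh
ip http server
"""

if __name__ == "__main__":
    for lineno, finding in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Run it against a real `show running-config` capture by passing the file contents to `audit_config`. Anything it reports as type 7 should be moved to `secret` (type 5/8/9) or to the AAA server, and a PSK on `address 0.0.0.0 0.0.0.0` deserves a look at whether a per-peer key or certificate authentication is possible for the L2TP clients.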