
route for L2TP/IPsec client on ISR4431

alex_bsb_by
Level 1

Hello everyone!

I have the following L2TP/IPsec config:

aaa new-model

aaa authentication ppp L2TP local
aaa authorization network L2TP local

ip dhcp excluded-address 10.1.1.1
!
ip dhcp pool L2TP_CLIENT_POOL
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 option 249 hex 2017.3d23.120a.2665.01
 dns-server 8.8.8.8

vpdn enable
!
vpdn-group l2tp_group
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication

username user password user11

crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 20
 lifetime 28800

crypto isakmp key PASS address 0.0.0.0 no-xauth

crypto ipsec transform-set L2TP_AES128_SHA esp-aes esp-sha-hmac
 mode transport

crypto dynamic-map L2TP_DYNAMIC_MAP 10
 set nat demux
 set transform-set L2TP_AES128_SHA
 match address L2TP_ENCRYPT

crypto map L2TP_MAP local-address Loopback91
crypto map L2TP_MAP 10 ipsec-isakmp dynamic L2TP_DYNAMIC_MAP

interface Loopback91
 ip address 15.15.15.15 255.255.255.255

interface Loopback101
 ip address 10.1.1.1 255.255.255.255

interface GigabitEthernet0/1
 description ***************Internet*interface**********
 ip address 14.14.14.14 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
 crypto map L2TP_MAP

interface Virtual-Template2
 ip unnumbered Loopback101
 no ip redirects
 no ip unreachables
 peer default ip address dhcp-pool L2TP_CLIENT_POOL
 ppp authentication chap ms-chap-v2 L2TP
 ppp authorization L2TP
 ip virtual-reassembly
end

ip access-list extended L2TP_ENCRYPT
 permit udp host 15.15.15.15 eq 1701 any



This config works correctly on a Cisco 3925.

On the ISR4431 the VPN connection is established and the default route is available, but the route is not registered on the remote client via DHCP option 249.

I also tried option 121 and got the same result.

Maybe there is another way to register the route on the remote client?
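
Options 121 and 249 both carry routes in the RFC 3442 classless static route encoding (prefix length, significant destination octets, router), so the hex string in the pool above can be checked by decoding it. The following Python sketch is an added example, not part of the original post or any Cisco tooling; the function names are hypothetical and the second encoded route is a constructed sample.

```python
import ipaddress

# Value copied from the "option 249 hex ..." line of the posted DHCP pool.
POSTED_OPTION = "2017.3d23.120a.2665.01"

def decode_classless_routes(cisco_hex):
    """Decode an RFC 3442 route list written in IOS dotted-hex notation."""
    data = bytes.fromhex(cisco_hex.replace(".", ""))
    routes, i = [], 0
    while i < len(data):
        width = data[i]                      # prefix length in bits
        if width > 32:
            raise ValueError(f"invalid prefix length {width} at byte {i}")
        n = (width + 7) // 8                 # significant destination octets
        if i + 1 + n + 4 > len(data):
            raise ValueError(f"truncated route entry at byte {i}")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad to 4 octets
        router = data[i + 1 + n:i + 5 + n]
        net = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(dest)}/{width}", strict=False)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
        i += 1 + n + 4
    return routes

def encode_classless_routes(routes):
    """Encode (prefix, router) pairs into IOS dotted-hex notation."""
    out = bytearray()
    for prefix, router in routes:
        net = ipaddress.IPv4Network(prefix)
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]   # only the significant octets
        out += ipaddress.IPv4Address(router).packed
    h = out.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))

if __name__ == "__main__":
    # What the posted pool actually advertises to clients.
    for prefix, router in decode_classless_routes(POSTED_OPTION):
        print(f"{prefix} via {router}")
    # Constructed sample: 10.0.0.0/8 via the pool's default-router.
    print(encode_classless_routes([("10.0.0.0/8", "10.1.1.1")]))
```

For the value in the posted pool, the decoder returns a single host route, 23.61.35.18/32 via 10.38.101.1.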

2 Replies

balaji.bandi
Hall of Fame

The user is able to authenticate, but is not getting the default on the Windows client.

Once you are connected from the Windows device, can you post ipconfig /all and route print?

BB


Sorry, I have non-English Windows. Used a translator for the output.

C:\Users\User> ipconfig /all

Configuring IP for Windows

Computer name. ... ... ... ... ... ... ... ... : DESKTOP-FMIS0NV
Primary DNS suffix. ... ... ... ... ... :
Node type. ... ... ... ... ... ... ... ... ... ... ... ... : Hybrid
IP routing is enabled. ... ... ... : Not
WINS proxy is enabled. ... ... ... ... ... ... : Not

 

Unknown VPN adapter - VPN Client:

State of the environment. ... ... ... ... ... ... ... : The transmission medium is not available.
DNS-suffix of the connection. ... ... ... ... :
Description. ... ... ... ... ... ... ... ... ... ... ... ... : VPN Client Adapter - VPN
Physical adress. ... ... ... ... ... ... ... ... : 5E-CB-7F-04-21-F2
DHCP is enabled. ... ... ... ... ... ... ... ... ... ... : Yes
Auto tuning is enabled. ... ... ... ... ... : Yes

 

Ethernet adapter Ethernet:

State of the environment. ... ... ... ... ... ... ... : The transmission medium is not available.
DNS-suffix of the connection. ... ... ... ... :
Description. ... ... ... ... ... ... ... ... ... ... ... ... : Realtek PCIe GbE Family Controller
Physical adress. ... ... ... ... ... ... ... ... : F4-30-B9-8B-3C-23
DHCP is enabled. ... ... ... ... ... ... ... ... ... ... : Not
Auto tuning is enabled. ... ... ... ... ... : Yes

 

Wireless LAN adapter LAN connection * 1:

State of the environment. ... ... ... ... ... ... ... : The transmission medium is not available.
DNS-suffix of the connection. ... ... ... ... :
Description. ... ... ... ... ... ... ... ... ... ... ... ... : Microsoft Wi-Fi Direct Virtual Adapter
Physical adress. ... ... ... ... ... ... ... ... : 88-78-73-8A-FD-69
DHCP is enabled. ... ... ... ... ... ... ... ... ... ... : Yes
Auto tuning is enabled. ... ... ... ... ... : Yes

 

Wireless LAN adapter LAN connection * 2:

State of the environment. ... ... ... ... ... ... ... : The transmission medium is not available.
DNS-suffix of the connection. ... ... ... ... :
Description. ... ... ... ... ... ... ... ... ... ... ... ... : Microsoft Wi-Fi Direct Virtual Adapter # 2
Physical adress. ... ... ... ... ... ... ... ... : 8A-78-73-8A-FD-68
DHCP is enabled. ... ... ... ... ... ... ... ... ... ... : Yes
Auto tuning is enabled. ... ... ... ... ... : Yes

 

PPP l2tp adapter:

DNS-suffix of the connection. ... ... ... ... :
Description. ... ... ... ... ... ... ... ... ... ... ... ... : l2tp
Physical adress. ... ... ... ... ... ... ... ... :
DHCP is enabled. ... ... ... ... ... ... ... ... ... ... : Not
Auto tuning is enabled. ... ... ... ... ... : Yes
IPv4 address. ... ... ... ... ... ... ... ... ... ... ... : 10.1.1.24 (Main)
Subnet mask . ... ... ... ... ... ... ... ... ... : 255.255.255.255
Main gate. ... ... ... ... ... ... ... ... :
DNS servers. ... ... ... ... ... ... ... ... ... ... : 8.8.8.8
NetBios over TCP / IP. ... ... ... ... ... ... ... : Switched on

 

Wireless LAN adapter Wireless network:

DNS-suffix of the connection. ... ... ... ... :
Description. ... ... ... ... ... ... ... ... ... ... ... ... : Intel (R) Dual Band Wireless-AC 7265
Physical adress. ... ... ... ... ... ... ... ... : 88-78-73-8A-FD-68
DHCP is enabled. ... ... ... ... ... ... ... ... ... ... : Yes
Auto tuning is enabled. ... ... ... ... ... : Yes
Link-local IPv6 address. ... ... : fe80::85be:6a52:93ef:f46b%12 (main)
IPv4 address. ... ... ... ... ... ... ... ... ... ... ... : 192.168.53.98 (Main)
Subnet mask . ... ... ... ... ... ... ... ... ... : 255.255.255.0
The lease has been received. ... ... ... ... ... ... ... ... ... : July 1, 2021 14:59:39
The lease is about to expire. ... ... ... ... ... ... ... ... ... : July 1, 2021 15:59:38 PM
Main gate. ... ... ... ... ... ... ... ... : 192.168.53.58
DHCP server. ... ... ... ... ... ... ... ... ... ... : 192.168.53.58
IAID DHCPv6. ... ... ... ... ... ... ... ... ... ... : 92829811
DUID of DHCPv6 client. ... ... ... ... ... ... : 00-01-00-01-25-69-5D-48-F4-30-B9-8B-3C-23
DNS servers. ... ... ... ... ... ... ... ... ... ... : 8.8.8.8
NetBios over TCP / IP. ... ... ... ... ... ... ... : Switched on

 

C:\Users\User> route print
================================================== =========================
List of interfaces
11 ... 5e cb 7f 04 21 f2 ...... VPN Client Adapter - VPN
3 ... f4 30 b9 8b 3c 23 ...... Realtek PCIe GbE Family Controller
18 ... 88 78 73 8a fd 69 ...... Microsoft Wi-Fi Direct Virtual Adapter
9 ... 8a 78 73 8a fd 68 ...... Microsoft Wi-Fi Direct Virtual Adapter # 2
51 ........................... l2tp
12 ... 88 78 73 8a fd 68 ...... Intel (R) Dual Band Wireless-AC 7265
1 ........................... Software Loopback Interface 1
================================================== =========================

IPv4 route table
================================================== =========================
Active routes:
Network address Network mask Gateway address Interface Metric
0.0.0.0 0.0.0.0 192.168.53.58 192.168.53.98 55
10.0.0.0 255.0.0.0 10.1.1.1 10.1.1.24 46
10.1.1.24 255.255.255.255 On-link 10.1.1.24 301
15.15.15.15 255.255.255.255 192.168.53.58 192.168.53.98 56
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.53.0 255.255.255.0 On-link 192.168.53.98 311
192.168.53.98 255.255.255.255 On-link 192.168.53.98 311
192.168.53.255 255.255.255.255 On-link 192.168.53.98 311
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.53.98 311
224.0.0.0 240.0.0.0 On-link 10.1.1.24 301
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.53.98 311
255.255.255.255 255.255.255.255 On-link 10.1.1.24 301
================================================== =========================
Permanent routes:
Network address Mask Gateway address Metric
0.0.0.0 0.0.0.0 10.1.1.1 Default
================================================== =========================

IPv6 route table
=========================