3043 Views | 0 Helpful | 2 Replies

Tunnel Internet Traffic Through L2TP/IPsec VPN on Cisco IOS router

cfabbri
Level 1

Hello:

I'm trying to set up an L2TP/IPsec VPN server on my Cisco 1921 router for use with the built-in Windows client.

I've based a router configuration off of this document here: https://community.cisco.com/t5/security-documents/l2tp-over-ipsec-on-cisco-ios-router-using-windows-8/ta-p/3142831. I can connect just fine. All of the isakmp and IPsec negotiations work. I can even access resources inside the NAT, but I cannot tunnel all my Internet traffic through the interface. I would like to have that capability.

Is it possible to tunnel all internet traffic through the router, and if so, what adjustments can I make to get that to work?

running-config:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
enable secret 5 <enable secret>
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp VPDN_AUTH local
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
!
dot11 syslog
ip source-route
!
ip cef
ip dhcp excluded-address 192.168.4.1 192.168.4.128
!
ip dhcp pool INSIDE
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
   dns-server 192.168.4.1
   domain-name <dhcp domain-name>
!
ip domain list <domain name>
ip domain name <domain name>
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
username cfabbri privilege 15 password 7 <password>
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp policy 30
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
!
crypto isakmp policy 40
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 60
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <psk-key> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-Set esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-Set2 esp-aes esp-sha-hmac
 mode transport
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface FastEthernet0/0
 ip address 192.168.3.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool vpn-pool
 ppp authentication ms-chap-v2 VPDN_AUTH
 ppp ipcp dns 192.168.4.1
 ppp ipcp route default
!
ip local pool vpn-pool 192.168.4.65 192.168.4.126
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip dns server
ip route 0.0.0.0 0.0.0.0 192.168.3.1 254
!
ip access-list extended NAT
 permit ip 192.168.4.0 0.0.0.255 any
!
control-plane
!
line con 0
 logging synchronous
line aux 0
 logging synchronous
line vty 0 4
 logging synchronous
 transport input all
line vty 5 15
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
ntp server 163.237.218.18
ntp server 204.2.134.163
ntp server 159.203.82.102
ntp server 144.34.193.110
end

Accepted Solution

cfabbri
Level 1

After trying a bunch of things, I realized I made the simplest of mistakes. I forgot to add "ip nat inside" in the virtual-template interface. I can now do full or split tunneling, depending on the client configuration. I also removed the ppp ipcp statements, as they seemed to mess with the router's default route when the VPN is activated.

running-config:

service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
enable secret 5 <enable secret>
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp VPDN_AUTH local
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
!
dot11 syslog
ip source-route
!
ip cef
ip dhcp excluded-address 192.168.4.1 192.168.4.128
!
ip dhcp pool INSIDE
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
   dns-server 192.168.4.1
   domain-name <dhcp domain-name>
!
ip domain list <domain name>
ip domain name <domain name>
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
username cfabbri privilege 15 password 7 <password>
!
redundancy
!
ip ssh version 2
!
crypto isakmp policy 10
 encr aes 256
 hash sha512
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp policy 30
 encr aes 256
 hash sha512
 authentication pre-share
 group 2
!
crypto isakmp policy 40
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 14
!
crypto isakmp policy 60
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <psk-key> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-Set esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-Set2 esp-aes esp-sha-hmac
 mode transport
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface FastEthernet0/0
 ip address 192.168.3.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map outside_map
!
interface FastEthernet0/1
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 ip nat inside
 ip virtual-reassembly in
 peer default ip address pool vpn-pool
 ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool vpn-pool 192.168.4.65 192.168.4.126
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip dns server
ip route 0.0.0.0 0.0.0.0 192.168.3.1 254
!
ip access-list extended NAT
 permit ip 192.168.4.0 0.0.0.255 any
!
control-plane
!
line con 0
 logging synchronous
line aux 0
 logging synchronous
line vty 0 4
 logging synchronous
 transport input all
line vty 5 15
 logging synchronous
 transport input all
!
scheduler allocate 20000 1000
ntp server 163.237.218.18
ntp server 204.2.134.163
ntp server 159.203.82.102
ntp server 144.34.193.110
end


2 Replies

Man, thank you. Looking at your config file I realized that I needed to add the network segment in the ACL of the WAN interface. I do appreciate your solution.
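As an added example (not code from this thread or from Cisco), here is a small Python audit that parses an IOS running-config and checks the two conditions the accepted answer and the follow-up reply turn on: that the virtual-template the L2TP vpdn-group dials into carries "ip nat inside", and that the ACL used for NAT actually covers the VPN client address pool. It also flags "ppp ipcp route default", which the accepted answer removed. BEFORE_CONFIG and AFTER_CONFIG are constructed, trimmed and re-indented excerpts of the posted configs; the "ip nat inside source list NAT interface FastEthernet0/0 overload" line in the "after" sample is an assumption, since neither posted config includes it and the NAT ACL does nothing without such a statement.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample (assumption, not a verbatim copy): the parts of the
# poster's "before" config that matter here, re-indented as IOS prints them.
BEFORE_CONFIG = """\
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
!
interface FastEthernet0/0
 ip address 192.168.3.10 255.255.255.0
 ip nat outside
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/1
 peer default ip address pool vpn-pool
 ppp authentication ms-chap-v2 VPDN_AUTH
 ppp ipcp dns 192.168.4.1
 ppp ipcp route default
!
ip local pool vpn-pool 192.168.4.65 192.168.4.126
ip access-list extended NAT
 permit ip 192.168.4.0 0.0.0.255 any
"""

# Constructed "after" sample: the accepted answer's fix (ip nat inside on the
# virtual-template, ppp ipcp lines removed) plus an 'ip nat inside source'
# overload statement, assumed here because neither posted config shows it.
AFTER_CONFIG = (
    BEFORE_CONFIG
    .replace(" peer default ip address pool vpn-pool\n",
             " ip nat inside\n peer default ip address pool vpn-pool\n")
    .replace(" ppp ipcp dns 192.168.4.1\n ppp ipcp route default\n", "")
    .replace("ip access-list extended NAT\n",
             "ip nat inside source list NAT interface FastEthernet0/0 overload\n"
             "ip access-list extended NAT\n")
)


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level IOS command to its indented sub-commands (deeper
    sub-modes such as accept-dialin are flattened into the same list)."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def acl_source_networks(blocks: Dict[str, List[str]], name: str) -> List[ipaddress.IPv4Network]:
    """Source networks permitted by 'permit ip <src> [<wildcard>] any' entries."""
    nets: List[ipaddress.IPv4Network] = []
    for entry in blocks.get(f"ip access-list extended {name}", []):
        parts = entry.split()
        if len(parts) < 3 or parts[:2] != ["permit", "ip"]:
            continue
        if parts[2] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif parts[2] == "host":
            nets.append(ipaddress.IPv4Network(f"{parts[3]}/32"))
        else:
            # IOS wildcard = inverted netmask; invert explicitly so that
            # 0.0.0.0 (host) and 255.255.255.255 (any) are not misread
            netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(parts[3])))
            nets.append(ipaddress.IPv4Network(f"{parts[2]}/{netmask}", strict=False))
    return nets


def audit_l2tp_nat(config: str) -> List[str]:
    """Findings for the misconfigurations discussed in the thread; empty = pass."""
    blocks = parse_blocks(config)
    vt_nums = [sub.split()[1] for cmd, subs in blocks.items() if cmd.startswith("vpdn-group ")
               for sub in subs if re.match(r"virtual-template \d+$", sub)]
    if not vt_nums:
        return ["no vpdn-group dials in to a virtual-template"]
    vt_key = f"interface Virtual-Template{vt_nums[0]}"
    vt = blocks.get(vt_key)
    if vt is None:
        return [f"{vt_key} is referenced but not configured"]
    findings: List[str] = []
    if "ip nat inside" not in vt:
        findings.append(f"{vt_key}: missing 'ip nat inside'; decrypted client traffic is never translated towards the WAN")
    if "ppp ipcp route default" in vt:
        findings.append(f"{vt_key}: 'ppp ipcp route default' present; the thread reports it disturbing the router's default route")
    nat_stmt = next((c for c in blocks if c.startswith("ip nat inside source list ")), None)
    if nat_stmt is None:
        return findings + ["no 'ip nat inside source list ...' statement; the NAT ACL is never applied"]
    acl_name = nat_stmt.split()[5]
    pool_name = next((s.split()[-1] for s in vt if s.startswith("peer default ip address pool ")), "")
    pool = next((re.match(rf"ip local pool {re.escape(pool_name)} (\S+) (\S+)$", c)
                 for c in blocks if c.startswith(f"ip local pool {pool_name} ")), None)
    if pool is None:
        return findings + [f"{vt_key}: no resolvable client address pool"]
    nets = acl_source_networks(blocks, acl_name)
    lo, hi = int(ipaddress.IPv4Address(pool.group(1))), int(ipaddress.IPv4Address(pool.group(2)))
    uncovered = [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)
                 if not any(ipaddress.IPv4Address(i) in n for n in nets)]
    if uncovered:
        findings.append(f"ACL {acl_name} does not cover pool {pool_name} (e.g. {uncovered[0]}); those clients are not translated")
    return findings
```

Running audit_l2tp_nat(BEFORE_CONFIG) reports the missing "ip nat inside", the "ppp ipcp route default" line and the absent NAT source statement; audit_l2tp_nat(AFTER_CONFIG) returns an empty list. The pool-coverage check is what catches the case the last reply describes, where the client pool lies outside the network the ACL permits.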
