08-31-2021 01:30 PM - edited 08-31-2021 02:59 PM
Hi everyone,
I have this L2TP + IPsec configuration. I can get authentication, but I am unable to ping the internal subnet, and I cannot get a WAN connection either.
I've probably made mistakes.
Thanks for your help.
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa session-id common
clock timezone UTC 2 0
!
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.128
 default-router 10.10.10.1
 dns-server 10.10.10.1
 lease 0 2
!
login on-success log
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp-group
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
no device-tracking logging theft
!
crypto pki trustpoint TP-self-signed-4099755788
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4099755788
 revocation-check none
 rsakeypair TP-self-signed-4098
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
no license feature hseck9
license udi pid C1127X-8PLTEP sn
license boot level securityk9
license smart url https://tools.cisco.com/its/service/oddce/services/DDCEService
license smart url smart https://tools.cisco.com/its/service/oddce/services/DDCEService
license smart transport callhome
memory free low-watermark processor 71830
!
object-group network local_lan_subnets
 10.10.10.0 255.255.255.128
!
object-group network vpn_remote_subnets
 192.168.168.0 255.255.255.0
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username cisco privilege 15 secret 9 $9$.VFyVFBlpPIigk$LZM0MdxrlOUG/fz.GodgdTfnj3W2i60POesjHWIi9UcWs
username vpn password 0 1111111111
!
redundancy
 mode none
!
controller VDSL 0/3/0
 operating mode vdsl2
!
vlan internal allocation policy ascending
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 1234567890 address 0.0.0.0
!
crypto ipsec transform-set l2tp-ipsec-transport-esp esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map my-dynamic-map 1
 set nat demux
 set transform-set l2tp-ipsec-transport-esp
!
crypto map my-static-map 1 ipsec-isakmp dynamic my-dynamic-map
!
interface Loopback0
 ip address 192.168.168.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/3/0
 no ip address
 shutdown
 atm oversubscribe factor 2
!
interface Ethernet0/3/0
 no ip address
 no negotiation auto
!
interface Ethernet0/3/0.835
 encapsulation dot1Q 835
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1
 ip unnumbered Dialer1
 ip nat inside
 peer default ip address pool l2tp-pool
 ppp authentication ms-chap-v2
 ip virtual-reassembly
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
 ip tcp adjust-mss 1452
 ip virtual-reassembly
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp mtu adaptive
 ppp authentication chap pap callin
 ppp chap hostname 1234567890@alicebiz.routed
 ppp chap password 0 xxxxx
 ppp pap sent-username 1234567890@alicebiz.routed password 0 xxxxx
 ppp ipcp dns request
 crypto map my-static-map
 ip virtual-reassembly
!
ip local pool l2tp-pool 192.168.168.5 192.168.168.10
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface Dialer1
ip forward-protocol nd
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended nat-list
 10 deny ip object-group local_lan_subnets object-group vpn_remote_subnets
 20 permit ip object-group local_lan_subnets any
 30 permit ip object-group vpn_remote_subnets any
!
control-plane
!
line con 0
 stopbits 1
line vty 0 4
 login
 transport input telnet ssh
line vty 5 15
 login
 transport input telnet ssh
!
call-home
 contact-email-addr
 profile "CiscoTAC-1"
  active
  destination transport-method http
ntp master
ntp server europe.pool.ntp.org
!
end
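Independently of the connectivity problem, the posted configuration carries several settings a security reviewer would flag: 3DES for both IKE and ESP, DH group 2, a pre-shared key bound to 0.0.0.0, a local VPN user with a cleartext password, and Telnet plus plain HTTP enabled on the management plane. The following is an added example, not code from the original post or from Cisco: a small Python linter that scans an IOS-style config for exactly those line patterns. `SAMPLE_CONFIG` is a constructed excerpt of the config above with placeholder secrets, and the choice of what counts as weak (DES/3DES, DH groups 1, 2 and 5, any `username ... password` form rather than `secret`) is an assumption made here, not something the thread states. Note that for remote-access L2TP/IPsec the 0.0.0.0 key address is what lets arbitrary client addresses negotiate IKE, so that finding is a reminder to use a strong key rather than a defect in the design.

```python
"""Lint a Cisco IOS running-config for weak L2TP/IPsec and management settings.

Added example for this thread, not code from the original post: it scans the
kinds of lines visible in the configuration above for settings a security
reviewer would flag. SAMPLE_CONFIG is a constructed excerpt with placeholder
secrets; the weak-setting lists below are this example's own assumptions.
"""
import re
from typing import List, Tuple

# Constructed excerpt of the posted config (secrets replaced with placeholders).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key EXAMPLE-PSK address 0.0.0.0
!
crypto ipsec transform-set l2tp-ipsec-transport-esp esp-3des esp-sha-hmac
 mode transport
!
username admin privilege 15 secret 9 $9$placeholder
username vpn password 0 EXAMPLE-PASSWORD
!
ip http server
ip http secure-server
!
line vty 0 4
 login
 transport input telnet ssh
"""

# Assumed thresholds: single/triple DES and small MODP groups are treated as weak.
WEAK_IKE_ENC = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

Finding = Tuple[str, str]  # (what was found, offending config line)


def lint_ios_config(text: str) -> List[Finding]:
    """Return one (finding, line) pair per weak setting in an IOS-style config."""
    findings: List[Finding] = []
    section = ""  # most recent unindented command; IOS indents sub-commands by one space
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or comment separator
        indented = line.startswith(" ")
        cmd = line.strip()
        words = cmd.split()
        if not indented:
            section = cmd

        # IKEv1 policy sub-commands: cipher and Diffie-Hellman group.
        if indented and section.startswith("crypto isakmp policy") and len(words) > 1:
            if words[0] == "encryption" and words[1] in WEAK_IKE_ENC:
                findings.append(("weak IKE encryption", cmd))
            elif words[0] == "group" and words[1] in WEAK_DH_GROUPS:
                findings.append(("weak IKE DH group", cmd))

        # A pre-shared key accepted from any peer address.
        if re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0(\s|$)", cmd):
            findings.append(("wildcard pre-shared key (any source address may attempt IKE)", cmd))

        # IPsec transform set: every transform after the set name is checked.
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            for transform in words[4:]:
                if transform in WEAK_ESP:
                    findings.append(("weak IPsec transform " + transform, cmd))

        # 'username ... password' is cleartext (type 0) or reversible (type 7); 'secret' is hashed.
        if words[0] == "username" and "password" in words:
            findings.append(("local user with reversible password (use 'secret')", cmd))

        # Plaintext HTTP management; 'ip http secure-server' is a different command.
        if cmd == "ip http server":
            findings.append(("plain HTTP management server enabled", cmd))

        # Telnet permitted on a vty/console line.
        if (indented and section.startswith("line")
                and words[:2] == ["transport", "input"] and "telnet" in words[2:]):
            findings.append(("Telnet enabled on a vty line", cmd))
    return findings


if __name__ == "__main__":
    for what, where in lint_ios_config(SAMPLE_CONFIG):
        print(f"{what}: {where}")
```

Run against the excerpt it reports seven findings, one per line called out above. Because the parser only tracks one level of nesting, sub-sub-commands (such as `accept-dialin` under a `vpdn-group`) are attributed to their top-level section, which is sufficient for the checks here.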
08-31-2021 02:18 PM
"I can get authentication, but I am unable to ping the internal subnet, and I cannot get a WAN connection either."
Before I read the configuration and advise, please clarify this:
When you mention pinging the internal network, what do you mean? The local LAN from which you initiated the connection to the remote network?
Or, after connecting to the remote network, the remote LAN?
If you lose the local network after connecting the L2TP, you need a split tunnel to access local resources.
Once you clarify this, I can look at the config.
08-31-2021 02:54 PM - edited 08-31-2021 02:55 PM
I cannot ping from 10.10.10.0 to 192.168.168.0, or the reverse.
Pings from 10.10.10.0 to 8.8.8.8 keep working correctly, while I get no ping from 192.168.168.0 to 8.8.8.8.
08-31-2021 03:17 PM
Explain what the local IP is and what the remote IP is; I guess you need a split tunnel here.
08-31-2021 09:54 PM
Local IP 10.10.10.0
Remote IP 192.168.168.0
09-01-2021 12:11 AM
As per the config, you have a LAN IP address range of 10.x.x.x and a remote-access IP range of 192.168.x.x. When you connect the device, what is your local IP address before connecting to the L2TP VPN?
09-01-2021 03:09 AM
The subnet of the local IP address before the L2TP connection is 192.168.86.0.
09-01-2021 10:39 AM
L2TP + IPsec
L2TP is built between the LAC and the LNS.
IPsec can protect this point-to-point connection by configuring IPsec with a policy ACL: host "IP of the LAC initiating the L2TP" host "IP of the LNS terminating the L2TP".
So why is there no policy ACL, and why is the IPsec dynamic?
09-02-2021 01:16 PM
Thanks for the directions, but I am a novice and was unable to apply the solution. Do you have any suggestions for my configuration?
09-02-2021 02:44 PM