L2TP VPN connection won't connect

y.yoshida
Level 1

I have installed a C841M at a customer's premises and want to connect it to the customer's upstream switch and establish a VPN over the Internet.

The connections will come from my own company's office and from another company's office.

The other company wants to place a server under the C841 and be able to apply patches and so on to that server.

The other company has also given us two WAN-side addresses (primary and secondary), and they want to be able to connect from both.

The customer requests that source IPs be controlled as /32.

Customer premises

Server----C841M----upstream SW etc.~~~Internet~~~connection source

This is my first time putting configuration into a router in actual work, and I have never even tested a VPN.

Please teach me the configuration.

The config is below.

* IP addresses, hostnames, passwords, etc. are replaced with xxx. Please point it out if anything is hard to follow.

* Gi0/8 and Gi0/9 are the WAN side; Gi0/8 is currently used for production and Gi0/9 for in-house testing.

xxx#show run
Building configuration...
Current configuration : 7328 bytes
!
! Last configuration change at 10:23:01 JST Wed Jan 19 2022 by waivpn
!
version 15.6
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp
!
hostname xxx
!
boot-start-marker
boot system flash:c800m-universalk9-mz.SPA.156-2.T1.bin
boot system flash:c800m-universalk9-mz.SPA.155-3.M10.bin
boot-end-marker
!
!
logging buffered 512000
enable secret 5 $1$pkO4$F4UAGJLzBZUbPs0x9mvAs0
!
aaa new-model
!
!
aaa authentication login local_access local
aaa authentication ppp default local
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone JST 9 0
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address xxx
!
ip dhcp pool ccp-pool
import all
network xxx
default-router xxx
lease 7
!
!
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
license udi pid C841M-8X-JAIS/K9 sn xxx
!
!
archive
log config
hidekeys
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
xxx
!
object-group network vpn_remote_subnets
any
!
username xxx password 0 xxx
!
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp keepalive 3600
crypto isakmp profile sdm-ike-profile-1
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set TS1 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
!
!
!
crypto dynamic-map DYN_MAP 10
set nat demux
set transform-set TS1
!
!
crypto map CRYP_MAP 6000 ipsec-isakmp dynamic DYN_MAP
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
!
interface GigabitEthernet0/1
no ip address
!
interface GigabitEthernet0/2
no ip address
!
interface GigabitEthernet0/3
no ip address
!
interface GigabitEthernet0/4
no ip address
!
interface GigabitEthernet0/5
no ip address
!
interface GigabitEthernet0/6
no ip address
!
interface GigabitEthernet0/7
no ip address
!
interface GigabitEthernet0/8
description BackupWANDesc_
ip address xxx
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/9
description PrimaryWANDesc_
ip address xxx
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/9
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/9
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
ip address xxx
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
ip tcp adjust-mss 1412
load-interval 30
!
ip local policy route-map track-primary-if
ip local pool VPN_POOL xxx
ip default-gateway xxx
ip forward-protocol nd
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http path flash:
!
!
ip dns server
ip nat inside source list nat-list interface GigabitEthernet0/9 overload
ip nat inside source route-map nat2backup interface GigabitEthernet0/8 overload
ip nat inside source route-map nat2primary interface GigabitEthernet0/9 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/9 track 1
ip route 0.0.0.0 0.0.0.0 xxx
ip route 0.0.0.0 0.0.0.0 xxx
ip route 0.0.0.0 0.0.0.0 xxx
ip route 0.0.0.0 0.0.0.0 xxx
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/8 253
ip route 8.8.8.8 255.255.255.255 xxx
ip route 8.8.8.8 255.255.255.255 xxx
ip route 8.8.8.8 255.255.255.255 GigabitEthernet0/9
ip route xxx 255.255.0.0 xxx
ip route xxx 255.255.0.0 xxx
ip route xxx 255.255.255.0 xxx
ip route xxx 255.255.255.0 xxx
ip route xxx 255.255.255.0 xxx
ip route xxx 255.255.255.0 xxx
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/9
logging host xxx.xxx.xxx.xxx
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/9
!
route-map nat2primary permit 1
match ip address nat-list
match interface GigabitEthernet0/9
!
route-map nat2backup permit 1
match ip address nat-list
match interface GigabitEthernet0/8
!
!
tftp-server flash:cisco-config-pro-exp-admin-k9-3_5_3-ja.zip
access-list 197 permit icmp any host 8.8.8.8
!
!
!
control-plane
!
!
!
line con 0
login authentication local_access
no modem enable
line vty 0 4
privilege level 15
password xxx
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server pool.ntp.org
!
end

1 reply

Akira Muranaka
Level 8

You may have already checked this, but a VPN configuration guide is published at the links below. Please read it and try the configuration; if it still does not connect, check what error logs appear with commands such as show log, and repeat the cycle of checking the logs and correcting the configuration.

https://www.cisco.com/c/ja_jp/solutions/small-business/on-premise/product-network/product-841mj.html#~stickynav=4

https://community.cisco.com/t5/%E3%83%8D%E3%83%83%E3%83%88%E3%83%AF%E3%83%BC%E3%82%AF%E3%82%A4%E3%83%B3%E3%83%95%E3%83%A9%E3%82%B9%E3%83%88%E3%83%A9%E3%82%AF%E3%83%81%E3%83%A3-%E3%83%89%E3%82%AD%E3%83%A5%E3%83%A1%E3%83%B3%E3%83%88/%E3%83%AB%E3%83%BC%...

https://www.infraexpert.com/study/study10.html