L2TP / IPSec to Cisco router

Post by dani » Fri, 22 Apr 2005 23:40:03

Hi,

I successfully configured a Cisco router to accept VPN connections
using L2TP over IPSec. Anyway, I have some behaviour that seems
strange to me. I need to enable logging in the filtering rule that
allows incoming ESP packets. Then everything works fine. If logging is
disabled in this rule, key exchange still works fine, but the Cisco does
not respond to any ESP packets from the client anymore.

access-list 101 permit esp any host 9.9.9.9       NO RESPONSE FROM CISCO TO ESP PACKETS FROM CLIENT

access-list 101 permit esp any host 9.9.9.9 log   WORKS FINE

Any ideas???


L2TP / IPSec to Cisco router

Post by liminas_L » Sat, 23 Apr 2005 17:09:46


Can you share your configuration, as has been asked from time to time on this
group?


L2TP / IPSec to Cisco router

Post by dani » Sat, 23 Apr 2005 23:26:32


Here's the Cisco config (relevant parts):

!----------------------------------------------------------------------------
!version 12.2

hostname Cisco
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp vpdn group radius
aaa authorization network default group radius
aaa session-id common
ip subnet-zero
no ip source-route
!
vpdn enable
!
vpdn-group l2tpvpn
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
no ftp-server write-enable
!
!
crypto ca trustpoint NetworklabDemoCA
 enrollment mode ra
 enrollment url http://172.16.4.1:80/certsrv/mscep/mscep.dll
 serial-number
 ip-address 192.168.0.2
 revocation-check none
!
!
crypto ca certificate chain NetworklabDemoCA
 certificate 61F92209000000000019
  3082066B ........AE1F8E
  quit
 certificate ca 2927890E737263A64AF4E05E58515BF4
  308204A2 ........4861
  quit
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
!
crypto ipsec transform-set esp-3des-sha-tunnel esp-3des esp-sha-hmac
!
crypto dynamic-map dynvpn 1
 set transform-set esp-3des-sha-tunnel
 set pfs group2
 match address 130
!
!
crypto map extmap 1 ipsec-isakmp dynamic dynvpn
!
!
interface FastEthernet0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 9.9.9.9 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map extmap
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool vpnpool
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2 vpdn
!
interface Vlan1
 description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.2 255.255.255.0
 ip access-group 100 in
 ip access-group sdm_vlan1_out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool vpnpool 10.10.10.0 10.10.10.7
ip classless
ip route 0.0.0.0 0.0.0.0 9.9.9.8
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended sdm_vlan1_out
 remark SDM_ACL Category=1
 remark RDP
 permit ip 10.10.10.0 0.0.0.7 host 192.168.0.1
 permit tcp 10.10.10.0 0.0.0.7 host 192.168.0.1 eq 3389
 deny   ip any any
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 9.9.9.0 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 192.168.0.1 eq 3389 10.10.10.0 0.0.0.7 log
access-list 100 permit ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq isakmp host 9.9.9.9 eq isakmp
access-list 101 permit esp any host 9.9.9.9 log
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 9.9.9.9 echo-reply
access-list 101 permit icmp any host 9.9.9.9 time-exceeded
access-list 101 permit icmp any host 9.9.9.9 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 130 remark SDM_ACL Category=20
access-list 130 permit udp host 9.9.9.9 any eq 1701
access-list 130 permit udp any eq 1701 host 9.9.9.9
no cdp run
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 13171634946917212E3D
radius-server authorization permit missing Service-Type
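Added example, not from the thread and not a Cisco tool: a small Python evaluator for the numbered-ACL syntax used in the config above (the "any", "host" and wildcard address forms, "eq" ports, and the optional "log" keyword). It reproduces the router's first-match order and implicit deny, so you can check which line of access-list 101 a given VPN packet hits and whether that line logs. The client address 203.0.113.10 is constructed; ACL_101 is the VPN-relevant subset of the posted list.

```python
import ipaddress

# Constructed: the VPN-relevant lines of the thread's outside ACL 101, in
# router evaluation order (the "log" keyword is what the first post toggles).
ACL_101 = [
    "access-list 101 permit udp any eq isakmp host 9.9.9.9 eq isakmp",
    "access-list 101 permit esp any host 9.9.9.9 log",
    "access-list 101 deny   ip 192.168.0.0 0.0.0.255 any",
    "access-list 101 deny   ip any any",
]
NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}

def parse_addr(t):
    # IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD -> (network, rest)
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    # ipaddress accepts an IOS-style wildcard as a hostmask after the slash
    return ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False), t[2:]

def parse_port(t):
    if t and t[0] == "eq":
        return NAMED_PORTS.get(t[1], int(t[1]) if t[1].isdigit() else t[1]), t[2:]
    return None, t

def parse_rule(line):
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
        return None  # remarks and anything that is not an ACE are skipped
    src, rest = parse_addr(t[4:])
    sport, rest = parse_port(rest)
    dst, rest = parse_addr(rest)
    dport, rest = parse_port(rest)
    return dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst,
                dport=dport, log="log" in rest, text=" ".join(t))

def matches(r, pkt):
    return (r["proto"] in ("ip", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["sport"] in (None, pkt.get("sport"))
            and r["dport"] in (None, pkt.get("dport")))

def evaluate(acl, pkt):
    # First match wins; a packet matching nothing hits the implicit deny.
    for r in filter(None, map(parse_rule, acl)):
        if matches(r, pkt):
            return r["action"], r["log"], r["text"]
    return "deny", False, "implicit deny"
```

Call evaluate(ACL_101, dict(proto="esp", src="203.0.113.10", dst="9.9.9.9")) to see the ESP line match with log enabled; a NAT-T packet (udp 4500) from the same client falls through to the final deny, which is worth knowing before a client behind NAT is blamed for a non-working tunnel.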