From: Rob on 27 May 2010 11:10

As I want to migrate our teleworkers from PPTP to L2TP/IPsec I added config for L2TP/IPsec to our router. (IOS 12.4)

It was quite easy to get this going, by adding to the existing config:

> vpdn-group 2
> ! Default L2TP VPDN group
>  accept-dialin
>   protocol l2tp
>   virtual-template 1
>  no l2tp tunnel authentication
> !
> crypto dynamic-map vpn-dynamic 10
>  description Dynamic map for L2TP
>  set nat demux
>  set security-association lifetime seconds 28800
>  set transform-set 3des-sha-transp 3des-md5-transp
>  match address vpn-dynamic
> crypto map vpn-4 10 ipsec-isakmp dynamic vpn-dynamic
> ip access-list extended vpn-dynamic
>  permit ip host xx.xx.xx.xx any

This worked okay, but because of the access-list the router would no longer accept the PPTP connections, because they match with the access list and messages %CRYPTO-4-RECVD_PKT_NOT_IPSEC are logged.

Ok. Back to the drawing board. So I added a secondary IP address to the outside interface:

ip address xx.xx.xx.yy 255.255.255.240 secondary

This address is within our allocated subnet and it routes OK. I changed the access-list above to reflect the new router address and then the original PPTP mode works OK again. But the L2TP/IPsec on the new address does not work...

When I trace the external traffic I see:

16:51:20.574373 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.583783 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.593903 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.715780 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.870256 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.882573 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.986369 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.991128 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:21.146567 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:21.156630 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Informational
16:51:21.763894 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:23.763766 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:27.764078 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode

The Main Mode exchange is OK, but the router does not reply to the Quick Mode packets. The following message is then logged:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 188.90.232.174

What could it be? Should it be possible to set up L2TP/IPsec on a secondary address of the external interface? I don't see any mention of the router address anywhere in the config for this feature except in the access list used for the crypto map, and that one I have updated... I'm puzzled.
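The failure signature in the trace above (Main Mode completes in both directions, then the peer retransmits Quick Mode with doubling intervals and the router answers only with an Informational) can be picked out of a tcpdump-style ISAKMP summary automatically. The script below is an added example, not part of the original post; the trace it parses is a constructed sample in the same layout, and `xx.xx.xx.yy` stands in for the router's secondary address as in the post.

```python
import re

# Constructed sample in the tcpdump-style layout quoted in the post above
# (peer address as in the post; xx.xx.xx.yy is the router's secondary address).
SAMPLE_TRACE = """\
16:51:20.574373 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.583783 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.870256 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.882573 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.986369 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.991128 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:21.146567 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:21.156630 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Informational
16:51:21.763894 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:23.763766 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:27.764078 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
"""

LINE_RE = re.compile(r"^(\d+):(\d+):(\d+\.\d+)\s+(\S+)\s+->\s+(\S+)\s+ISAKMP\s+(.+?)\s*$")

def parse_trace(text):
    """Parse ISAKMP summary lines into (seconds_of_day, src, dst, exchange) tuples."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mnt, s, src, dst, kind = m.groups()
            out.append((int(h) * 3600 + int(mnt) * 60 + float(s), src, dst, kind))
    return out

def diagnose(records, router):
    """Judge the IKE negotiation towards `router`: did Phase 1 complete, and did
    the router ever answer the peer's Phase 2 (Quick Mode) proposals?"""
    mm_in = sum(1 for _, s, d, k in records if d == router and "Main Mode" in k)
    mm_out = sum(1 for _, s, d, k in records if s == router and "Main Mode" in k)
    qm_in = [t for t, s, d, k in records if d == router and k == "Quick Mode"]
    qm_out = sum(1 for _, s, d, k in records if s == router and k == "Quick Mode")
    # Gaps between the peer's Quick Mode attempts: a doubling series means the
    # peer is retransmitting into silence rather than renegotiating.
    gaps = [round(b - a, 1) for a, b in zip(qm_in, qm_in[1:])]
    if mm_in and mm_out and qm_in and not qm_out:
        verdict = "phase1-ok-phase2-unanswered"  # matches the post's symptom
    elif qm_out:
        verdict = "phase2-answered"
    else:
        verdict = "phase1-incomplete"
    return {"verdict": verdict, "main_mode": (mm_in, mm_out),
            "quick_mode_attempts": len(qm_in), "quick_mode_replies": qm_out,
            "retransmit_gaps": gaps}

if __name__ == "__main__":
    print(diagnose(parse_trace(SAMPLE_TRACE), "xx.xx.xx.yy"))
```

A "phase1-ok-phase2-unanswered" verdict with 0.6/2/4 second gaps points at the responder rejecting the Phase 2 proposal (here, a crypto map binding that does not cover the secondary address) rather than at a reachability or Phase 1 policy problem.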
From: Rob on 28 May 2010 09:35

Rob <nomail(a)example.com> wrote:
> As I want to migrate our teleworkers from PPTP to L2TP/IPsec
> I added config for L2TP/IPsec to our router.
> (IOS 12.4)

In the meantime I got it working by using "l2tp security crypto-profile" instead of a static crypto map with match address.