L2TP / IPSec to Cisco router

daniel (Guest), 04-21-2005
Hi,

I successfully configured a Cisco router to accept VPN connections
using L2TP over IPsec. Anyway, I have some behaviour that seems
strange to me. I need to enable logging in the filtering rule that
allows incoming ESP packets. Then everything works fine. If logging is
disabled in this rule, key exchange still works fine but the Cisco does
not respond to any ESP packets from the client anymore.

access-list 101 permit esp any host 9.9.9.9        -> no response from Cisco to ESP packets from client
access-list 101 permit esp any host 9.9.9.9 log    -> works fine


Any ideas???
liminas_LT (Guest), 04-22-2005
Can you share your configuration, as has been asked from time to time on this
group?
daniel (Guest), 04-22-2005
Here's the Cisco config (relevant parts):

!----------------------------------------------------------------------------
!version 12.2

hostname Cisco
!
aaa new-model
!
aaa authentication login default local
aaa authentication ppp vpdn group radius
aaa authorization network default group radius
aaa session-id common
ip subnet-zero
no ip source-route
!
vpdn enable
!
vpdn-group l2tpvpn
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
no ftp-server write-enable
!
!
crypto ca trustpoint NetworklabDemoCA
enrollment mode ra
enrollment url http://172.16.4.1:80/certsrv/mscep/mscep.dll
serial-number
ip-address 192.168.0.2
revocation-check none
!
!
crypto ca certificate chain NetworklabDemoCA
certificate 61F92209000000000019
3082066B ........AE1F8E
quit
certificate ca 2927890E737263A64AF4E05E58515BF4
308204A2 ........4861
quit
!
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set esp-3des-sha-tunnel esp-3des esp-sha-hmac
!
crypto dynamic-map dynvpn 1
set transform-set esp-3des-sha-tunnel
set pfs group2
match address 130
!
!
crypto map extmap 1 ipsec-isakmp dynamic dynvpn
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$
ip address 9.9.9.9 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map extmap
!
interface Virtual-Template1
ip unnumbered FastEthernet0
peer default ip address pool vpnpool
ppp encrypt mppe 128
ppp authentication ms-chap-v2 vpdn
!
interface Vlan1
description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.0.2 255.255.255.0
ip access-group 100 in
ip access-group sdm_vlan1_out out
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool vpnpool 10.10.10.0 10.10.10.7
ip classless
ip route 0.0.0.0 0.0.0.0 9.9.9.8
ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended sdm_vlan1_out
remark SDM_ACL Category=1
remark RDP
permit ip 10.10.10.0 0.0.0.7 host 192.168.0.1
permit tcp 10.10.10.0 0.0.0.7 host 192.168.0.1 eq 3389
deny ip any any
logging trap debugging
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 9.9.9.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 192.168.0.1 eq 3389 10.10.10.0 0.0.0.7 log
access-list 100 permit ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any eq isakmp host 9.9.9.9 eq isakmp
access-list 101 permit esp any host 9.9.9.9 log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 9.9.9.9 echo-reply
access-list 101 permit icmp any host 9.9.9.9 time-exceeded
access-list 101 permit icmp any host 9.9.9.9 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 130 remark SDM_ACL Category=20
access-list 130 permit udp host 9.9.9.9 any eq 1701
access-list 130 permit udp any eq 1701 host 9.9.9.9
no cdp run
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 13171634946917212E3D
radius-server authorization permit missing Service-Type
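As an added example (not part of this thread, and not daniel's configuration or any Cisco tool), here is a small Python model of IOS numbered-ACL first-match evaluation, run over the access-list 101 and 130 lines from the posted config. The client address 203.0.113.5 is a constructed placeholder; only the IOS keywords that actually occur in those lines (any, host, wildcard masks, eq, the named port isakmp, the three ICMP type names, log) are modelled, and the model assumes contiguous wildcard masks. Run against the flows an L2TP/IPsec client produces, it shows three things that can be read straight off the ACL text: the `log` keyword plays no part in whether the ESP line matches; the ESP permit sits above the anti-spoofing denies, so an ESP packet with a spoofed private source passes the ACL and only the interface's `ip verify unicast reverse-path` would catch it; and plaintext L2TP (UDP 1701) to 9.9.9.9 is denied by ACL 101 and is matched only by ACL 130, the crypto map's match list.

```python
import ipaddress

# Constructed copy of the access-list 101 and 130 lines from the posted config.
ACL_TEXT = """
access-list 101 permit udp any eq isakmp host 9.9.9.9 eq isakmp
access-list 101 permit esp any host 9.9.9.9 log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host 9.9.9.9 echo-reply
access-list 101 permit icmp any host 9.9.9.9 time-exceeded
access-list 101 permit icmp any host 9.9.9.9 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 130 remark SDM_ACL Category=20
access-list 130 permit udp host 9.9.9.9 any eq 1701
access-list 130 permit udp any eq 1701 host 9.9.9.9
"""
# Only the IOS keywords that occur in the config above are modelled (assumption).
PORT_NAMES = {"isakmp": 500}
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A wildcard' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a contiguous wildcard (host mask) in place of a prefix length
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def _port(tok, i):
    """Parse an optional 'eq <port>' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_acls(text):
    """Return {acl number: [ACEs in configured order]}; remark lines are skipped."""
    acls = {}
    for raw in text.strip().splitlines():
        tok = raw.split()
        if tok[0] != "access-list" or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        icmp_type = None
        if tok[3] == "icmp" and i < len(tok) and tok[i] in ICMP_TYPES:
            icmp_type, i = ICMP_TYPES[tok[i]], i + 1
        acls.setdefault(tok[1], []).append(dict(
            action=tok[2], proto=tok[3], src=src, sport=sport, dst=dst,
            dport=dport, icmp_type=icmp_type, log="log" in tok[i:], text=raw))
    return acls

def packet(proto, src, dst, sport=None, dport=None, icmp_type=None):
    return dict(proto=proto, src=ipaddress.ip_address(src), sport=sport,
                dst=ipaddress.ip_address(dst), dport=dport, icmp_type=icmp_type)

def evaluate(acl, pkt):
    """First matching ACE wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if pkt["src"] not in ace["src"] or pkt["dst"] not in ace["dst"]:
            continue
        if ace["sport"] is not None and ace["sport"] != pkt["sport"]:
            continue
        if ace["dport"] is not None and ace["dport"] != pkt["dport"]:
            continue
        if ace["icmp_type"] is not None and ace["icmp_type"] != pkt["icmp_type"]:
            continue
        return ace["action"], ace["text"]  # the 'log' flag plays no part in matching
    return "deny", "implicit deny ip any any"

ACLS = parse_acls(ACL_TEXT)
CLIENT = "203.0.113.5"  # constructed placeholder for the VPN client's public address
ROUTER = "9.9.9.9"      # WAN address from the posted config

def check_vpn_flows():
    """Map each flow an L2TP/IPsec client produces to (action, matching ACE text)."""
    l2tp = packet("udp", CLIENT, ROUTER, sport=1701, dport=1701)
    flows = {
        "isakmp_udp500": packet("udp", CLIENT, ROUTER, sport=500, dport=500),
        "esp_from_client": packet("esp", CLIENT, ROUTER),
        "esp_spoofed_rfc1918_src": packet("esp", "10.10.10.5", ROUTER),
        "l2tp_plaintext_vs_acl101": l2tp,
    }
    results = {name: evaluate(ACLS["101"], p) for name, p in flows.items()}
    results["l2tp_vs_crypto_match_130"] = evaluate(ACLS["130"], l2tp)
    return results
```

Calling check_vpn_flows() returns, for each labelled flow, the action and the exact ACE that decided it, so a reviewer can see which line of an inbound interface ACL a given VPN packet lands on before changing the ACL. The model deliberately stops at ACL semantics: it says nothing about switching paths, uRPF or the crypto engine, which is where the behaviour daniel describes would have to be investigated on the router itself (for example with show access-lists hit counts).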