how to do both PPTP and L2TP/IPsec

Discussion in 'Cisco' started by Rob, May 27, 2010.

  1. Rob

    Rob Guest

    As I want to migrate our teleworkers from PPTP to L2TP/IPsec
    I added config for L2TP/IPsec to our router.
    (IOS 12.4)

    It was quite easy to get this going, by adding to the existing
    config:

    > vpdn-group 2
    > ! Default L2TP VPDN group
    > accept-dialin
    > protocol l2tp
    > virtual-template 1
    > no l2tp tunnel authentication
    > !


    > crypto dynamic-map vpn-dynamic 10
    > description Dynamic map for L2TP
    > set nat demux
    > set security-association lifetime seconds 28800
    > set transform-set 3des-sha-transp 3des-md5-transp
    > match address vpn-dynamic


    > crypto map vpn-4 10 ipsec-isakmp dynamic vpn-dynamic


    > ip access-list extended vpn-dynamic
    > permit ip host xx.xx.xx.xx any


    This worked okay, but because of the access-list the router
    would no longer accept the PPTP connections: they match the
    access list, and %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages are
    logged.

    Ok. Back to the drawing board.

    So I added a secondary IP address to the outside interface

    ip address xx.xx.xx.yy 255.255.255.240 secondary

    This address is within our allocated subnet and it routes OK.
    I changed the access-list above to reflect the new router address
    and then the original PPTP mode works OK again.

    But the L2TP/IPsec on the new address does not work...
    When I trace the external traffic I see:

    16:51:20.574373 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
    16:51:20.583783 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
    16:51:20.593903 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
    16:51:20.715780 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
    16:51:20.870256 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
    16:51:20.882573 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
    16:51:20.986369 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
    16:51:20.991128 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
    16:51:21.146567 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
    16:51:21.156630 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Informational
    16:51:21.763894 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
    16:51:23.763766 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
    16:51:27.764078 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode

    The Main Mode exchange is OK, but the router does not reply to the Quick Mode packets.

    The following message is then logged:
    %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 188.90.232.174

    What could it be?
    Should it be possible to set up L2TP/IPsec on a secondary address of the
    external interface?
    I don't see any mention of the router address anywhere in the config for
    this feature except in the access list used for the crypto map, and that one
    I have updated...
    I'm puzzled.
    Rob, May 27, 2010
    #1

  2. Rob

    Rob Guest

    Rob <> wrote:
    > As I want to migrate our teleworkers from PPTP to L2TP/IPsec
    > I added config for L2TP/IPsec to our router.
    > (IOS 12.4)


    In the meantime I got it working by using "l2tp security crypto-profile"
    instead of a static crypto map with match address.
    Rob, May 28, 2010
    #2
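    A configuration along the lines of the fix in reply #2, as an added example and not the poster's own config: L2TP/IPsec is bound to the VPDN group through a crypto profile, so no "match address" ACL claims the clear-text PPTP traffic (TCP 1723 and GRE) arriving on the same outside address. The ISAKMP policy, pre-shared key, pool, inside interface and profile names are assumptions; vpdn-group 2, virtual-template 1 and the 3des-sha-transp transform set are the names from the thread.

    ```cisco
    ! Added example, not the poster's running config.
    ! Phase 1 settings are assumed; a wildcard PSK is what road-warrior
    ! L2TP/IPsec clients normally need, so anyone holding it can start IKE.
    crypto isakmp policy 10
     encryption 3des
     hash sha
     authentication pre-share
     group 2
    crypto isakmp key <PRESHARED-KEY-PLACEHOLDER> address 0.0.0.0 0.0.0.0
    !
    ! L2TP/IPsec clients use transport mode: the ESP only wraps UDP 1701.
    crypto ipsec transform-set 3des-sha-transp esp-3des esp-sha-hmac
     mode transport
    !
    ! Profile instead of a dynamic crypto map with "match address":
    ! the selector comes from the L2TP session itself, so nothing in the
    ! clear (PPTP) is matched and %CRYPTO-4-RECVD_PKT_NOT_IPSEC stops.
    crypto ipsec profile l2tp-ipsec
     set transform-set 3des-sha-transp
    !
    vpdn enable
    !
    ! Legacy PPTP stays available during the migration.
    vpdn-group 1
     accept-dialin
      protocol pptp
      virtual-template 1
    !
    ! L2TP group from the thread, now tied to the crypto profile.
    vpdn-group 2
     accept-dialin
      protocol l2tp
      virtual-template 1
     no l2tp tunnel authentication
     l2tp security crypto-profile l2tp-ipsec
    !
    ip local pool VPN-POOL 10.10.10.10 10.10.10.50
    !
    ! Shared PPP template; MS-CHAPv2 is required for MPPE on the PPTP side.
    interface Virtual-Template1
     ip unnumbered GigabitEthernet0/1
     peer default ip address pool VPN-POOL
     ppp authentication ms-chap-v2
     ppp encrypt mppe auto
    ```

    Whether the outside interface still needs the existing "crypto map vpn-4" applied for IKE to be processed depends on the IOS release (assumption); if it stays, the "match address vpn-dynamic" line in the dynamic map entry is what should go.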
