L2TP / IPSec to Cisco router

Discussion in 'Cisco' started by daniel, Apr 21, 2005.

  1. daniel

    daniel Guest

    Hi,

    I successfully configured a Cisco router to accept VPN connections
    using L2TP over IPSec. Anyway, I have some behaviour that seems
    strange to me. I need to enable logging in the filtering rule that
    allows incoming ESP packets. Then everything works fine. If logging is
    disabled in this rule, key exchange still works fine, but the Cisco does
    not respond to any ESP packets from the client anymore.

    access-list 101 permit esp any host 9.9.9.9
      -> NO RESPONSE FROM CISCO TO ESP PACKETS FROM CLIENT

    access-list 101 permit esp any host 9.9.9.9 log
      -> WORKS FINE


    Any ideas???
    daniel, Apr 21, 2005
    #1

  2. liminas_LT

    liminas_LT Guest

    Can you share your configuration, as is asked from time to time on this
    group?
    liminas_LT, Apr 22, 2005
    #2

  3. daniel

    daniel Guest

    Here's the Cisco config (relevant parts):

    !----------------------------------------------------------------------------
    !version 12.2

    hostname Cisco
    !
    aaa new-model
    !
    aaa authentication login default local
    aaa authentication ppp vpdn group radius
    aaa authorization network default group radius
    aaa session-id common
    ip subnet-zero
    no ip source-route
    !
    vpdn enable
    !
    vpdn-group l2tpvpn
    ! Default L2TP VPDN group
    accept-dialin
    protocol l2tp
    virtual-template 1
    no l2tp tunnel authentication
    !
    no ftp-server write-enable
    !
    !
    crypto ca trustpoint NetworklabDemoCA
    enrollment mode ra
    enrollment url http://172.16.4.1:80/certsrv/mscep/mscep.dll
    serial-number
    ip-address 192.168.0.2
    revocation-check none
    !
    !
    crypto ca certificate chain NetworklabDemoCA
    certificate 61F92209000000000019
    3082066B ........AE1F8E
    quit
    certificate ca 2927890E737263A64AF4E05E58515BF4
    308204A2 ........4861
    quit
    !
    !
    crypto isakmp policy 1
    encr 3des
    group 2
    !
    !
    crypto ipsec transform-set esp-3des-sha-tunnel esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynvpn 1
    set transform-set esp-3des-sha-tunnel
    set pfs group2
    match address 130
    !
    !
    crypto map extmap 1 ipsec-isakmp dynamic dynvpn
    !
    !
    interface FastEthernet0
    description $FW_OUTSIDE$$ETH-WAN$
    ip address 9.9.9.9 255.255.255.0
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    crypto map extmap
    !
    interface Virtual-Template1
    ip unnumbered FastEthernet0
    peer default ip address pool vpnpool
    ppp encrypt mppe 128
    ppp authentication ms-chap-v2 vpdn
    !
    interface Vlan1
    description $FW_INSIDE$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 192.168.0.2 255.255.255.0
    ip access-group 100 in
    ip access-group sdm_vlan1_out out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    ip local pool vpnpool 10.10.10.0 10.10.10.7
    ip classless
    ip route 0.0.0.0 0.0.0.0 9.9.9.8
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    !
    ip access-list extended sdm_vlan1_out
    remark SDM_ACL Category=1
    remark RDP
    permit ip 10.10.10.0 0.0.0.7 host 192.168.0.1
    permit tcp 10.10.10.0 0.0.0.7 host 192.168.0.1 eq 3389
    deny ip any any
    logging trap debugging
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 9.9.9.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 192.168.0.1 eq 3389 10.10.10.0 0.0.0.7 log
    access-list 100 permit ip any any log
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit udp any eq isakmp host 9.9.9.9 eq isakmp
    access-list 101 permit esp any host 9.9.9.9 log
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit icmp any host 9.9.9.9 echo-reply
    access-list 101 permit icmp any host 9.9.9.9 time-exceeded
    access-list 101 permit icmp any host 9.9.9.9 unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    access-list 130 remark SDM_ACL Category=20
    access-list 130 permit udp host 9.9.9.9 any eq 1701
    access-list 130 permit udp any eq 1701 host 9.9.9.9
    no cdp run
    !
    radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 key 7 13171634946917212E3D
    radius-server authorization permit missing Service-Type
    daniel, Apr 22, 2005
    #3