Setup VPN for Cisco VPN client, L2TP and static VPN tunnels

Gerald Vogt
Level 3

I am trying to add L2TP to an existing Cisco 1812 router configuration to allow standard Windows/Mac/iPhone L2TP clients to connect to the LAN. Currently the router is configured for incoming Cisco VPN Client connections and also has two static IPsec tunnels set up.

The starting point is basically this isakmp/ipsec configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key key1 address 1.2.3.4 no-xauth
crypto isakmp key key2 address 2.3.4.5 no-xauth
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpngroup
 key key3
 dns 10.0.0.3
 wins 10.0.0.3
 pool dynpool
 acl 150
!
!
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
crypto ipsec transform-set 3DEStu esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set transform1
!
!
crypto map map11 client authentication list userlist
crypto map map11 isakmp authorization list vpngroup
crypto map map11 client configuration address respond
crypto map map11 11 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set transform1
 set pfs group1
 match address 111
crypto map map11 20 ipsec-isakmp
 set peer 2.3.4.5
 set transform-set 3DEStu
 match address 141
crypto map map11 30 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
 keepalive 10 3
 tunnel source Dialer0
 tunnel destination 1.2.3.4
 crypto map map11
!
interface Tunnel1
 ip address 3.4.5.6 255.255.255.252
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1420
 no ip mroute-cache
 keepalive 10 3
 tunnel source Dialer0
 tunnel destination 2.3.4.5
 crypto map map11
!

Dialer0 is the internet connection and also has map11 set.

interface Dialer0
 ...
 crypto map map11
!

So far it is working fine. Now I have to support incoming L2TP connections in this configuration. I roughly followed this document:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/pt_wnlns.html#wp1060936

and added

vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 ip pmtu
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key key4
!
crypto ipsec transform-set esp-3des-sha-transport esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map dynmap 20
 set nat demux
 set transform-set esp-3des-sha-transport
!

This adds the L2TP transport to the existing dynmap. However, it does not work. From the debug output I gather that it refuses the incoming connections because of the missing XAUTH. It is unclear to me how to allow incoming connections with L2TP without XAUTH while still having other incoming connections with the Cisco VPN Client using XAUTH. All L2TP examples I have found on cisco.com only set up L2TP alone, not in combination with other incoming client connections or other static VPN tunnels.

Can someone point me in the right direction, or does anyone even have a working example with static VPN tunnels and incoming L2TP?

1 Reply

Gerald Vogt
Level 3

I think I have got closer now. The current configuration looks like this:

vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 ip pmtu
!
crypto keyring L2TP
  pre-shared-key address 0.0.0.0 0.0.0.0 key key1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key key2 address 1.2.3.4 no-xauth
crypto isakmp key key3 address 2.3.4.5 no-xauth
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpngroup
 key key4
 dns 10.0.0.3
 wins 10.0.0.3
 pool dynpool
 acl 150
crypto isakmp profile ike-vpngroup-profile
   match identity group vpngroup
   client authentication list userlist
   isakmp authorization list vpngroup
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
crypto ipsec transform-set 3DEStu esp-3des esp-md5-hmac
crypto ipsec transform-set esp-3des-sha-transport esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile vpngroup
 set transform-set transform1
 set isakmp-profile ike-vpngroup-profile
!
!
crypto dynamic-map dynmap 10
 set transform-set transform1
!
crypto dynamic-map l2tpdynmap 10
 set nat demux
 set transform-set esp-3des-sha-transport
!
!
crypto map map11 11 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set transform1
 set pfs group1
 match address 111
crypto map map11 20 ipsec-isakmp
 set peer 2.3.4.5
 set transform-set 3DEStu
 match address 141
crypto map map11 30 ipsec-isakmp dynamic l2tpdynmap
!

The L2TP connection gets authenticated; however, the debug output then shows this, in particular the "map_db_find_best did not find matching map" error. Does anyone know what this error means exactly and how to fix the setup to get a working L2TP connection?

Aug 12 20:20:50: ISAKMP:(2061):Checking IPSec proposal 1
Aug 12 20:20:50: ISAKMP: transform 1, ESP_3DES
Aug 12 20:20:50: ISAKMP: attributes in transform:
Aug 12 20:20:50: ISAKMP: SA life type in seconds
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Aug 12 20:20:50: ISAKMP: SA life type in kilobytes
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
Aug 12 20:20:50: ISAKMP: encaps is 61444 (Transport-UDP)
Aug 12 20:20:50: ISAKMP: authenticator is HMAC-MD5
Aug 12 20:20:50: ISAKMP:(2061):atts are acceptable.
Aug 12 20:20:50: IPSEC(validate_proposal_request): proposal part #1
Aug 12 20:20:50: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= y.y.y.y, remote= x.x.x.x,
    local_proxy= y.y.y.y/255.255.255.255/17/1701 (type=1),
    remote_proxy= x.x.x.x/255.255.255.255/17/1701 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Aug 12 20:20:50: map_db_find_best did not find matching map
Aug 12 20:20:50: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
    {esp-3des esp-md5-hmac }
Aug 12 20:20:50: ISAKMP:(2061): IPSec policy invalidated proposal with error 256
Aug 12 20:20:50: ISAKMP:(2061): phase 2 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)
Aug 12 20:20:50: ISAKMP: set new node 1849049930 to QM_IDLE
Aug 12 20:20:50: ISAKMP:(2061):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 2214715136, message ID = 1849049930
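Added example (editorial, not part of the thread and not the poster's configuration): the debug output above is read as a phase 2 transform mismatch rather than an authentication problem. The client proposes ESP 3DES with HMAC-MD5 in transport mode (encaps "Transport-UDP", i.e. UDP-encapsulated transport for NAT traversal), but the only transport-mode transform set referenced by l2tpdynmap in the reply is esp-3des-sha-transport, so map_db_find_best has no dynamic-map entry whose transform set matches and IPsec answers PROPOSAL_NOT_CHOSEN. The fragment below shows one way to make the dynamic map accept that proposal by listing a second transport-mode transform set alongside the existing one; the name esp-3des-md5-transport is an assumption, and the other names are taken from the reply's configuration. The commands in the trailing comments are standard IOS show commands for confirming the result.

```cisco
! Added example, not the poster's configuration.
! Transport-mode transform set matching the proposal in the debug
! (esp-3des esp-md5-hmac, Transport-UDP). Name is an assumption.
crypto ipsec transform-set esp-3des-md5-transport esp-3des esp-md5-hmac
 mode transport
!
! The SHA transform set from the thread is kept unchanged.
crypto ipsec transform-set esp-3des-sha-transport esp-3des esp-sha-hmac
 mode transport
!
! A dynamic-map entry may list several transform sets; IOS accepts a
! proposal if it matches any of them, so clients offering SHA or MD5
! both find a matching map entry. "set nat demux" is kept from the thread
! so that several L2TP clients behind one NAT address can be told apart.
crypto dynamic-map l2tpdynmap 10
 set nat demux
 set transform-set esp-3des-sha-transport esp-3des-md5-transport
!
! Sequence 30 of map11 still binds the dynamic map, as in the reply.
crypto map map11 30 ipsec-isakmp dynamic l2tpdynmap
!
! Checks after a client reconnects:
!   show crypto dynamic-map              - confirms both transform sets are listed
!   show crypto ipsec sa peer x.x.x.x    - phase 2 SA should now exist for udp/1701
!   debug crypto ipsec                   - map_db_find_best should no longer fail
```

If the client platforms support it, AES with SHA transforms are the better choice; 3DES with MD5 appears here only because that is what the captured proposal contains. The Cisco VPN Client path is unaffected by this change, since it is served by the crypto ipsec profile and virtual-template 2 rather than by l2tpdynmap.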
