08-11-2008 03:02 AM - edited 02-21-2020 03:52 PM
I am trying to add L2TP to an existing Cisco 1812 router configuration to allow standard Windows/Mac/iPhone L2TP clients to connect to the LAN. Currently the router is configured for incoming Cisco VPN Client connections and also has two static IPSec tunnels set up.
The starting point is basically this isakmp/ipsec configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key key1 address 1.2.3.4 no-xauth
crypto isakmp key key2 address 2.3.4.5 no-xauth
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpngroup
key key3
dns 10.0.0.3
wins 10.0.0.3
pool dynpool
acl 150
!
!
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
crypto ipsec transform-set 3DEStu esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set transform1
!
!
crypto map map11 client authentication list userlist
crypto map map11 isakmp authorization list vpngroup
crypto map map11 client configuration address respond
crypto map map11 11 ipsec-isakmp
set peer 1.2.3.4
set transform-set transform1
set pfs group1
match address 111
crypto map map11 20 ipsec-isakmp
set peer 2.3.4.5
set transform-set 3DEStu
match address 141
crypto map map11 30 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Tunnel0
ip address 192.168.1.1 255.255.255.0
keepalive 10 3
tunnel source Dialer0
tunnel destination 1.2.3.4
crypto map map11
!
interface Tunnel1
ip address 3.4.5.6 255.255.255.252
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1420
no ip mroute-cache
keepalive 10 3
tunnel source Dialer0
tunnel destination 2.3.4.5
crypto map map11
!
Dialer0 is the internet connection and also has map11 set.
interface Dialer0
...
crypto map map11
!
So far it is working fine. Now I have to support incoming L2TP connections in this configuration. I roughly followed this document:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/pt_wnlns.html#wp1060936
and added
vpdn enable
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
ip pmtu
!
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key key4
!
crypto ipsec transform-set esp-3des-sha-transport esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dynmap 20
set nat demux
set transform-set esp-3des-sha-transport
!
This adds the L2TP transport to the existing dynmap. However, it does not work. From the debug output I gather that it refuses the incoming connections because of the missing XAUTH. It is unclear to me how to allow incoming connections with L2TP without XAUTH while still having other incoming connections with the Cisco VPN client using XAUTH. All L2TP examples I have found on cisco.com only set up L2TP alone, not in combination with other incoming client connections or other static VPN tunnels.
Can someone point me in the right direction, or does someone even have a working example with static VPN tunnels and incoming L2TP?
08-12-2008 03:30 AM
I think I got closer now. The current configuration looks like this:
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
ip pmtu
!
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key key1
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key key2 address 1.2.3.4 no-xauth
crypto isakmp key key3 address 2.3.4.5 no-xauth
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpngroup
key key4
dns 10.0.0.3
wins 10.0.0.3
pool dynpool
acl 150
crypto isakmp profile ike-vpngroup-profile
match identity group vpngroup
client authentication list userlist
isakmp authorization list vpngroup
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
crypto ipsec transform-set 3DEStu esp-3des esp-md5-hmac
crypto ipsec transform-set esp-3des-sha-transport esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile vpngroup
set transform-set transform1
set isakmp-profile ike-vpngroup-profile
!
!
crypto dynamic-map dynmap 10
set transform-set transform1
!
crypto dynamic-map l2tpdynmap 10
set nat demux
set transform-set esp-3des-sha-transport
!
!
crypto map map11 11 ipsec-isakmp
set peer 1.2.3.4
set transform-set transform1
set pfs group1
match address 111
crypto map map11 20 ipsec-isakmp
set peer 2.3.4.5
set transform-set 3DEStu
match address 141
crypto map map11 30 ipsec-isakmp dynamic l2tpdynmap
!
The L2TP connection gets authenticated; however, the debug output then shows this, in particular the "map_db_find_best did not find matching map" error. Does anyone know what this error means exactly and how to fix the setup to get a working L2TP connection?
Aug 12 20:20:50: ISAKMP:(2061):Checking IPSec proposal 1
Aug 12 20:20:50: ISAKMP: transform 1, ESP_3DES
Aug 12 20:20:50: ISAKMP: attributes in transform:
Aug 12 20:20:50: ISAKMP: SA life type in seconds
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Aug 12 20:20:50: ISAKMP: SA life type in kilobytes
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
Aug 12 20:20:50: ISAKMP: encaps is 61444 (Transport-UDP)
Aug 12 20:20:50: ISAKMP: authenticator is HMAC-MD5
Aug 12 20:20:50: ISAKMP:(2061):atts are acceptable.
Aug 12 20:20:50: IPSEC(validate_proposal_request): proposal part #1
Aug 12 20:20:50: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= y.y.y.y, remote= x.x.x.x,
local_proxy= y.y.y.y/255.255.255.255/17/1701 (type=1),
remote_proxy= x.x.x.x/255.255.255.255/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Aug 12 20:20:50: map_db_find_best did not find matching map
Aug 12 20:20:50: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
{esp-3des esp-md5-hmac }
Aug 12 20:20:50: ISAKMP:(2061): IPSec policy invalidated proposal with error 256
Aug 12 20:20:50: ISAKMP:(2061): phase 2 SA policy not acceptable! (local y.y.y.y remote x.x.x.x)
Aug 12 20:20:50: ISAKMP: set new node 1849049930 to QM_IDLE
Aug 12 20:20:50: ISAKMP:(2061):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2214715136, message ID = 1849049930
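An added Python helper (my code, not Cisco's and not from this thread) that reads the transform sets and dynamic maps out of an IOS config and the peer's Quick Mode proposal out of the IPSEC(validate_proposal_request) debug line, then reports which offered transform set, if any, the proposal could match. The sample config and debug text are constructed from the second post above, with IOS's one-space sub-command indentation restored; all function and variable names are mine. Run against that sample it makes explicit what the debug only hints at: the client proposes esp-3des esp-md5-hmac in transport mode, while l2tpdynmap only offers esp-3des esp-sha-hmac.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample from the second post's config (transform sets and the L2TP
# dynamic map only), with IOS's one-space sub-command indentation restored.
CONFIG = """\
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
crypto ipsec transform-set esp-3des-sha-transport esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map dynmap 10
 set transform-set transform1
!
crypto dynamic-map l2tpdynmap 10
 set nat demux
 set transform-set esp-3des-sha-transport
!
"""

# Constructed sample: the debug lines from the second post carrying the peer's proposal.
DEBUG = """\
Aug 12 20:20:50: IPSEC(validate_proposal_request): proposal part #1,
    protocol= ESP, transform= esp-3des esp-md5-hmac (Transport-UDP),
Aug 12 20:20:50: map_db_find_best did not find matching map
"""

TransformSet = Tuple[frozenset, str]  # (transforms, "tunnel" or "transport")


def parse_transform_sets(config: str) -> Dict[str, TransformSet]:
    """Name -> (transforms, mode). IOS defaults to tunnel mode; a non-indented line ends the block."""
    sets: Dict[str, TransformSet] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            current = m.group(1)
            sets[current] = (frozenset(m.group(2).split()), "tunnel")
        elif line.startswith(" ") and current:
            words = line.split()
            if len(words) == 2 and words[0] == "mode":
                sets[current] = (sets[current][0], words[1])
        else:
            current = None
    return sets


def parse_dynamic_maps(config: str) -> Dict[str, List[str]]:
    """Name -> transform sets offered by any sequence of that dynamic map."""
    maps: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto dynamic-map (\S+) \d+", line)
        if m:
            current = m.group(1)
            maps.setdefault(current, [])
        elif line.startswith(" ") and current:
            words = line.split()
            if words[:2] == ["set", "transform-set"]:
                maps[current].extend(words[2:])
        else:
            current = None
    return maps


# "transform= esp-3des esp-md5-hmac (Transport-UDP)" -> transforms and mode
PROPOSAL_RE = re.compile(r"transform=\s*((?:esp-\S+\s*)+)\((\w+)(?:-UDP)?\)")


def parse_proposal(debug: str) -> Optional[TransformSet]:
    """Peer's proposed ESP transforms and mode from an IPSEC(validate_proposal_request) line."""
    for line in debug.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            return frozenset(m.group(1).split()), m.group(2).lower()
    return None


def evaluate(config: str, debug: str, dynamic_map: str) -> dict:
    """Compare the proposal in `debug` with each transform set `dynamic_map` offers.

    Only transforms and mode are compared; IOS also checks proxy identities,
    PFS and lifetimes, which this report leaves out.
    """
    proposal = parse_proposal(debug)
    if proposal is None:
        raise ValueError("no ESP proposal found in debug output")
    proposed, proposed_mode = proposal
    sets = parse_transform_sets(config)
    report = {"proposed": sorted(proposed), "proposed_mode": proposed_mode,
              "offered": {}, "match": None}
    for name in parse_dynamic_maps(config).get(dynamic_map, []):
        transforms, mode = sets.get(name, (frozenset(), "undefined"))
        acceptable = transforms == proposed and mode == proposed_mode
        report["offered"][name] = {"transforms": sorted(transforms), "mode": mode,
                                   "acceptable": acceptable}
        if acceptable and report["match"] is None:
            report["match"] = name
    return report


if __name__ == "__main__":
    r = evaluate(CONFIG, DEBUG, "l2tpdynmap")
    print(f"peer proposed: {' '.join(r['proposed'])} ({r['proposed_mode']})")
    for name, info in r["offered"].items():
        verdict = "acceptable" if info["acceptable"] else "rejected"
        print(f"  {name}: {' '.join(info['transforms'])} ({info['mode']}) -> {verdict}")
    print("match:", r["match"] or "none, which is what PROPOSAL_NOT_CHOSEN reports")
```

The report covers only the transform and mode part of the crypto-map lookup, which is the part this debug snippet exposes; IOS also matches proxy identities, PFS and lifetimes before it accepts a proposal, so a match here is necessary but not sufficient. Since `set transform-set` accepts several transform sets, the natural thing to validate with this check is a dynamic map that offers an esp-3des esp-md5-hmac transport-mode set alongside the SHA one, which is exactly the transform the debug above says was "not supported for identity". Note that the first post's dynmap 20 offers the same SHA-only transport set, so the same comparison applies there once the XAUTH question is settled.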