L2TP/IPSEC VPN/NAT Issue

Unanswered Question
Nov 8th, 2008

Hello,

I am looking for assistance with the following sample configuration. My issue is that I am trying to use the native Windows XP/Vista vpn client behind a NAT device to connect to the Remote Access VPN. It works fine when the workstation has a "public" IP address in my lab scenario. Would appreciate any insights or assistance that I can get with this configuration:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 debugging
no logging console
no logging monitor
!
clock timezone Eastern -5
aaa new-model
!
aaa authentication login default local enable
aaa authentication ppp default local
aaa authorization network default if-authenticated local
aaa session-id common
ip subnet-zero
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.66.1 192.168.66.50
!
ip dhcp pool 33
 network 192.168.66.0 255.255.255.0
 default-router 192.168.66.1
!
ip audit po max-events 100
vpdn enable
!
vpdn-group tdcVPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username dude password xxx
username test password xxx
!
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key tdcVPN_vpn!! address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
 mode transport
!
crypto dynamic-map tdc 13
 set transform-set tdcset
!
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
!
interface Ethernet0/0
 description WAN
 ip address 10.179.79.2 255.255.255.252
 ip nat outside
 half-duplex
 crypto map tdcvpn
!
interface Ethernet0/1
 description LAN
 ip address 192.168.66.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool vpnpool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip local pool vpnpool 192.168.66.250 192.168.66.254
ip nat inside source list 10 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
access-list 10 permit 192.168.66.0 0.0.0.255
!

matt_fielding2002 Tue, 11/11/2008 - 12:31

A linksys befw11s4 router with VPN passthrough for IPSEC enabled. Client operating systems tested are XP SP3 and Vista Business. Neither work with the NATting.

andrew.butterworth Sun, 11/30/2008 - 05:09

Under the dynamic crypto map add the command 'set nat demux' and try that. I have a similar configuration and other than where you are pointing the authentication to (I am using an external Radius server) and pre-shared keys (I am using a certificate) that is the only difference I can see. I have tested my setup with Windows XP/2003 & Windows Mobile 5/6 clients behind a NAT router.

HTH

Andy
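As an added example (not part of this thread or from either poster), a small Python check that pulls the transform-set and dynamic-map sections out of the posted IOS config and flags settings known to break IPsec clients behind NAT: the missing `set nat demux` that Andy suggests, and the AH transform (`ah-sha-hmac`) in the original `tdcset`, since AH computes its integrity value over the outer IP header that a NAT device rewrites. The config excerpt is copied from the question; the finding wording is my own.

```python
import re

# Excerpt of the crypto section from the posted config (constructed copy,
# embedded so the check runs offline).
SAMPLE_CONFIG = """\
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
 mode transport
crypto dynamic-map tdc 13
 set transform-set tdcset
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
"""


def parse_sections(config):
    """Group IOS config into (top-level command, [indented sub-commands])."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and comment separators carry no config
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def check_nat_readiness(config):
    """Return findings that would stop L2TP/IPsec clients behind a NAT device."""
    findings = []
    for head, body in parse_sections(config):
        ts = re.match(r"crypto ipsec transform-set (\S+) (.*)", head)
        if ts:
            name, transforms = ts.group(1), ts.group(2).split()
            # AH authenticates the outer IP header; NAT rewrites it, so the
            # integrity check fails. ESP (with NAT-T) tolerates the rewrite.
            if any(t.startswith("ah-") for t in transforms):
                findings.append(f"transform-set {name}: AH transform present "
                                f"({' '.join(transforms)}); use ESP-only")
            if "mode transport" not in body:
                findings.append(f"transform-set {name}: Windows L2TP/IPsec "
                                "clients need 'mode transport'")
        dm = re.match(r"crypto dynamic-map (\S+) (\d+)", head)
        if dm and "set nat demux" not in body:
            findings.append(f"dynamic-map {dm.group(1)} {dm.group(2)}: "
                            "missing 'set nat demux' for L2TP over NAT-T")
        if head == "no crypto isakmp nat-traversal":
            findings.append("ISAKMP NAT-T disabled; clients behind NAT "
                            "cannot negotiate UDP encapsulation")
    return findings
```

Running `check_nat_readiness(SAMPLE_CONFIG)` on the posted config reports both the AH transform and the missing `set nat demux`; an ESP-only transform-set with `set nat demux` added comes back clean.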

matt_fielding2002 Mon, 12/01/2008 - 07:22

Is there any chance I could look at your configuration file? I have a version with "set nat demux" and that's not working. I know there must be some way to get this to work.

Thanks,

Matt
