L2TP/IPSEC VPN/NAT Issue

Hello,

I am looking for assistance with the following sample configuration. My issue is that I am trying to use the native Windows XP/Vista VPN client behind a NAT device to connect to the Remote Access VPN. It works fine when the workstation has a "public" IP address in my lab scenario. Would appreciate any insights or assistance that I can get with this configuration:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 512000 debugging
no logging console
no logging monitor
!
clock timezone Eastern -5
aaa new-model
!
aaa authentication login default local enable
aaa authentication ppp default local

aaa authorization network default if-authenticated local
aaa session-id common
ip subnet-zero
!
ip cef
no ip domain lookup
ip dhcp excluded-address 192.168.66.1 192.168.66.50
!
ip dhcp pool 33
 network 192.168.66.0 255.255.255.0
 default-router 192.168.66.1
!
ip audit po max-events 100
vpdn enable
!
vpdn-group tdcVPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username dude password xxx
username test password xxx
!
crypto isakmp policy 13
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key tdcVPN_vpn!! address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
 mode transport
!
crypto dynamic-map tdc 13
 set transform-set tdcset
!
crypto map tdcvpn 13 ipsec-isakmp dynamic tdc
!
interface Ethernet0/0
 description WAN
 ip address 10.179.79.2 255.255.255.252
 ip nat outside
 half-duplex
 crypto map tdcvpn
!
interface Ethernet0/1
 description LAN
 ip address 192.168.66.1 255.255.255.0
 ip nat inside
 half-duplex
!
interface Virtual-Template1
 ip unnumbered Ethernet0/1
 peer default ip address pool vpnpool
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
router eigrp 1
 network 10.0.0.0
 no auto-summary
!
ip local pool vpnpool 192.168.66.250 192.168.66.254
ip nat inside source list 10 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
access-list 10 permit 192.168.66.0 0.0.0.255
!


andrew.prince
Level 10

What is the config of the device the machine is behind?

It's easy to understand why the PC will work with a public IP. The device it is behind with a private IP needs to be NAT-T compliant, or you need to use IPsec over TCP or UDP.

HTH

A Linksys BEFW11S4 router with VPN passthrough for IPsec enabled. Client operating systems tested are XP SP3 and Vista Business. Neither works with the NATting.

Under the dynamic crypto map, add the command 'set nat demux' and try that. I have a similar configuration, and other than where you are pointing the authentication to (I am using an external RADIUS server) and pre-shared keys (I am using a certificate), that is the only difference I can see. I have tested my setup with Windows XP/2003 and Windows Mobile 5/6 clients behind a NAT router.

HTH

Andy

Is there any chance I could look at your configuration file? I have a version with "set nat demux" and that's not working. I know there must be some way to get this to work.

Thanks,

Matt
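Two settings in the posted configuration decide whether a client behind NAT can get through, and the fragment below shows the weak setting from the original post beside a corrected one. This is an added example written for this page; it is not Andy's configuration and not a Cisco reference config, and it assumes an IOS image that accepts `set nat demux` (not every 12.3 image does). The names tdcset, tdc and sequence 13 are kept from the post; everything else is an assumption. The first point is the transform set: with `ah-sha-hmac`, AH computes its integrity check over the outer IP source and destination addresses, so a NAT device that rewrites the source address breaks every packet, and IOS NAT-T (the UDP 4500 encapsulation that carries IPsec through NAT) only encapsulates ESP, never AH. That alone matches "works with a public IP, fails behind NAT". The second point is the `set nat demux` command Andy names, which lets the router tell apart more than one L2TP/IPsec client arriving from the same NAT address.

```cisco
! --- Before (as posted): AH in transport mode cannot survive address
! --- rewriting, and NAT-T will not wrap it in UDP 4500.
crypto ipsec transform-set tdcset esp-3des ah-sha-hmac
 mode transport
!
! --- After: ESP provides both encryption and integrity, and is the
! --- protocol NAT-T encapsulates. Transport mode stays, because L2TP
! --- already supplies the tunnel.
crypto ipsec transform-set tdcset esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map tdc 13
 set transform-set tdcset
 ! Demultiplex L2TP/IPsec clients that share one NAT public address
 ! (the command from Andy's reply; its placement here is this example's)
 set nat demux
!
! Optional: keep the NAT device's UDP 4500 binding alive while the
! tunnel is idle. 20 seconds is an assumed value, not from the post.
crypto isakmp nat keepalive 20
```

To check the result after a connection attempt from the client behind the Linksys, `show crypto isakmp sa detail` lists `N` in the capabilities column for a peer with which NAT-T was negotiated, and `show crypto ipsec sa` shows `UDP-Encaps` among the in-use settings of that SA; if neither appears, NAT-T was never detected and the transform set is not the only problem. The wildcard pre-shared key (`address 0.0.0.0 0.0.0.0`) is left unchanged here because L2TP/IPsec with a pre-shared key needs it for clients at unknown addresses, but it means anyone holding that one key can start IKE with the router, which is why the certificate-based authentication Andy uses is the stronger choice.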
