L2TP/IPSec Remote Access VPN

netsysadmin · ‎02-02-2010

Hi everyone,

I have a Cisco 2801 router with IOS version 12.4(3e) and C2801-ADVIPSERVICESK9-M.
I configured 2 site-to-site IPSec VPNs between the router & 2 other devices in France & Germany. Then, I configured an L2TP IPSec remote access VPN using pre-shared keys.

I used Windows Vista to connect to the router and set up an L2TP IPSec remote access VPN. Everything was working fine.

Then, one day, we needed to change the ip address of the outside interface from a public address to a private. In order to keep the 2 site-to-site VPNS working, I configured a loopback interface (Loopback0) with the old public IP address. This also worked. However, the remote access VPN is no longer working. I get an error when trying to connect.

Below are the interesting configuration extracts.

Anyone has any idea what could be wrong?

Router config:

!
aaa authentication ppp default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip source-route
ip cef
!
ip inspect name fwInternet-In tcp timeout 14400
ip inspect name fwInternet-In udp timeout 1800
ip inspect name fwInternet-In smtp
ip inspect name fwInternet-In http
ip inspect name fwInternet-In https
ip inspect name fwInternet-In ftp timeout 14400
ip inspect name fwInternet-In fragment maximum 256 timeout 1
ip inspect name fwInternet-Out tcp timeout 14400
ip inspect name fwInternet-Out udp timeout 1800
ip inspect name fwInternet-Out smtp
ip inspect name fwInternet-Out http
ip inspect name fwInternet-Out https
ip inspect name fwInternet-Out ftp timeout 14400
ip inspect name fwInternet-Out fragment maximum 256 timeout 1
vpdn enable
!
vpdn-group RAVPDN
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
username user password 7 ***
!
!
!
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key ***
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 110
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key *** address ipFrance no-xauth
crypto isakmp key *** address ipGermany no-xauth
!
!
crypto ipsec transform-set TS_esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP_TSET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set L2TP_TSET_MD5 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map RAVPN_DYNMAP 10
set nat demux
set transform-set L2TP_TSET
crypto dynamic-map RAVPN_DYNMAP 20
set nat demux
set transform-set L2TP_TSET_MD5
!
!
crypto map mapVPN local-address Loopback0
crypto map mapVPN 10 ipsec-isakmp
set peer ipFrance
set security-association lifetime seconds 43200
set transform-set TS_esp-3des-sha
set pfs group2
match address aclFrance
crypto map mapVPN 20 ipsec-isakmp
set peer ipGermany
set security-association lifetime seconds 43200
set transform-set TS_esp-3des-sha
set pfs group2
match address aclGermany
crypto map mapVPN 100 ipsec-isakmp dynamic RAVPN_DYNMAP
!
!
!
interface Loopback0
ip address ipPublic 255.255.255.248
!
interface Loopback1
ip address 10.10.10.1 255.255.255.255
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 10.0.0.1 255.255.0.0
ip access-group aclFE0/0-In in
no ip redirects
no ip proxy-arp
ip nat inside
ip inspect fwInternet-Out in
!
interface FastEthernet0/1
ip address 192.168.7.2 255.255.255.252
ip access-group aclIncoming in
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect fwInternet-In in
crypto map mapVPN
!
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool RAVPN_IPPOOL
ppp authentication chap
!
ip local pool RAVPN_IPPOOL 10.7.0.1 10.7.0.10
ip classless
no ip forward-protocol udp bootps
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 192.168.7.1
ip route 10.0.0.0 255.255.0.0 FastEthernet0/0
!
ip http access-class 1
ip nat inside source route-map nonat interface Loopback0 overload
!
ip access-list standard aclVlan0
permit 10.0.0.0 0.0.255.255
deny   any
!
ip access-list extended aclFrance
permit ip 10.6.0.0 0.0.255.255 192.168.160.0 0.0.0.255
ip access-list extended aclFE0/0-In
permit ip 10.0.0.0 0.255.255.255 10.7.0.0 0.0.255.255
permit tcp 10.0.0.0 0.0.255.255 any eq www 443
permit udp 10.0.0.0 0.0.255.255 any eq domain
deny   ip any any log
ip access-list extended aclGermany
permit ip 10.6.0.0 0.0.255.255 192.168.110.0 0.0.0.255
ip access-list extended aclIncoming
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip host 255.255.255.255 any
permit esp any host ipPublic
permit gre any host ipPublic
permit udp any host ipPublic eq isakmp non500-isakmp 1701
deny   ip any any
ip access-list extended aclNAT
deny   ip 10.6.0.0 0.0.255.255 192.168.110.0 0.0.0.255
deny   ip 10.6.0.0 0.0.255.255 192.168.160.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 any
permit ip 10.6.0.0 0.0.255.255 any
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 1 deny   any
!
route-map nonat permit 10
match ip address aclNAT
!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class aclVlan0 in
password 7 ***
transport input telnet ssh
!
!
end

parians · ‎04-30-2010

Hi,

Vista VPN not supported with Nat i.e moving public address to loopback has broken your once working config. The VPN termination must be on a public ip address of the router.

Hope this helps,

Regards,

Peter.

netsysadmin · ‎04-30-2010

Hi,

Thanks for your reply.

The interface f0/1 had a public ip address initially and the 2 site-to-site VPNs were functioning normally.

In order to reclaim wasted public IP addresses (because of subnetting), I asked the ISP to change their public IP address into a private one and I changed the IP address on interface f0/1 accordingly.

Then, I created the loopback interface and assigned it the old public IP address of the f0/1 interface and added the following line to the configuration:

crypto map mapVPN local-address Loopback0

The line above tells the router to use the IP address of interface Loopback0 to establish the VPN mapVPN.

Please note that this change did not affect the existing site-to-site VPNs.

However, the remote access VPN seems to have been affected. I'm not 100% sure that the reason for the remote access VPN not working is the change from public to private IP address.

I suppose that the line added above also tells the router to use the IP address of interface Loopback0 to establish the remote access dynamic VPN.

parians · ‎05-02-2010

Hi

Are your sure there is no NAT going on between your VPN client and the

Loopback VPN terminating point? The Microsoft Agile VPN client does not

like NAT at the router however they do have some registry settings they

may help your situation. Have a look at

http://support.microsoft.com/kb/926179

The easiest test would be to put your public address back to its original

location and see if the vpn clients can connect.

Regards,

Peter.

******************************************************************

The information contained in this e-mail and any attachments to it

may be confidential and if you are not the intended recipient, any

interference with, use, disclosure, or copying of this material is

unauthorised and prohibited. If you have received this e-mail in

error, please delete it and notify the sender.

The Reject Shop Limited. ABN 33 006 122 676