Can't browse over L2TP connection

Unanswered Question
Jul 8th, 2012

Hi guys,

Been working through this issue with support and I think we are close, but no resolution yet...

Anyways, here is the link we followed:

http://strongvpn.com/forum/viewtopic.php?id=2234

Basically, it's setting up a VPN L2TP connection to a VPN provider to gain a USA address for the virtual-ppp1 interface. So, no problem getting the tunnel up. No problem doing a ping / tracert from the various Windows clients. However, we can't browse any websites?

We sent a Wireshark dump to support for them to take a look. We can do a telnet / browse from the router and cancel it, and you can see the HTML code there, so the router can reach it. However, no go on the Windows clients?

Just thought I would see if anyone else has had this issue.

Thanks for everyone's time.

Jason Friedrich

jportugu Sat, 07/14/2012 - 13:22

Hi,

Assuming that you are tunneling all the traffic, you will need to set up a route map on the router to route all the traffic from the clients to the Internet to a loopback where the "ip nat inside" command is; the router, based on the routing table, will then send this traffic to the outside interface where the "ip nat outside" command is. This will allow the translation process, and your clients will be able to access the Internet.

The MS client is not supposed to use split tunneling, since they consider it a security risk; however, there is a way to force the client to do it, which is by clearing the "Use default gateway on remote network" checkbox.

The remote VPN server becomes the default route when the VPN connection becomes active. If you want to keep your current default route instead, you need to change the TCP/IP properties.

BTW, the route-map config looks like this:

! Loopback carrying "ip nat inside": VPN client traffic is policy-routed
! through it so it enters NAT from an inside interface before leaving Gi0/0.
interface Loopback0
 ip address 2.2.2.1 255.255.255.252
 ip nat inside
!
ip local pool my-pool 192.168.25.1 192.168.25.20
!
! Pool-to-LAN flows are denied here, i.e. NOT policy-routed (they fall
! through to normal routing); everything else from the pool is matched.
ip access-list extended VPN_INTERNET_ACCESS
 deny   ip 192.168.25.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.25.0 0.0.0.255 any
!
! 2.2.2.2 is the unused address in the Loopback0 /30; setting it as next
! hop pushes the packet through the loopback and then on to normal routing.
route-map VPN_INTERNET_ACCESS permit 10
 match ip address VPN_INTERNET_ACCESS
 set ip next-hop 2.2.2.2
!
! NAT list: LAN-to-pool traffic is excluded from translation; LAN and pool
! traffic to anything else is PATed behind Gi0/0.
ip access-list extended INTERNET_ACCESS
 deny   ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
 permit ip 192.168.1.0  0.0.0.255 any
 permit ip 192.168.25.0 0.0.0.255 any
!
ip nat inside source list INTERNET_ACCESS interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description Interface connected to the Internet
 ip address 10.1.1.1 255.255.255.224
 ip nat outside
 ip policy route-map VPN_INTERNET_ACCESS
!
interface GigabitEthernet0/1
 description LAN interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside

I hope it helps

Please rate this post if you find it helpful.

jportugu Mon, 07/16/2012 - 10:31

In addition to my previous post, please check this other option which I forgot (kinda rusty on L2TP/IPsec):

ASA intercept-dhcp:

A DHCP server does not need to be configured. The ASA intercepts the DHCPINFORM message from the L2TP client and responds with the following options:

1    Subnet Mask (from "intercept-dhcp 255.255.255.128 enable")
15   DNS Domain Name (from "split-dns value test.com")
249  Classless Static Route (Microsoft) (from the VPN_SPLIT ACL)

The configuration looks like the following:

group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SPLIT
 split-dns value test.com
 intercept-dhcp 255.255.255.128 enable ---> Same mask as in the VPN pool.
 address-pools value VPN_POOL
!
ip local pool VPN_POOL 192.168.10.1-192.168.10.126 mask 255.255.255.128
!
access-list VPN_SPLIT standard permit 192.168.15.0 255.255.255.0
access-list VPN_SPLIT standard permit 172.16.1.0 255.255.255.0

In addition uncheck the "Use default gateway on remote network" checkbox in the L2TP client settings.

Please let me know if you have any questions.

Thanks.
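Added example, not from the post or from Cisco: what the intercepted DHCPINFORM reply actually carries. Option 249 uses the RFC 3442 classless static route encoding (the same layout as option 121): one byte of prefix length, only the significant octets of the destination, then the four-byte router. The Python below builds the three options for the VPN_SPLIT networks and parses them back. The mask, domain and networks are taken from the config above; the router address 192.168.10.1 in the routes and the DHCPACK framing (magic cookie plus end option) are assumptions made for the sample.

```python
"""Added example (not from the post or from Cisco): the DHCP options the
ASA's intercept-dhcp feature returns to a Windows L2TP client, built and
parsed in Python.  Option 249 (Microsoft classless static routes) uses
the RFC 3442 layout also used by option 121.  The router address used
in the routes and the DHCPACK framing of the sample are assumptions.
"""
import ipaddress
from typing import Dict, List, Tuple

OPT_SUBNET_MASK = 1
OPT_DOMAIN_NAME = 15
OPT_MS_CLASSLESS_ROUTES = 249
OPT_END = 255
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def encode_classless_routes(routes: List[Tuple[str, str]]) -> bytes:
    """RFC 3442 encoding: prefix length, only the significant destination
    octets (ceil(prefixlen/8)), then the 4-byte router, per route."""
    out = b""
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        sig = (net.prefixlen + 7) // 8
        out += bytes([net.prefixlen])
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return out


def decode_classless_routes(body: bytes) -> List[Tuple[str, str]]:
    """Inverse of encode_classless_routes; rejects malformed input rather
    than silently installing a partial route."""
    routes: List[Tuple[str, str]] = []
    i = 0
    while i < len(body):
        plen = body[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        sig = (plen + 7) // 8
        dest = body[i:i + sig]
        router = body[i + sig:i + sig + 4]
        if len(dest) != sig or len(router) != 4:
            raise ValueError("truncated route entry")
        i += sig + 4
        net = ipaddress.IPv4Network((dest.ljust(4, b"\x00"), plen), strict=True)
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes


def encode_option(code: int, body: bytes) -> bytes:
    """One DHCP option TLV: code, length, body (1..255 bytes)."""
    if not 0 < len(body) <= 255:
        raise ValueError("option body must be 1..255 bytes")
    return bytes([code, len(body)]) + body


def build_intercept_reply(mask: str, domain: str,
                          routes: List[Tuple[str, str]]) -> bytes:
    """Options area of the reply to DHCPINFORM, mirroring the post: mask
    from 'intercept-dhcp', domain from 'split-dns', routes from the
    split-tunnel ACL.  Framing (cookie + end option) is an assumption."""
    return (DHCP_MAGIC_COOKIE
            + encode_option(OPT_SUBNET_MASK, ipaddress.IPv4Address(mask).packed)
            + encode_option(OPT_DOMAIN_NAME, domain.encode("ascii"))
            + encode_option(OPT_MS_CLASSLESS_ROUTES, encode_classless_routes(routes))
            + bytes([OPT_END]))


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the TLV option list; pad (0) is skipped, end (255) stops."""
    if blob[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts: Dict[int, bytes] = {}
    i = 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        body = blob[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated option")
        opts[code] = body
        i += 2 + length
    return opts


# Networks from the ASA config in the post; the next hop is an assumption.
VPN_SPLIT_ROUTES = [("192.168.15.0/24", "192.168.10.1"),
                    ("172.16.1.0/24", "192.168.10.1")]

if __name__ == "__main__":
    reply = build_intercept_reply("255.255.255.128", "test.com", VPN_SPLIT_ROUTES)
    opts = parse_options(reply)
    print(opts[OPT_SUBNET_MASK].hex(), opts[OPT_DOMAIN_NAME].decode())
    print(decode_classless_routes(opts[OPT_MS_CLASSLESS_ROUTES]))
```

The decoder is deliberately strict: a prefix length over 32 or a route entry cut short raises instead of being installed, which is the behaviour you want from anything that turns DHCP bytes into routing-table entries.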

j_friedrich Mon, 07/16/2012 - 21:31

Hi Javier,

Killer suggestion! I have forwarded the link to Cisco support to help me implement or add ideas or suggestions. THANKS for getting the ball rolling. I will post the findings from support. Wicked!

Thanks for taking the time to reply.

Jason

jportugu Tue, 07/17/2012 - 05:32

Dear Jason,

I am glad to hear that.

Please keep us posted.

Have a good one.

* Please rate any post you find helpful.

j_friedrich Tue, 07/17/2012 - 17:36

Hi Javier,

One more question for you. My Gigabit 0/1 interface is the ISP interface. As per the example link I used in the post, the Gig0/1 interface includes the following command for the tunnel:

crypto map L2TP-IPSEC

So, given the details you gave me, what if I DON'T want all the traffic to go through the tunnel? Will an ACL work, OR do I have to modify the details you gave me?

I am pretty new at this stuff, but learning it pretty quick....

Ideas?

Once again, thanks for your time!

Jason

jportugu Tue, 07/17/2012 - 22:27

Hi Jason,

Please refer to my post from Jul 17, 2012 11:24 PM; it actually includes an ACL named VPN_SPLIT, which is the one in charge of defining the specific networks that the VPN client will attempt to reach through the tunnel.

In other words, it splits the traffic.

Keep me posted

Please rate this post if you find it helpful.

j_friedrich Sun, 07/22/2012 - 17:45

Hi Javier,

Was out of town for a bit...

Anyway, going back to my ACL question. What if I wanted certain traffic, such as web traffic, to use the local ISP-generated IP, and all other traffic to use the virtual-ppp interface IP?

How would I incorporate it into the VPN_SPLIT example you gave me?

Maybe provide an example, and that should get me going.

Once again, THANKS for your input and time!

Jason

jportugu Wed, 07/25/2012 - 06:29

Hi Jason,

Sorry for any delay.

Unfortunately it is not possible to differentiate the traffic, since the client will install the static routes without any protocol / port specification.

Let me know.

Please rate this post if you find it helpful.

jportugu Thu, 07/26/2012 - 12:26

Hi Jason,

I just noticed that you opened a TAC case with one of my teammates about this issue.

Working with him, we enabled full duplex and speed 1000 on both the inside and outside interfaces, and also set the MTU value to 1380 and the TCP MSS to 1200, and that allowed Internet access.

* I would recommend to you to contact your ISP because there is a packet-loss issue across the PPP link.

Let me know if you run into any further issues.

Thanks for your time.


Please rate this post if you find it helpful.      
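The fix in the last post (a lower MTU plus a TCP MSS clamp) is the classic signature of a PMTU black hole: small exchanges such as a ping or a cancelled telnet to port 80 fit inside the tunnel, but a full-size HTTP response segment with DF set does not, and the ICMP "fragmentation needed" never makes it back to the sender. The Python below is an added example, not from the thread or from Cisco: it parses the MSS out of a captured TCP SYN and estimates whether segments of that size survive L2TP/IPsec encapsulation on a 1500-byte outer link. The overhead figures (NAT-T on UDP 4500, AES-CBC with a 16-byte IV, HMAC-SHA1-96 ICV, a 6-byte L2TP data header, a 2-byte PPP protocol field) are assumptions about a typical Windows L2TP/IPsec SA, and the SYN is constructed inline.

```python
"""Added example (not from the thread): pull the MSS out of a captured TCP
SYN and estimate whether segments of that size survive L2TP/IPsec
encapsulation on a 1500-byte outer link.  Overhead figures are
assumptions about a typical Windows L2TP/IPsec SA (NAT-T UDP 4500,
AES-CBC with 16-byte IV, HMAC-SHA1-96 ICV, 6-byte L2TP data header,
2-byte PPP protocol field); the SYN is constructed inline.
"""
import socket
import struct
from typing import Dict, Optional

IP_DF = 0x4000


def build_syn(src: str, dst: str, sport: int, dport: int,
              mss: int, df: bool = True) -> bytes:
    """Constructed IPv4/TCP SYN with MSS, NOP, NOP, SACK-permitted options.
    Checksums are left zero; this is a parser fixture, not a real packet."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0,
                      (tcp_len // 4) << 4, 0x02, 65535, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     IP_DF if df else 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_syn(pkt: bytes) -> Dict[str, Optional[int]]:
    """Return the DF flag (1/0) and the advertised MSS (None if absent)."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6:
        raise ValueError("not TCP")
    df = int(bool(struct.unpack("!H", pkt[6:8])[0] & IP_DF))
    tcp = pkt[ihl:]
    doff = (tcp[12] >> 4) * 4
    opts = tcp[20:doff]
    mss = None
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return {"df": df, "mss": mss}


def esp_size(plaintext_len: int, block: int = 16, iv: int = 16, icv: int = 12) -> int:
    """ESP: SPI(4) + seq(4) + IV + plaintext + pad + padlen(1) + nexthdr(1) + ICV.
    Padding makes (plaintext + pad + 2) a multiple of the cipher block."""
    pad = (-(plaintext_len + 2)) % block
    return 8 + iv + plaintext_len + pad + 2 + icv


def l2tp_ipsec_wire_size(inner_ip_len: int, nat_t: bool = True) -> int:
    """Outer IP(20) [+ UDP 4500(8)] + ESP{ UDP 1701(8) + L2TP(6) + PPP(2) + inner IP }.
    The L2TP and PPP header sizes are assumptions (see module docstring)."""
    plaintext = 8 + 6 + 2 + inner_ip_len
    return 20 + (8 if nat_t else 0) + esp_size(plaintext)


def mss_fits(mss: int, outer_mtu: int = 1500) -> bool:
    """A full segment is 40 bytes of IPv4+TCP headers plus the MSS."""
    return l2tp_ipsec_wire_size(40 + mss) <= outer_mtu


def max_mss_for(outer_mtu: int = 1500) -> int:
    """Largest MSS whose full-size segments never need outer fragmentation."""
    return max(m for m in range(536, 1461) if mss_fits(m, outer_mtu))


if __name__ == "__main__":
    syn = build_syn("192.168.1.20", "203.0.113.10", 51000, 80, 1460)
    info = parse_syn(syn)
    print(info, "fits:", mss_fits(info["mss"]), "max:", max_mss_for())
```

Under these assumptions a default MSS of 1460 produces 1584-byte outer packets, well over 1500, while the MSS of 1200 from the TAC case lands comfortably inside; the same parser can be pointed at SYNs exported from the Wireshark capture to confirm what the Windows clients were actually advertising.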
