Cisco Client through L2TP tunnel possible?

ddawson · ‎09-24-2003

I'm trying to provide virtual direct Internet access for some of our engineers via client initiated, non-encrypted L2TP tunnels from the users' Windows 2K PC's to an Internet connected IOS router so that they can provide support services from their desktops without having to dial their home ISP accounts (we normally have to use proxy servers for all Internet access). The basic idea is to simulate dial-up ISP access with the L2TP dialer interface. It's working fine, except one of the requirements is for VPN client access to various customer sites. We're using the latest 4.0.2 client and it connects and authenticates OK (phase I completes fine), but no encrypted data leaves the users' PC (this was verified with a separate PC running ethereal). The client status display shows discarded packets for all the traffic. DPD packets also fail, which results in the connection terminating after a short time.

Is this even possible? It seems like we're pushing the limits a bit, since the L2TP traffic needs to carry the IPSec traffic, but enabling split tunneling to allow the local L2TP traffic to bypass IPSec doesn't help. Any hints, suggestions, or clarifying information would be greatly appreciated.

Thanks!

drolemc · ‎09-30-2003

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094aca.shtml.The link is a configuration example and describes how to configure L2TP over IPSec from a client to a concentrator.

Also, the compatibility matrix is located at http://www.cisco.com/warp/public/707/cmatrix.shtml

ddawson · ‎09-30-2003

Thanks for the reply, but I don't want to run L2TP through IPSec. I want to bring up an unencrypted L2TP tunnel from my PC to a router on the edge of our network to provide authenticated direct Internet access to a select group of our support engineers. This part works fine. The L2TP tunnel comes up and the PC gets a routable IP address from the pool and the user has direct Internet access that bypasses the usually required proxy servers. However, the real reason I want this is because we need to be able to make VPN client connections to customer sites and our proxy servers don't support that. My hope was that once the L2TP tunnel was up that I could then run the Cisco VPN client through it. So far I can successfully authenticate to remote VPN servers, but no encrypted traffic goes through the L2TP tunnel. In fact, once the VPN client connection authentication completes and the tunnel appears to be up, no packets leave that PC at all (I verified this with ethereal running on a separate PC). The client log shows DPD packets being sent and no replies being received, and after a minute or so this results in the client disconnecting. There aren't many options to the L2TP and VPN client configs, but I'm willing to believe that I've missed something. I'm also willing to believe that this just won't work, since L2TP is carried in IP packets and the VPN client may insist on encrypting them, resulting in a sort of catch-22. Should this work? It would be really handy for us if it would, but my hopes are dwindling.