
New Member

L2TP/IPSec and VRRP on Cisco VPN3000

Hi there. I don't know whether this is the right forum, please excuse me if it is not (of course a pointer to the right one would be appreciated :)

I am experimenting with the VRRP implementation of VPN 3000 concentrator series, and it seems that when the "backup" unit takes over, no L2TP/IPsec tunnel can be established anymore.

When the switch takes place, the backup unit takes over VRRP group IP addresses, which on VPN 3000 are master's own IP address as well. Thus, the backup unit handles two different IP addresses, its own and the group's.

Well, what I have observed using a sniffer is that while IKE/IPSec packets are correctly sourced by the group address, L2TP packets are sourced by the backup unit's physical IP address, and travel clear-text instead of being encapsulated within IPSec packets. The client machine (a Windows 2000 PC) obviously discards the L2TP packets, and no L2TP/IPsec tunnel can be established. PPTP tunnels work, though.

The above does not happen when the master VPN 3000 is working, as the VRRP group addresses are the same as its own interface addresses.

Now, neither VPN 3000 documentation nor TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they don't mention compatibility either (while they do mention compatibility of VRRP with PPTP).

Is anyone more informed than me about the matter? Is there any technical reason for the incompatibility between L2TP and VRRP, or is it a bug of some sort?

Thanks,

Roberto Patriarca
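As an added example (not part of the original post or of Cisco's software), the following Python check scans sniffer summary records for the symptom described above: after failover, L2TP (UDP/1701) leaving the backup concentrator in clear text from its physical address instead of inside ESP sourced from the VRRP group address. All addresses, the record format and the capture lines are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Dict, List

# Constructed addresses for illustration (not taken from the post).
VRRP_GROUP_ADDR = "192.0.2.1"    # shared group address the backup takes over
L2TP_PORT = 1701                 # L2TP runs over UDP/1701

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "udp" or "esp"
    dport: Optional[int]  # None for ESP, which carries no ports

def parse_record(line: str) -> Packet:
    """Parse a constructed summary line: '<src> > <dst> udp <dport>' or '<src> > <dst> esp'."""
    src, _, dst, proto, *rest = line.split()
    dport = int(rest[0]) if proto == "udp" else None
    return Packet(src, dst, proto, dport)

def classify(pkt: Packet, group_addr: str = VRRP_GROUP_ADDR) -> Optional[str]:
    """Return a finding for traffic that contradicts correct L2TP/IPsec behaviour, else None."""
    if pkt.proto == "esp":
        # Tunnel traffic must be sourced from the group address the client knows.
        return None if pkt.src == group_addr else "esp-from-physical-address"
    if pkt.proto == "udp" and pkt.dport == L2TP_PORT:
        # With L2TP/IPsec, L2TP should only ever be seen inside ESP; bare L2TP
        # is the failure the post describes, worse still from the wrong source.
        if pkt.src != group_addr:
            return "cleartext-l2tp-from-physical-address"
        return "cleartext-l2tp"
    return None

def audit(lines: List[str], group_addr: str = VRRP_GROUP_ADDR) -> Dict[str, int]:
    """Count findings over a list of sniffer summary lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        finding = classify(parse_record(line), group_addr)
        if finding:
            counts[finding] = counts.get(finding, 0) + 1
    return counts

# Constructed capture after failover: IKE and ESP correctly use the group
# address, but L2TP leaks out in clear text from the backup's own address.
CAPTURE = [
    "192.0.2.1 > 198.51.100.7 udp 500",
    "192.0.2.1 > 198.51.100.7 esp",
    "192.0.2.3 > 198.51.100.7 udp 1701",
    "192.0.2.3 > 198.51.100.7 udp 1701",
]
```

Running `audit(CAPTURE)` on the constructed capture reports two clear-text L2TP packets from the physical address, which is exactly the condition a client will reject.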

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: L2TP/IPSec and VRRP on Cisco VPN3000

This was found fairly recently and a high severity bug has been opened on it and is currently being investigated.

See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for details.

Nice work with the investigation though.

