L2TP/IPSec and VRRP on Cisco VPN3000

r.patriarca
Level 1

Hi there. I don't know whether this is the right forum, please excuse me if it is not (of course a pointer to the right one would be appreciated :)

I am experimenting with the VRRP implementation of VPN 3000 concentrator series, and it seems that when the "backup" unit takes over, no L2TP/IPsec tunnel can be established anymore.

When the switch takes place, the backup unit takes over the VRRP group IP addresses, which on VPN 3000 are the master's own IP addresses as well. Thus, the backup unit handles two different IP addresses, its own and the group's.

Well, what I have observed using a sniffer is that while IKE/IPSec packets are correctly sourced by the group address, L2TP packets are sourced by the backup unit's physical IP address, and travel clear-text instead of being encapsulated within IPSec packets. The client machine (a Windows 2000 PC) obviously discards the L2TP packets, and no L2TP/IPsec tunnel can be established. PPTP tunnels work, though.

The above does not happen when the master VPN 3000 is working, as the VRRP group addresses are the same as its own interface addresses.

Now, neither VPN 3000 documentation nor TAC documents explicitly say that L2TP/IPSec and VRRP are incompatible, but they don't mention compatibility either (while they do mention compatibility of VRRP with PPTP).

Is anyone more informed than me about the matter? Is there any technical reason for the incompatibility between L2TP and VRRP, or is it a bug of some sort?

Thanks,

Roberto Patriarca
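The symptom described above can be checked mechanically after a failover test. The following is an added example, not code from the thread or from Cisco: it walks a packet summary (constructed here, with placeholder addresses) and flags L2TP that appears in the clear on the wire, or VPN traffic sourced from a physical interface address rather than the VRRP group address.

```python
# Added example: audit a sniffer summary for the VRRP failover symptom
# described in the post. Addresses and packets below are constructed.
from dataclasses import dataclass

PROTO_UDP = 17
PROTO_ESP = 50
PORT_ISAKMP = 500   # IKE
PORT_L2TP = 1701    # L2TP control/data when not inside ESP


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int        # IP protocol number
    dport: int = 0    # UDP destination port (0 when not UDP)


def audit_vpn_traffic(packets, group_ip, physical_ips):
    """Return [(packet, [reasons])] for packets showing the failover symptom.

    Only VPN-related packets (ESP, IKE, L2TP) are examined. Two findings:
      - L2TP visible as UDP/1701 on the wire, i.e. not encapsulated in ESP
      - VPN traffic sourced from a physical address instead of the group address
    """
    findings = []
    for p in packets:
        is_vpn = p.proto == PROTO_ESP or (
            p.proto == PROTO_UDP and p.dport in (PORT_ISAKMP, PORT_L2TP))
        if not is_vpn:
            continue
        reasons = []
        if p.proto == PROTO_UDP and p.dport == PORT_L2TP:
            reasons.append("L2TP in cleartext, not encapsulated in ESP")
        if p.src in physical_ips and p.src != group_ip:
            reasons.append(f"sourced from physical {p.src}, not group {group_ip}")
        if reasons:
            findings.append((p, reasons))
    return findings


# Constructed sample: master's own address equals the group address, the
# backup unit's physical address is .3, and the backup has just taken over.
GROUP_IP = "198.51.100.1"
PHYSICAL_IPS = {"198.51.100.1", "198.51.100.3"}
CLIENT = "203.0.113.10"
SAMPLE = [
    Pkt(GROUP_IP, CLIENT, PROTO_UDP, PORT_ISAKMP),      # IKE from group: fine
    Pkt(GROUP_IP, CLIENT, PROTO_ESP),                   # ESP from group: fine
    Pkt("198.51.100.3", CLIENT, PROTO_UDP, PORT_L2TP),  # L2TP in the clear from backup
]

if __name__ == "__main__":
    for pkt, reasons in audit_vpn_traffic(SAMPLE, GROUP_IP, PHYSICAL_IPS):
        print(f"{pkt.src} -> {pkt.dst}: " + "; ".join(reasons))
```

A clean failover should produce no findings; any L2TP line outside ESP, or any VPN packet from a non-group address, reproduces what the sniffer showed.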

Accepted Solution

gfullage
Cisco Employee

This was found fairly recently and a high severity bug has been opened on it and is currently being investigated.

See http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCeb77328&Submit=Search for details.

Nice work with the investigation though.

