Setup VPN for Cisco VPN client, L2TP and static VPN tunnels
I am trying to add L2TP to an existing Cisco 1812 router configuration to allow standard Windows/Mac/iPhone L2TP clients to connect to the LAN. Currently the router is configured for incoming Cisco VPN Client connections and also has two static IPSec tunnels set up.
The starting point is basically this isakmp/ipsec configuration:
crypto isakmp policy 1
crypto isakmp policy 2
crypto isakmp policy 10
crypto isakmp key key1 address 126.96.36.199 no-xauth
crypto isakmp key key2 address 188.8.131.52 no-xauth
crypto isakmp client configuration address-pool local dynpool
This adds the L2TP transport to the existing dynmap. However, it does not work. From the debug output I gather that it refuses the incoming connections because of the missing XAUTH. It is unclear to me how to allow incoming connections with L2TP without XAUTH while still having other incoming connections with the Cisco VPN client using XAUTH. All L2TP examples I have found on cisco.com only set up L2TP alone, not in combination with other incoming client connections or other static VPN tunnels.
Can someone point me in the right direction, or does someone even have a working example with static VPN tunnels and incoming L2TP?
The L2TP connection gets authenticated; however, the debug output then shows this, in particular this "map_db_find_best did not find matching map" error. Does anyone know what this error means exactly and how to fix the setup to get a working L2TP connection?
Aug 12 20:20:50: ISAKMP:(2061):Checking IPSec proposal 1
Aug 12 20:20:50: ISAKMP: transform 1, ESP_3DES
Aug 12 20:20:50: ISAKMP: attributes in transform:
Aug 12 20:20:50: ISAKMP: SA life type in seconds
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Aug 12 20:20:50: ISAKMP: SA life type in kilobytes
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
Aug 12 20:20:50: ISAKMP: encaps is 61444 (Transport-UDP)
Aug 12 20:20:50: ISAKMP: authenticator is HMAC-MD5
Aug 12 20:20:50: ISAKMP:(2061):atts are acceptable.
Aug 12 20:20:50: IPSEC(validate_proposal_request): proposal part #1
Aug 12 20:20:50: IPSEC(validate_proposal_request): proposal part #1,
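An added example, not part of the original post: a small Python parser that decodes the IPsec proposal in the debug output above, including the VPI lifetime bytes, so the offered transform, encapsulation mode and lifetimes can be compared with the transform sets configured on the router. The function names and the `WEAK` policy list are assumptions made for this example; the sample input is copied from the debug lines above.

```python
import re

# Sample input: the proposal lines from the debug output above.
SAMPLE = """\
Aug 12 20:20:50: ISAKMP:(2061):Checking IPSec proposal 1
Aug 12 20:20:50: ISAKMP: transform 1, ESP_3DES
Aug 12 20:20:50: ISAKMP: attributes in transform:
Aug 12 20:20:50: ISAKMP: SA life type in seconds
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
Aug 12 20:20:50: ISAKMP: SA life type in kilobytes
Aug 12 20:20:50: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
Aug 12 20:20:50: ISAKMP: encaps is 61444 (Transport-UDP)
Aug 12 20:20:50: ISAKMP: authenticator is HMAC-MD5
Aug 12 20:20:50: ISAKMP:(2061):atts are acceptable.
"""

PREFIX = re.compile(r"^.*?ISAKMP:(?:\(\d+\):)?\s*")
WEAK = {"ESP_DES", "ESP_3DES", "HMAC-MD5"}  # assumption: local policy list

def parse_proposals(text):
    """Return one dict per 'Checking IPSec proposal N' block."""
    proposals, cur, life_type = [], None, None
    for line in text.splitlines():
        if "ISAKMP" not in line:
            continue
        body = PREFIX.sub("", line).strip()
        if m := re.match(r"Checking IPSec proposal (\d+)", body):
            cur = {"proposal": int(m[1]), "lifetime": {}}
            proposals.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"transform (\d+), (\S+)", body):
            cur["transform"] = m[2]
        elif m := re.match(r"SA life type in (\w+)", body):
            life_type = m[1]
        elif body.startswith("SA life duration (VPI) of") and life_type:
            # VPI = variable-length big-endian integer, printed byte by byte
            octets = [int(b, 16) for b in re.findall(r"0x[0-9A-Fa-f]+", body)]
            cur["lifetime"][life_type] = int.from_bytes(bytes(octets), "big")
            life_type = None
        elif m := re.match(r"encaps is (\d+) \((.+)\)", body):
            cur["encaps"] = (int(m[1]), m[2])
        elif m := re.match(r"authenticator is (\S+)", body):
            cur["authenticator"] = m[1]
    return proposals

def weak_algorithms(p):
    return sorted({p.get("transform"), p.get("authenticator")} & WEAK)
```

For the lines above, the decoded lifetimes are 3600 seconds and 250000 kilobytes, and the client is asking for UDP-encapsulated transport mode with ESP-3DES and HMAC-MD5.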
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...