ios l2tp ipsec vpn

dan.letkeman
Level 4

I'm struggling with getting a connection to our vpn service provider from our 2821 router.  I would like to terminate the vpn on the router so I can route certain traffic through the vpn.  Example info I got from our vpn provider is:

address: vpn.provider.com

username: user

password: pass

l2tp shared secret: asdfasdfasdfasfd

They support l2tp over ipsec, pptp and sstp.

From the research I have done so far, I have found that IOS does not support outgoing PPTP connections, and I cannot for the life of me find a working L2TP over IPsec configuration that makes sense. I do have an HWIC-4ESW card in the router that I am trying to make the VPN connection from, so I'm wondering if that is where I'm having the trouble. I'm also running NAT on the interfaces on this router, which could also be part of my problem.

I'm a bit confused with the LAC, LNS, client-initiated, client peer, LAN-to-LAN, etc., configurations on the Cisco site. I'm assuming that I should not be setting up my router as an LAC, but instead as a client?

Does anyone know if this even works?  Or is the vpn support on an IOS router only for router to router configurations?

Thanks,

Dan.


6 Replies

Jennifer Halim
Cisco Employee

You can't configure any router or firewall to be the client for L2TP over IPSec or PPTP connection. You would need to use L2TP over IPsec client or PPTP client from your PC to connect to your provider VPN.

If you would like your router to terminate VPN, you would need to configure Easy VPN client or LAN-to-LAN IPSec tunnel towards your provider. However, from the information provided so far, it seems that your provider supports L2TP over IPSec and PPTP which can be established from your PC.

Here is the sample configuration for the server (which is your provider), however, you can take a look at the client side as well which is included in the sample config:

L2TP over IPSec: http://www.cisco.com/en/US/partner/products/ps6120/products_configuration_example09186a00807213a7.shtml

(check out the "Windows L2TP/IPsec Client Configuration" section)

PPTP: http://www.cisco.com/en/US/partner/tech/tk801/tk703/technologies_configuration_example09186a008009485e.shtml

(check out the "Configuring the Windows 2000 Client for PPTP" section)

Hope that helps.

Yes, that helps. I thought I was just doing something wrong.

So you are saying it's only possible from a Windows or Linux desktop client. The devices I'm using don't have a VPN client, so it looks like I'm out of luck.

Curious, is there a reason why this is not supported?

Thanks,

Dan.

Dan,

You don't need VPN client software; you can connect a machine with the built-in VPN client that comes with Windows.

Any machine running Windows can use its native VPN client to connect via L2TP/IPsec or PPTP to the router (if supported).

Federico.

Yes, sorry, I was not clear in my response. The devices I'm using are not Windows or Linux, so they do not have VPN client capabilities. This is why I was wanting the router to terminate the VPN, because I cannot terminate it with the client devices I'm using.

Does anyone know if there are any companies that sell vpn services that are not strictly l2tp over ipsec or pptp?  Perhaps, GRE over ipsec instead?

Dan.

There are many VPN options, usually the ISPs sell MPLS.

They can also provide the L2 WAN as Frame Relay or Point-to-Point links.

You can configure L3 IPsec VPNs or IPsec/GRE, and depending what you need create a DMVPN or GETVPN.

The difference with MPLS VPNs is that the ISP is involved in the routing and the IPsec VPNs you control all the routing, they just sell the L2 path.

IPsec has the advantage of having strong encryption after the encapsulation.

L2TP only encapsulates the traffic, that's why it uses IPsec for encryption.

PPTP only encapsulates the traffic and can provide MPPE encryption.

GRE only encapsulates the traffic and uses IPsec for encryption and the advantage is that GRE can be terminated on routers.

So, if you need VPN terminated on routers and you need to protect the traffic (and to have control over it) and to encapsulate other traffic than IP and unicast, I think you should look for IPsec/GRE or DMVPN in case you have many sites.

Federico.
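Federico's point that L2TP, PPTP (which rides on GRE) and plain GRE only encapsulate is easy to see on the wire. The following is an added example, not code from this thread or from Cisco: it builds constructed GRE (RFC 2784) and L2TPv2 (RFC 2661) data packets around an inner IPv4/UDP datagram and decapsulates them again, getting the inner packet back byte-for-byte. The function names, addresses and the sample payload are assumptions made for illustration; nothing here is captured traffic.

```python
"""Encapsulation is not encryption: GRE and L2TPv2 data headers carry the inner
packet verbatim, so anyone on the path reads it unless IPsec wraps the tunnel.
Added example; all packet bytes below are constructed, not captured."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800          # GRE protocol type for an IPv4 payload
PPP_PROTO_IPV4 = 0x0021          # PPP protocol field for IPv4
PPP_HDLC_ADDR_CTRL = b"\xff\x03"  # HDLC-like address/control bytes in front of PPP


def build_inner_ipv4_udp(src, dst, sport, dport, payload):
    """Minimal IPv4 + UDP datagram (checksums left at zero) to act as the inner packet."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + udp


def udp_payload_of(ipv4_pkt):
    """Return the UDP payload of a plain IPv4 packet, honouring the IHL field."""
    ihl = (ipv4_pkt[0] & 0x0F) * 4
    if ipv4_pkt[9] != 17:
        raise ValueError("inner packet is not UDP")
    return ipv4_pkt[ihl + 8:]


def gre_encapsulate(inner, key=None):
    """GRE header with no checksum or sequence number; optional 32-bit key (K bit)."""
    flags = 0x2000 if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def gre_decapsulate(pkt):
    """Parse the GRE header, skipping whatever optional fields the flag bits announce."""
    flags, proto = struct.unpack("!HH", pkt[:4])
    off = 4
    if flags & 0x8000:   # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:   # K bit: key
        off += 4
    if flags & 0x1000:   # S bit: sequence number
        off += 4
    return proto, pkt[off:]


def l2tp_encapsulate(inner, tunnel_id, session_id):
    """L2TPv2 data message (T=0, L/S/O bits clear, version 2) carrying PPP-framed IPv4."""
    hdr = struct.pack("!HHH", 0x0002, tunnel_id, session_id)
    return hdr + PPP_HDLC_ADDR_CTRL + struct.pack("!H", PPP_PROTO_IPV4) + inner


def l2tp_decapsulate(pkt):
    """Parse an L2TPv2 data header and strip PPP framing; returns (tid, sid, ppp_proto, inner)."""
    (flags_ver,) = struct.unpack("!H", pkt[:2])
    if (flags_ver & 0x000F) != 2:
        raise ValueError("not an L2TPv2 packet")
    if flags_ver & 0x8000:   # T bit: control message, carries no user data
        raise ValueError("L2TP control message")
    off = 2
    if flags_ver & 0x4000:   # L bit: Length field present
        off += 2
    tunnel_id, session_id = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if flags_ver & 0x0800:   # S bit: Ns and Nr present
        off += 4
    if flags_ver & 0x0200:   # O bit: Offset Size field, then that many pad bytes
        (offset_size,) = struct.unpack("!H", pkt[off:off + 2])
        off += 2 + offset_size
    ppp = pkt[off:]
    if ppp.startswith(PPP_HDLC_ADDR_CTRL):
        ppp = ppp[2:]
    (ppp_proto,) = struct.unpack("!H", ppp[:2])
    return tunnel_id, session_id, ppp_proto, ppp[2:]


def demo():
    """Round-trip a constructed login message through both tunnel types."""
    secret = b"username=user password=pass"   # constructed sample, mirrors the thread's placeholders
    inner = build_inner_ipv4_udp("192.0.2.10", "198.51.100.20", 40000, 1812, secret)
    gre_proto, gre_inner = gre_decapsulate(gre_encapsulate(inner, key=0x1234))
    _, _, ppp_proto, l2tp_inner = l2tp_decapsulate(l2tp_encapsulate(inner, 7, 9))
    return {
        "gre_proto_is_ipv4": gre_proto == ETHERTYPE_IPV4,
        "gre_payload_visible": udp_payload_of(gre_inner) == secret,
        "l2tp_ppp_is_ipv4": ppp_proto == PPP_PROTO_IPV4,
        "l2tp_payload_visible": udp_payload_of(l2tp_inner) == secret,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Every check in `demo()` comes back true: the decapsulators are pure header arithmetic and the inner UDP payload, here a made-up credential string, is readable as soon as the tunnel header is skipped. That is the practical content of "L2TP only encapsulates"; confidentiality comes from the IPsec ESP layer that wraps these packets (or MPPE for PPTP), which is why an unprotected GRE or L2TP tunnel on a router should be treated as cleartext transport.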

Thanks Federico!
