how to do both PPTP and L2TP/IPsec

As I want to migrate our teleworkers from PPTP to L2TP/IPsec I added config for L2TP/IPsec to our router. (IOS 12.4)

It was quite easy to get this going, by adding to the existing config:

vpdn-group 2
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto dynamic-map vpn-dynamic 10
 description Dynamic map for L2TP
 set nat demux
 set security-association lifetime seconds 28800
 set transform-set 3des-sha-transp 3des-md5-transp
 match address vpn-dynamic
crypto map vpn-4 10 ipsec-isakmp dynamic vpn-dynamic
ip access-list extended vpn-dynamic
 permit ip host xx.xx.xx.xx any

This worked okay, but because of the access list the router would no longer accept the PPTP connections: they match the access list, and %CRYPTO-4-RECVD_PKT_NOT_IPSEC messages are logged.

Ok. Back to the drawing board.

So I added a secondary IP address to the outside interface:

ip address xx.xx.xx.yy 255.255.255.240 secondary

This address is within our allocated subnet and it routes OK. I changed the access-list above to reflect the new router address and then the original PPTP mode works OK again.

But the L2TP/IPsec on the new address does not work... When I trace the external traffic I see:

16:51:20.574373 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.583783 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.593903 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.715780 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.870256 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.882573 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.986369 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.991128 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:21.146567 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:21.156630 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Informational
16:51:21.763894 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:23.763766 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:27.764078 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode

The Main Mode exchange is OK, but the router does not reply to the Quick Mode packets.

The following message is then logged:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 188.90.232.174

What could it be? Should it be possible to set up L2TP/IPsec on a secondary address of the external interface? I don't see any mention of the router address anywhere in the config for this feature except in the access list used for the crypto map, and that one I have updated... I'm puzzled.

Rob
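To turn a trace like the one above into a quick phase-1/phase-2 verdict, here is an added Python triage script (not from the original post) that parses lines in that tcpdump-style format and reports whether Main Mode completed and whether the router ever answered Quick Mode with Quick Mode. The sample trace is constructed after the one in the post, and xx.xx.xx.yy is assumed to be the router's secondary outside address.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+ISAKMP\s+(?P<exch>.+?)\s*$")

# Constructed sample modelled on the trace in the post: 188.90.232.174 is the
# teleworker client, xx.xx.xx.yy the router's secondary outside address.
SAMPLE_TRACE = """\
16:51:20.574373 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.583783 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.593903 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.715780 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.870256 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.882573 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:20.986369 188.90.232.174 -> xx.xx.xx.yy ISAKMP Identity Protection (Main Mode)
16:51:20.991128 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Identity Protection (Main Mode)
16:51:21.146567 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:21.156630 xx.xx.xx.yy -> 188.90.232.174 ISAKMP Informational
16:51:21.763894 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:23.763766 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
16:51:27.764078 188.90.232.174 -> xx.xx.xx.yy ISAKMP Quick Mode
"""

def parse_trace(text):
    """Return (src, dst, exchange) for every ISAKMP line; other lines are skipped."""
    return [(m['src'], m['dst'], m['exch'])
            for m in map(LINE_RE.match, text.splitlines()) if m]

def triage_ikev1(pkts, responder):
    """Infer IKEv1 phase state as seen from `responder` (the router).

    Main Mode needs three messages from each side to complete. A Quick Mode
    that is never answered with Quick Mode, only with an Informational (a
    notify), and is then retransmitted by the initiator is a phase 2 failure,
    which IOS logs as %CRYPTO-6-IKMP_MODE_FAILURE.
    """
    c = {}
    for src, dst, exch in pkts:
        direction = 'in' if dst == responder else 'out'
        kind = ('mm' if exch.startswith('Identity Protection') else
                'qm' if exch.startswith('Quick Mode') else 'info')
        c[kind, direction] = c.get((kind, direction), 0) + 1
    phase1 = c.get(('mm', 'in'), 0) >= 3 and c.get(('mm', 'out'), 0) >= 3
    qm_in, qm_out = c.get(('qm', 'in'), 0), c.get(('qm', 'out'), 0)
    verdict = ('phase1-incomplete' if not phase1 else 'phase2-ok' if qm_out
               else 'phase2-failed' if qm_in else 'phase1-only')
    return {'phase1_complete': phase1, 'quick_mode_answered': qm_out > 0,
            'qm_retransmits': max(qm_in - 1, 0),
            'notify_sent': c.get(('info', 'out'), 0), 'verdict': verdict}

if __name__ == '__main__':
    print(triage_ikev1(parse_trace(SAMPLE_TRACE), 'xx.xx.xx.yy'))
```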

In the meantime I got it working by using "l2tp security crypto-profile" instead of a static crypto map with match address.

Rob
