L2TP over IPSec on cisco
Hello there,
I’ve got a situation:
About 350 VPN clients are currently using the PPTP Windows 2003 server located at the company’s HQ. NAT-T of port 1723 and forwarding of GRE IP-type packets is used to reach this server on the internal network from the outside interface of a Cisco 2801 Integrated Services Router. There are also two other ports NATed inside, 25000 and 3333, used for specific applications. There is also a NAT used for sharing the internet on the company’s HQ LAN. Well, this setup is working fine, but there is an increasing number of attack attempts on our network setup. None was successful – yet. So I preventively decided to upgrade this solution to a much more secure configuration: an L2TP over IPsec solution. The best thing, which is the same as with the PPTP solution, is that I do not need any special VPN client (as with SSL VPNs), because we can use the one integrated with Windows. I found a solution for how to make an L2TP tunnel from the Windows VPN client to a Cisco IOS router. Well, I spent months of experiments and searching the internet until I finally developed a configuration which enables L2TP over IPsec and allows me to successfully log in, negotiate TCP/IP CP via RADIUS, establish a PPP link and obtain an address on the network, but –
what is the pain? When I log on from the client I obtain the standard IP dedicated for VPN from the DHCP pool 192.168.x.x, but the netmask is 255.255.255.255. From this the problem arises. I cannot ping or access any network service, including the router. Only the client’s assigned IP address can be successfully pinged. Nothing behind it.
I tried several routing configurations, including RIP + OSPF, changing VLANs, using other Virtual-Template configurations and all kinds of DHCP / RADIUS policy TCP/IP CP negotiations (including changing the DHCP and RADIUS policy setup and rules about the subnet mask). All of them always negotiate the subnet mask 255.255.255.255, no matter what the configuration is.
I investigated for more than two months for a solution to this situation, but everywhere there is just the basic configuration of L2TP over IPsec and some specific issues, never about this “mask” or routing problem; I nowhere saw a solution to this one.
Do I have to change the IP address space to another class / address type, or set up some other routing type? Maybe I did something wrong while trying the possible solutions? That is the million-dollar question.
The plan is to use the Cisco 2801 (the K9 model supporting 3DES) as NAT, NAT-T, firewall, QoS and the VPN gateway all in one. The internet has to be shared only on the LAN inside HQ. VPN clients have to be configured without a gateway, or primarily use their local gateway to access the internet, not the HQ Cisco gateway. This is the intended use for this one pretty expensive box, and that is why we bought it – Cisco sales told me a long time ago that it is possible to do this, but the service agreement has expired, so I am on my own with this. And stuck now as well.
Please help! Any help is much appreciated; I really don’t know any more how to continue, I think I tried everything. Everyone around me in the IT department and my friends are Cisco newbies, or never tried to use VPDN on Cisco. So if you can help me it could save my ass… 🙂
Below is my IOS configuration (security-sensitive things are removed):
Building configuration…

Current configuration : 6341 bytes
!
! <removed> marks values stripped from the posted config; truncated
! key/trustpoint labels (SDM-RSAKey-, TP-self-signed-) are left as posted.
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname router.domain.com
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login default local enable
aaa authentication ppp default group radius local
aaa authentication eou default group radius
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip domain name domain.com
ip ssh authentication-retries 2
ip ssh version 2
!
! L2TP server side: incoming L2TP tunnels are terminated on Virtual-Template1
vpdn enable
!
vpdn-group VPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
voice-card 0
!
password encryption aes
!
!
!
crypto pki trustpoint CADomain.com
 enrollment terminal
 serial-number none
 fqdn router.domain.com
 ip-address 192.168.0.31
 password 7 <removed>
 revocation-check crl
 rsakeypair SDM-RSAKey-
!
crypto pki trustpoint domain.com
 enrollment terminal
 serial-number none
 fqdn router.bydlite.cz
 ip-address 192.168.0.31
 password 7 <removed>
 revocation-check crl
 rsakeypair SDM-RSAKey-
!
crypto pki trustpoint domaincom
 enrollment url http://192.168.0.1:80/CertEnroll
 serial-number
 fqdn router.domain.com
 ip-address FastEthernet0/1
 password 7 <removed>
 subject-name O=COMPANY, OU=Division 1 – communication, CN=IT department, ST=Czech republic, E=dusk@progcentral.com
 revocation-check crl
 rsakeypair SDM-RSAKey-
 auto-enroll
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain CADomain.com
crypto pki certificate chain domain.com
crypto pki certificate chain domaincom
crypto pki certificate chain TP-self-signed-
 certificate self-signed 01
  30820254 … a very long trip into certificate… 6849631E
  quit
username MrAdmin privilege 15 secret 5 <removed>
username Other privilege 15 secret 5 <removed>
!
!
!
! IKE phase 1: 3DES / pre-shared key / DH group 2; one wildcard (type 6, AES-encrypted) PSK for every peer
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 <removed> address 0.0.0.0 0.0.0.0
!
!
! IPsec in transport mode: L2TP (UDP/1701) rides inside ESP
crypto ipsec transform-set ccsp esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map cc 10
 set nat demux
 set transform-set ccsp
!
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
!
interface FastEthernet0/0
 description Internal Network$ETH-LAN$
 ip dhcp relay information trusted
 ip address 192.168.0.31 255.255.0.0
 ip helper-address 192.168.0.7
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 hold-queue 100 out
!
interface FastEthernet0/1
 description Internet Network$ETH-WAN$
 ip address <removed> 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map cisco
!
! PPP side of each L2TP session: borrows the LAN address, peer address comes from DHCP via the relay
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address dhcp
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2
!
ip classless
ip route 0.0.0.0 0.0.0.0 <removed> permanent
!
!
ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT for the LAN plus the static port forwards (3333->RDP, 443, 25000, PPTP 1723)
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.3 3389 interface FastEthernet0/1 3333
ip nat inside source static tcp 192.168.0.3 8333 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.0.41 25000 interface FastEthernet0/1 25000
ip nat inside source static udp 192.168.0.41 25000 interface FastEthernet0/1 25000
ip nat inside source static tcp 192.168.0.7 1723 interface FastEthernet0/1 1723
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.255.255
no cdp run
!
!
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646 timeout 60 key 7 <removed>
!
control-plane
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 106 in
 password 7 106406110419175355577379
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 access-class 107 in
 transport input telnet ssh
 transport output telnet ssh
!
end

I know this config is still insecure (without a correct firewall and ACLs, but I tried to use them, again without any effect), but that is not the point at this time. Thanks for your help and time.
Libor
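A small static audit of the posted configuration, added here as an example and not part of the original post or of any Cisco tooling. The 255.255.255.255 mask itself is the normal outcome of IPCP on a point-to-point link; what the router config does control is whether the LAN side can reach those /32 host addresses, and which management and VPN settings are weak. The script parses IOS's one-space-per-level nesting and reports the points a reviewer would raise from the lines above: telnet on the VTYs, access-class and ip http access-class entries whose ACLs are not in the posted config, the type-7 line password, plain HTTP, the wildcard pre-shared key, L2TP tunnel authentication being off, the PPTP forward that remains, and the Virtual-Template borrowing an interface that has `no ip proxy-arp`. `SAMPLE_CONFIG` is a constructed, trimmed copy of the posted config with the stripped values replaced by placeholders (`PSK-REMOVED`, `REMOVED`); the function and variable names are the example's own.

```python
import re

# Constructed from the posted config: trimmed to the lines the checks look at,
# with IOS indentation restored and stripped secrets replaced by placeholders.
SAMPLE_CONFIG = """\
aaa new-model
ip ssh version 2
vpdn-group VPN
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
crypto isakmp key PSK-REMOVED address 0.0.0.0 0.0.0.0
interface FastEthernet0/0
 ip address 192.168.0.31 255.255.0.0
 no ip proxy-arp
 ip nat inside
interface FastEthernet0/1
 ip nat outside
 crypto map cisco
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address dhcp
 ppp authentication ms-chap-v2
ip http server
ip http access-class 6
ip nat inside source static tcp 192.168.0.7 1723 interface FastEthernet0/1 1723
access-list 1 permit 192.168.0.0 0.0.255.255
line vty 0 4
 access-class 106 in
 password 7 REMOVED
 transport input telnet ssh
line vty 5 15
 access-class 107 in
 transport input telnet ssh
"""


def parse(text):
    """Split an IOS config into (top-level command, [sub-commands]).
    IOS indents sub-commands by one space per nesting level; deeper levels
    are folded into the same top-level block, which is enough for these checks."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def defined_acls(blocks):
    """Numbers/names of every ACL declared at top level (numbered or named)."""
    names = set()
    for cmd, _ in blocks:
        m = re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", cmd)
        if m:
            names.add(m.group(1))
    return names


def audit(text):
    """Return (severity, message) findings; every rule keys off a literal config line."""
    blocks = parse(text)
    acls = defined_acls(blocks)
    iface = {cmd.split(" ", 1)[1]: subs for cmd, subs in blocks if cmd.startswith("interface ")}
    out = []
    for cmd, subs in blocks:
        if cmd.startswith("line vty"):
            for s in subs:
                if s.startswith("transport input") and "telnet" in s:
                    out.append(("high", f"{cmd}: cleartext telnet accepted ({s}); use 'transport input ssh'"))
                if s.startswith("password 7"):
                    out.append(("medium", f"{cmd}: type-7 line password is reversible and unused under aaa new-model; remove it"))
                m = re.match(r"access-class (\S+) in", s)
                if m and m.group(1) not in acls:
                    out.append(("high", f"{cmd}: access-class {m.group(1)} names an ACL not in this config; a missing ACL permits everyone"))
        elif cmd == "ip http server":
            out.append(("medium", "plain HTTP management enabled; keep only 'ip http secure-server'"))
        elif m := re.match(r"ip http access-class (\S+)", cmd):
            if m.group(1) not in acls:
                out.append(("high", f"{cmd}: ACL {m.group(1)} is not in this config"))
        elif re.search(r"crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", cmd):
            out.append(("info", "one wildcard pre-shared key for all peers: anyone holding it can start IKE, and rotating it touches every client; the existing trustpoints allow certificate auth instead"))
        elif cmd.startswith("vpdn-group") and "no l2tp tunnel authentication" in subs:
            out.append(("info", f"{cmd}: L2TP tunnel auth off (the Windows client needs this); the peer is authenticated by IPsec only"))
        elif re.search(r"ip nat inside source static tcp \S+ 1723 ", cmd):
            out.append(("medium", "PPTP (TCP/1723) still forwarded to the inside server; remove once clients are on L2TP/IPsec"))
        elif cmd.startswith("interface Virtual-Template"):
            for s in subs:
                m = re.match(r"ip unnumbered (\S+)", s)
                if m and "no ip proxy-arp" in iface.get(m.group(1), []):
                    out.append(("reachability", f"{cmd} is unnumbered to {m.group(1)}, which has 'no ip proxy-arp': LAN hosts cannot ARP-resolve the /32 peer addresses, so nothing on the LAN can answer the VPN clients"))
    return out


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

The `reachability` finding is the one that bears on the question: the router installs a /32 host route towards each connected client, and a LAN host whose own mask is /16 will ARP for that client address on the wire, so either Fa0/0 answers via proxy ARP or the clients must sit in a range the LAN reaches through a route. Run the audit again on the edited config and the list should shrink to the two `info` entries, which are inherent to the Windows-client design rather than mistakes.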