Cisco IOS - PPPoE, L2TP not staging

First post, but I've searched the forums and the wider internet in search of an answer.

I live in Australia, running an NBN connection via a Cisco 1841 router.  It's running a Dialer interface using NAT.

I've found one guide that goes through setting up an L2TP tunnel; however, the guide's config is slightly different from mine for the underlying internet connection, and that's where I'm having issues.

My main issue is that I can get ISAKMP to accept an SA but IPsec won't. The debug errors don't seem to help at all, and no terminal messages are of any use.

I'm using the traffic from 192.168.0.102 as interesting traffic for the tunnel but it never seems to stage.  I'm open to any suggestions.

Config listed below...

Current configuration : 3567 bytes
!
! Last configuration change at 14:39:54 syd Sat Mar 5 2016 by ***********
! NVRAM config last updated at 15:41:57 syd Fri Mar 4 2016 by ***********
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ***********
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 ***********************************
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone syd 11
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.0.100 192.168.0.110
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool ***********
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 8.8.8.8
!
!
ip cef
ip domain name ***********
ip name-server ***********
!
no ipv6 cef
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group NBN
 request-dialin
  protocol pppoe
!
!
!
!
!
username ********USERNAME****** privilege 15 secret 5 *********PW***********
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key mysafety address 168.1.75.47
!
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map PIA_VPN 10 ipsec-isakmp
 set peer 168.1.75.47
 set transform-set ESP-AES256-SHA1
 match address PIA_DISTA
!
!
!
ip ssh version 2
pseudowire-class PIA_L2TP
 encapsulation l2tpv2
 ip local interface Dialer1
!
!
!
!
interface FastEthernet0/0
 description WAN Interface
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0/1
 description LAN Interface
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface Virtual-PPP1
 description Tunnel to PIA
 ip address negotiated
 ip virtual-reassembly
 no cdp enable
 ppp eap refuse
 ppp chap hostname x6322287
 ppp chap password 7 10183A16042F281B1D1702
 ppp ipcp address accept
 pseudowire 168.1.75.62 1 pw-class PIA_L2TP
 crypto map PIA_VPN
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp chap hostname ********nbn username**************
 ppp chap password 7 **********nbn password***************
 ppp pap sent-username ********nbn username************** password 7 **********nbn password***************
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
ip nat source static tcp 192.168.0.102 60276 interface Virtual-PPP1 60276
ip nat source static tcp 192.168.0.102 9091 interface Virtual-PPP1 9091
ip nat source static tcp 192.168.0.102 64108 interface Virtual-PPP1 64108
ip nat inside source list NATTRAFFIC interface Dialer1 overload
!
ip access-list standard NATTRAFFIC
 permit 192.168.0.0 0.0.0.255
!
ip access-list extended PIA_DISTA
 permit ip any any
ip access-list extended TRANSMISSION
 permit ip host 192.168.0.102 any
!
access-list 1 permit 0.0.0.0 255.255.255.0
!
!
!
!
route-map TRANSMISSION_PIA permit 10
 match ip address TRANSMISSION
 set interface Virtual-PPP1
!
!
!
!
control-plane
!
!
!
!
scheduler allocate 20000 1000
ntp server au.pool.ntp.org
end


Comments

  • edited April 2016
    Are you still having problems with this?
    I haven't gone through the lot, but your main issue is:
    ip access-list extended PIA_DISTA
     permit ip any any

    What you want is for it to match the L2TP traffic only. Otherwise it encrypts everything over the IPsec transport.
    If you have a static IP address, replace any with your Dialer1 static IP in the following:

    ip access-list extended PIA_DISTA
      permit ip any host 168.1.75.62 eq 1701

    You also don't have the route-map applied to anything, so I don't believe it would have any effect.
    I believe you need:
    int fa0/1
      ip policy route-map TRANSMISSION_PIA

    You will also want to set a natting rule for the virtual-ppp1:
    ip nat inside source route-map TRANSMISSION_PIA int virtual-ppp1 overload


    Cheers.


    Post edited by Slaziar on
  • Also note I have a near-identical config on a 1921, and it won't pass the ISAKMP phase 1 key exchange with this error (using debug crypto isakmp):

    Apr 24 05:25:35.168: ISAKMP: Error while processing SA request: Failed to initialize SA
    Apr 24 05:25:35.168: ISAKMP: Error while processing KMI message 0, error 2.

    I've reached out to PIA to ask what their ISAKMP settings are, but I've tried what MS recommend for IPsec/L2TP. Perhaps it has something to do with using IKEv2 for NAT? I might try that later. If you've solved it, I'd love it if you could post the relevant config :)
  • Embarrassingly, I got it to work; my pre-shared key was wrong. However, the only other change I made to the above was:
    ip access-list extended PIA_DISTA
      permit ip <my static ip> eq 1701 host 168.1.75.62 eq 1701

    However, it may still work with my original if you don't have a static IP, or even using eq 1701 after any.
  • I am having the same issue. Did you ever get this working? I am using a Cisco 3825, version 15.1(4)M12a, and no luck.
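Pulling the fixes from the comments together, here is an added example (not from the original post or from any of the repliers) of the corrected fragments of the configuration above. It assumes that Dialer1 keeps a fixed public address, written as the placeholder 203.0.113.10, and that the L2TP server 168.1.75.62 also terminates the IKE/IPsec session (the original uses 168.1.75.47 as the IKE peer; using one address for both is an assumption to check against the provider's details). The placeholder pre-shared key and the route-map names NAT_PIA and NAT_NBN are likewise invented for this example.

```cisco
! Added example, not the original poster's or PIA's configuration.
! Assumptions: Dialer1 has the fixed public address 203.0.113.10 (placeholder),
! and 168.1.75.62 is both the L2TP and the IKE/IPsec peer.
!
! 1. Crypto ACL: protect only the L2TP channel (UDP 1701), not "ip any any".
!    IOS only accepts "eq <port>" with tcp or udp, so the protocol must be udp.
ip access-list extended PIA_DISTA
 permit udp host 203.0.113.10 eq 1701 host 168.1.75.62 eq 1701
!
! 2. IKE phase 1 and the IPsec transform set; transport mode is correct for
!    L2TP/IPsec because the IPsec endpoints are the L2TP endpoints.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key 0 <pre-shared-key> address 168.1.75.62
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map PIA_VPN 10 ipsec-isakmp
 set peer 168.1.75.62
 set transform-set ESP-AES256-SHA1
 match address PIA_DISTA
!
! 3. The crypto map must sit on the interface the UDP 1701 packets actually
!    leave through. The pseudowire class sources them from Dialer1 and the
!    default route sends them out Dialer1, so that is where it goes; on
!    Virtual-PPP1 it would only ever see the traffic already inside the tunnel.
interface Dialer1
 crypto map PIA_VPN
!
interface Virtual-PPP1
 no crypto map PIA_VPN
 ip nat outside
!
! 4. Policy routing only takes effect once the route-map is applied to the
!    LAN interface where the traffic from 192.168.0.102 arrives.
interface FastEthernet0/1
 ip policy route-map TRANSMISSION_PIA
!
! 5. NAT with two outside interfaces. The existing "list NATTRAFFIC" rule also
!    matches 192.168.0.102, so each rule is tied to its exit interface with
!    "match interface" to keep the translations apart.
route-map NAT_PIA permit 10
 match ip address TRANSMISSION
 match interface Virtual-PPP1
!
route-map NAT_NBN permit 10
 match ip address NATTRAFFIC
 match interface Dialer1
!
no ip nat inside source list NATTRAFFIC interface Dialer1 overload
ip nat inside source route-map NAT_PIA interface Virtual-PPP1 overload
ip nat inside source route-map NAT_NBN interface Dialer1 overload
!
! 6. Port forwards in legacy form. "ip nat source static" (without "inside")
!    is the NVI syntax, which only applies to interfaces marked "ip nat enable",
!    not to the "ip nat inside"/"ip nat outside" interfaces used here.
no ip nat source static tcp 192.168.0.102 60276 interface Virtual-PPP1 60276
no ip nat source static tcp 192.168.0.102 9091 interface Virtual-PPP1 9091
no ip nat source static tcp 192.168.0.102 64108 interface Virtual-PPP1 64108
ip nat inside source static tcp 192.168.0.102 60276 interface Virtual-PPP1 60276
ip nat inside source static tcp 192.168.0.102 9091 interface Virtual-PPP1 9091
ip nat inside source static tcp 192.168.0.102 64108 interface Virtual-PPP1 64108
```

Two checks after applying it: show crypto ipsec sa should list UDP 1701 proxy identities for Dialer1's address and 168.1.75.62 rather than 0.0.0.0/0, and show ip nat translations should show 192.168.0.102 translated to the Virtual-PPP1 address once the tunnel is up. If Dialer1's address is not fixed, the host entry in PIA_DISTA has to follow it, which is why the first reply suggested any as the source. Note also that the posted config reveals a type-7 CHAP password and the ISAKMP pre-shared key in the clear; type 7 encoding is reversible, so both should be treated as compromised and rotated.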