manuverhaegen

l2tp tunnel from pc to router

We cannot connect from a Windows 7 PC to a Comware router.

Config on router
#gateway
interface GigabitEthernet0/1
 port link-mode route
 nat outbound
 ip address 203.xx.xx.2 255.255.255.0 [public ip redacted]

#route
 ip route-static 0.0.0.0 0.0.0.0 203.xx.xx.1 [public ip redacted]

#l2tp
local-user user01
 password simple test123
 service-type ppp
 quit
domain system
 authentication ppp local
 ip pool 1 192.168.112.10 192.168.112.100
 quit
l2tp enable
interface virtual-template 1
 ip address 192.168.112.1 255.255.255.0
 ppp authentication-mode chap domain system
 remote address pool 1
 quit
l2tp-group 1
 tunnel name LNS
 allow l2tp virtual-template 1
 quit
arnold

Where are you testing these connection attempts from, and what is the local LAN IP on the client? The LAN IP on the client and the LAN IP on the remote side cannot overlap; they cannot be or include 192.168.112.0/24.
manuverhaegen

ASKER

The LAN IP of the client is 192.168.100.0/24

Does the VPN tunnel get established, but no traffic passes?
Does the VPN IP 192.168.112.x come up on the client?
Your user config does not seem to be pushing a route for 192.168.112.0/24 to the client.
So while the VPN client IP might come up, the setting might require you to manually add routes:
route add 192.168.112.0 mask 255.255.255.0 192.168.112.x where the 192.168.112.x is the VPN assigned IP.

The VPN tunnel is not established and no traffic passes.
The VPN IP 192.168.112.x does not come up on the client side.

Configuration client side:
203.x.x.x
Type VPN : L2TP/IPSEC
Advanced settings : Key : xxxxxxxxx
Allow protocols :
PAP, CHAP, CHAP version 2

Config on router :
#gateway
interface GigabitEthernet0/1
 port link-mode route
 nat outbound
 ip address 203.xx.xx.2 255.255.255.0 [public ip redacted]

#route
 ip route-static 0.0.0.0 0.0.0.0 203.xx.xx.1 [public ip redacted]

#l2tp
local-user user01
 password simple xxxxx
 service-type ppp
 quit
domain system
 authentication ppp local
 ip pool 1 192.168.112.10 192.168.112.100
 quit
l2tp enable
interface virtual-template 1
 ip address 192.168.112.1 255.255.255.0
 ppp authentication-mode chap domain system
 remote address pool 1
 quit
l2tp-group 1
 tunnel authentication
 tunnel password simple xxxxxx
 allow l2tp virtual-template 1
 start l2tp ip 203.x.x.x domain system
 quit



undo debugging all
debugging l2tp all
debugging ppp all
terminal monitor
terminal debugging

Nothing is coming in on the debugging terminal.

It is not clear what you posted; is this the client config or the server config?
The server assigns an IP, so it usually will not be on the client.

I think you are trying to configure L2TP as though it is a site-to-site VPN versus what it is, which is a remote client to server type of connection.

Look at using the openswan client on the PC to connect using IPSec only.

It is the client config and the server (router) config.
I want to create a dial-in L2TP connection to the router, then you can work externally.

Client config (Windows 7):
destination IP : 203.x.x.x
Type VPN : L2TP/IPSEC
Advanced settings : Key : xxxxxxxxx
Allow protocols :
PAP, CHAP, CHAP version 2

Config on router :
#gateway
interface GigabitEthernet0/1
 port link-mode route
 nat outbound
 ip address 203.xx.xx.2 255.255.255.0 [public ip redacted]
#route
 ip route-static 0.0.0.0 0.0.0.0 203.xx.xx.1 [public ip redacted]
#l2tp
local-user user01
 password simple xxxxx
 service-type ppp
 quit
domain system
 authentication ppp local
 ip pool 1 192.168.112.10 192.168.112.100
 quit
l2tp enable
interface virtual-template 1
 ip address 192.168.112.1 255.255.255.0
 ppp authentication-mode chap domain system
 remote address pool 1
 quit
l2tp-group 1
 tunnel authentication
 tunnel password simple xxxxxx
 allow l2tp virtual-template 1
 start l2tp ip 203.x.x.x domain system
 quit
# debugging
undo debugging all
debugging l2tp all
debugging ppp all
terminal monitor
terminal debugging

Usually, the route on the client will go through the IP assigned to the VPN connection, not the remote public gateway 213.xx.xx.1, which is not a viable path for the client.

Presumably your configuration is L2TP over IPSec.
Do you have the IPSec configuration set up on your Windows system to facilitate the IPSec tunnel to 213.xx.xx.2 through which the L2TP tunnel can be set up?

Debugging the L2TP client connection attempt should shed light on where the setup breaks down.

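The two checks raised in this thread (the client LAN must not overlap the tunnel addressing; a Windows client set to L2TP/IPSEC needs IPsec configured on the router), sketched as an added Python example that is not part of any post here. It assumes Comware IPsec/IKE stanzas begin with `ipsec` or `ike`; `ROUTER_CONFIG` is a trimmed, constructed copy of the posted config, and `vpn_networks` and `preflight` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: the router config from the thread, trimmed to the
# lines these checks read (the redacted public interface is left out).
ROUTER_CONFIG = """\
domain system
 authentication ppp local
 ip pool 1 192.168.112.10 192.168.112.100
l2tp enable
interface virtual-template 1
 ip address 192.168.112.1 255.255.255.0
 ppp authentication-mode chap domain system
 remote address pool 1
l2tp-group 1
 tunnel authentication
 allow l2tp virtual-template 1
"""

def vpn_networks(config):
    """Networks covered by every 'ip address' and 'ip pool' line in the text."""
    nets = set()
    for m in re.finditer(r"^\s*ip address (\S+) (\S+)\s*$", config, re.M):
        nets.add(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
    for m in re.finditer(r"^\s*ip pool \d+ (\S+) (\S+)\s*$", config, re.M):
        first, last = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        nets.update(ipaddress.summarize_address_range(first, last))
    return nets

def preflight(config, client_lan, client_vpn_type):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    lan = ipaddress.ip_network(client_lan)
    overlaps = sorted(str(n) for n in vpn_networks(config) if n.overlaps(lan))
    if overlaps:
        findings.append(f"client LAN {lan} overlaps tunnel addressing: "
                        + ", ".join(overlaps))
    if re.search(r"^\s*l2tp enable\s*$", config, re.M) is None:
        findings.append("router config has no 'l2tp enable'")
    # Assumption: any IPsec/IKE configuration starts a line with 'ipsec' or 'ike'.
    has_ipsec = re.search(r"^\s*(ipsec|ike)\s", config, re.M) is not None
    if client_vpn_type.upper() == "L2TP/IPSEC" and not has_ipsec:
        findings.append("client expects L2TP/IPsec but router config has no "
                        "ipsec/ike stanza")
    return findings

if __name__ == "__main__":
    for finding in preflight(ROUTER_CONFIG, "192.168.100.0/24", "L2TP/IPSEC"):
        print(finding)
```

With the values posted in the thread, the address check passes and only the IPsec mismatch is reported.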
Hi,

The public ip address on the client is for example : 200.x.x.67
The gateway of the ISP is 200.x.x.1

The public IP address on the router is for example 203.x.x.50
The gateway of the ISP is 203.x.x.1

I can ping from 200.x.x.67 to 203.x.x.50. If I activate NAT to an internal server this works fine, but it is not secure.

I want to set up only L2TP.
Do you have the IPSec configuration set up on your Windows system to facilitate the IPSec tunnel to 213.xx.xx.2 through which the L2TP tunnel can be set up? No.

Can you set this up for us?

Is the L2TP server running on a server or on the router?

Why are you choosing L2TP?

The L2TP server is running on an HP router.
OS: Comware 7

L2TP for dial-in for remote support.

Is L2TP the only option?
L2TP is unencrypted, which is why an IPSec tunnel is used to encrypt .....
Your issue could be blocking by your own firewall or providers at either end.

What, if anything, is noted in the HP router's logs?
Is there a functioning L2TP connection already working on the HP router?

Hi,

There is no L2TP connection working on the HP router; this is a new setup. Before, I used Cisco routers.
But I have now set up an IKE/IPsec tunnel; the IKE comes up but the IPsec does not.