manuverhaegen
asked on
l2tp tunnel from pc to router
We cannot connect from a Windows 7 PC to a Comware router.
Config on router
#gateway
interface GigabitEthernet0/1
port link-mode route
nat outbound
ip address 203.xx.xx.2 255.255.255.0 [public ip redacted]
#route
ip route-static 0.0.0.0 0.0.0.0 203.xx.xx.1 [public ip redacted]
#l2tp
local-user user01
password simple test123
service-type ppp
quit
domain system
authentication ppp local
ip pool 1 192.168.112.10 192.168.112.100
quit
l2tp enable
interface virtual-template 1
ip address 192.168.112.1 255.255.255.0
ppp authentication-mode chap domain system
remote address pool 1
quit
l2tp-group 1
tunnel name LNS
allow l2tp virtual-template 1
quit
Where are you testing these connection attempts from, and what is the local LAN IP on the client? The LAN IP on the client and the LAN IP on the remote side cannot overlap; they cannot be or include 192.168.112.0/24.
ASKER
The LAN IP of the client is 192.168.100.0/24
Does the VPN tunnel get established, but no traffic passes?
Does the VPN IP 192.168.112.x come up on the client?
Your user config does not seem to be pushing a route for 192.168.112.0/24 to the client.
So while the VPN client IP might come up, the setting might require you to manually add routes:
route add 192.168.112.0 mask 255.255.255.0 192.168.112.x where the 192.168.112.x is the VPN assigned IP.
ASKER
The VPN tunnel is not established and no traffic passes.
The VPN IP 192.168.112.x does not come up on the client side.
Configuration client side:
203.x.x.x
Type VPN : L2TP/IPSEC
Advanced settings : Key : xxxxxxxxx
Allow protocols :
PAP, CHAP, CHAP version 2
Config on router :
#gateway
interface GigabitEthernet0/1
port link-mode route
nat outbound
ip address 203.xx.xx.2 255.255.255.0 [public ip redacted]
#route
ip route-static 0.0.0.0 0.0.0.0 203.xx.xx.1 [public ip redacted]
#l2tp
local-user user01
password simple xxxxx
service-type ppp
quit
domain system
authentication ppp local
ip pool 1 192.168.112.10 192.168.112.100
quit
l2tp enable
interface virtual-template 1
ip address 192.168.112.1 255.255.255.0
ppp authentication-mode chap domain system
remote address pool 1
quit
l2tp-group 1
tunnel authentication
tunnel password simple xxxxxx
allow l2tp virtual-template 1
start l2tp ip 203.x.x.x domain system
quit
undo debugging all
debugging l2tp all
debugging ppp all
terminal monitor
terminal debugging
Nothing is coming in the debugging terminal.
It is not clear what you posted; is this the client config or the server config?
The server assigns an IP, so it usually will not be on the client.
I think you are trying to configure L2TP as though it is a site-to-site VPN, versus what it is, which is a remote client-to-server type of connection.
Look at using openswan client on the PC to connect using IPSec only.
ASKER
It is the client config and the server (router) config.
I want to create a dial-in L2TP connection to the router, so you can work externally.
Client config (Windows 7):
destination IP : 203.x.x.x
Type VPN : L2TP/IPSEC
Advanced settings : Key : xxxxxxxxx
Allow protocols :
PAP, CHAP, CHAP version 2
Config on router :
#gateway
interface GigabitEthernet0/1
port link-mode route
nat outbound
ip address 203.xx.xx.2 255.255.255.0 [public ip redacted]
#route
ip route-static 0.0.0.0 0.0.0.0 203.xx.xx.1 [public ip redacted]
#l2tp
local-user user01
password simple xxxxx
service-type ppp
quit
domain system
authentication ppp local
ip pool 1 192.168.112.10 192.168.112.100
quit
l2tp enable
interface virtual-template 1
ip address 192.168.112.1 255.255.255.0
ppp authentication-mode chap domain system
remote address pool 1
quit
l2tp-group 1
tunnel authentication
tunnel password simple xxxxxx
allow l2tp virtual-template 1
start l2tp ip 203.x.x.x domain system
quit
# debugging
undo debugging all
debugging l2tp all
debugging ppp all
terminal monitor
terminal debugging
Usually, the route on the client will go through the IP assigned to the VPN connection, not the remote public gateway 213.xx.xx.1, which is not a viable path for the client.
Presumably your configuration is L2TP over IPsec.
Do you have the IPsec configuration set up on your Windows system to facilitate the IPsec tunnel to 213.xx.xx.2, through which the L2TP tunnel can be set up?
Debugging the l2tp client connection attempt should shed light on where the setup breaks down.
ASKER
Hi,
The public IP address on the client is, for example, 200.x.x.67.
The gateway of the ISP is 200.x.x.1.
The public IP address on the router is, for example, 203.x.x.50.
The gateway of the ISP is 203.x.x.1.
I can ping from 200.x.x.67 to 203.x.x.50; if I activate NAT to an internal server this works fine, but it is not secure.
I want to set up only L2TP.
Do you have the IPsec configuration set up on your Windows system to facilitate the IPsec tunnel to 213.xx.xx.2, through which the L2TP tunnel can be set up? No.
Can you set this up for us?
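An added example, not from the thread or from HP: a small Python lint that checks the posted LNS config against the Windows 7 client profile for the mismatches raised in this thread (the expert's overlap check from the first reply, and the missing IPsec side confirmed just above), plus the tunnel-authentication and clear-text-secret points a reviewer would flag. The reduced config text and the client dictionary are constructed from the posts; the field names are assumptions.

```python
import ipaddress
import re

# Constructed input: the asker's Comware LNS config, reduced to the lines the lint reads.
ROUTER_CFG = """\
local-user user01
 password simple test123
 service-type ppp
domain system
 authentication ppp local
 ip pool 1 192.168.112.10 192.168.112.100
l2tp enable
interface virtual-template 1
 ip address 192.168.112.1 255.255.255.0
 ppp authentication-mode chap domain system
 remote address pool 1
l2tp-group 1
 tunnel authentication
 tunnel password simple xxxxxx
 allow l2tp virtual-template 1
"""

# Constructed client profile from the thread: Windows 7 "L2TP/IPSEC" with a pre-shared key,
# client LAN 192.168.100.0/24, and no L2TP tunnel password configured anywhere.
WIN7_CLIENT = {"vpn_type": "L2TP/IPSEC", "psk": "xxxxxxxxx",
               "lan": "192.168.100.0/24", "tunnel_password": None}


def lint_l2tp(cfg: str, client: dict) -> list:
    """Return (code, explanation) pairs for LNS/client mismatches."""
    findings = []
    # 1. L2TP/IPsec: IKE must complete before a single L2TP packet is sent, so an LNS
    #    without any ike/ipsec lines never sees UDP/1701 and 'debugging l2tp' stays silent.
    if client["vpn_type"].upper().startswith("L2TP/IPSEC") and \
            not re.search(r"^\s*(ike|ipsec) ", cfg, re.M):
        findings.append(("no-ipsec", "client negotiates IKE/IPsec first, router has none"))
    # 2. LNS-side tunnel authentication needs a matching tunnel secret on the client.
    if re.search(r"^\s*tunnel authentication\s*$", cfg, re.M) and not client["tunnel_password"]:
        findings.append(("tunnel-auth", "LNS enforces tunnel authentication, client has no secret"))
    # 3. The VPN subnet (from the virtual-template address) must not overlap the client LAN.
    m = re.search(r"interface virtual-template \d+\s*\n\s*ip address (\S+) (\S+)", cfg)
    if m:
        vt_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if vt_net.overlaps(ipaddress.ip_network(client["lan"])):
            findings.append(("overlap", f"VPN subnet {vt_net} overlaps client LAN {client['lan']}"))
    # 4. 'password simple' keeps secrets in clear text in the running config.
    for line in cfg.splitlines():
        if "password simple" in line:
            findings.append(("plaintext-secret", line.strip()))
    return findings


if __name__ == "__main__":
    for code, why in lint_l2tp(ROUTER_CFG, WIN7_CLIENT):
        print(f"[{code}] {why}")
```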
Is the L2TP server running on a server or on the router?
Why are you choosing L2TP?
ASKER
The L2TP server is running on an HP router.
OS: Comware 7
L2TP for dial-in for remote support.
Is L2TP the only option?
L2TP is unencrypted, which is why an IPsec tunnel is used to encrypt .....
Your issue could be blocking by your own firewall or the providers at either end.
What, if anything, is noted in the HP router's logs?
Is there a functioning L2TP connection already working on the HP router?
ASKER
Hi,
There is no L2TP connection working on the HP router; this is a new setup. Before, I used Cisco routers.
But I have now set up an IKE/IPsec tunnel; the IKE comes up but the IPsec does not.