Embarking on a home project can often lead to unexpected challenges, especially when troubleshooting resources are limited. In this post, I aim to document my journey, hoping it can assist others facing similar hurdles.
Starting Point: Essential Configuration
For those seeking a straightforward guide, here is the full configuration needed. Replace the addresses with those of your own network to get started.
Understanding Key Configuration Elements
Internet Connection: My Internet uplink is interface G0/0/0, addressed via DHCP. This is the interface VPN clients connect to.
Internal Networking: A switch connects to G0/1/7, and VLAN 12 serves as the internal LAN subnet, hosting server resources.
IP Range: The internal subnets fall within the 192.168.0.0/16 range.
Configuration Details
aaa new-model
! aaa new-model must be enabled before the aaa commands below are accepted
aaa authentication login default local
aaa authentication ppp l2tp local
aaa authorization exec default local
aaa authorization network default if-authenticated
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
license boot level appxk9
!
user-name cisco
 privilege 15
 secret 5 $1$rOWd$fWd5L3B3jF2cysArkZ5Wt1
!
! 3DES and DH group 2 are legacy choices; prefer AES and group 14 where the clients support them
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp nat keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map dynmap 10
 set nat demux
 set transform-set myset
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 192.168.255.255 255.255.255.255
!
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 negotiation auto
 crypto map mymap
!
interface GigabitEthernet0/1/7
 switchport mode trunk
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ip mtu 1300
 ip nat inside
 peer default ip address pool vpn-pool
 ppp authentication pap chap
 ip virtual-reassembly
!
interface Vlan12
 ip address 192.168.12.254 255.255.255.0
 ip nat inside
!
ip local pool vpn-pool 192.168.12.220 192.168.12.239
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
!
! VPN-pool and LAN traffic that stays inside 192.168.0.0/16 must not be translated
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.12.0 0.0.0.255 any
!
!
Overcoming Specific Challenges
NAT Subnets: The NAT access list must deny translation between the VPN pool and the internal resource ranges; otherwise traffic from VPN clients to LAN hosts is translated as if it were leaving for the Internet.
PPP Encryption: While Cisco documentation sometimes suggests using ppp encryption mppe auto under Virtual-Template1, this can cause warnings with Windows 10/11 systems. Removing it resolved these issues in my setup.
User Configuration: With IOS-XE 16.9.2, user configuration needs a specific hierarchy. The older username cisco password cisco format is no longer recognized for VPN access.
LAN Connectivity: Even after the VPN connects and authenticates, access to LAN segments over L2TP may still fail. The command license boot level appxk9 can help here. I'm currently operating with an RTU license and will update on its effectiveness after the 8-week evaluation period.
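To check the NAT-exemption point above before touching the router, here is a small added Python script (not from the original post) that parses a constructed excerpt of the configuration, applies the NAT access list with Cisco's first-match semantics to a few flows, and lists the legacy crypto choices in the IKE/IPsec policy. It assumes only the standard library and the addresses used in this post.

```python
import ipaddress
# Constructed excerpt of the post's configuration (sample input, not a live device).
CONFIG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set myset esp-3des esp-sha-hmac
ip local pool vpn-pool 192.168.12.220 192.168.12.239
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 192.168.12.0 0.0.0.255 any
"""

def _net(tokens):
    """Consume one ACE address spec ('any' or 'addr wildcard'); return (network, remaining tokens).
    Wildcards are hostmasks, which ipaddress accepts as (addr, mask); 0.0.0.0 and 255.255.255.255
    would be read as netmasks, so they are mapped to a single host and to 'any' explicitly."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    if wildcard in ("0.0.0.0", "255.255.255.255"):
        return ipaddress.ip_network(addr + ("/32" if wildcard == "0.0.0.0" else "/0"), strict=False), tokens[2:]
    return ipaddress.ip_network((addr, wildcard), strict=False), tokens[2:]

def parse_acl(config, name):
    """Return [(action, src_net, dst_net)] for the named extended IP ACL, in configured order."""
    aces, inside = [], False
    for line in config.splitlines():
        if line.startswith(f"ip access-list extended {name}"):
            inside = True
        elif inside and line.startswith(" "):
            action, _proto, *rest = line.split()
            src, rest = _net(rest)
            dst, _ = _net(rest)
            aces.append((action, src, dst))
        elif inside:
            break
    return aces

def is_translated(aces, src_ip, dst_ip):
    """First match wins: 'permit' selects the flow for NAT; 'deny' or no match leaves it untranslated."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in aces:
        if src in s and dst in d:
            return action == "permit"
    return False

LEGACY = ("3des", "group 2", "md5")  # substring markers for legacy IKE/IPsec choices worth revisiting
def weak_settings(config):  # sorted set of legacy markers found anywhere in the configuration
    return sorted({m for line in config.splitlines() for m in LEGACY if m in line})
```

Running `is_translated(parse_acl(CONFIG, "NAT"), "192.168.12.225", "192.168.12.10")` returns False (a VPN client reaching a LAN server is exempt), while the same client or a LAN host reaching an Internet address returns True.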
Conclusion
I hope sharing these insights helps others navigate similar network configuration endeavors more smoothly. Stay tuned for further updates as I continue to explore and refine this setup.
2 Dec 2023