How to set up an L2TP tunnel from Debian to a Cisco ISR?
Good day everyone! I have a VPS running Debian and a Cisco ISR 2801 (behind NAT; all ports are forwarded, and from another box the connection works fine). On the Cisco there is an L2TP server (config below); on the VPS, strongSwan and xl2tpd. Everything seems to be configured, and I'm trying to connect.
The only errors I get are
IDir 'CISCO_internal_ip' does not match to 'my_public_ip'
(which doesn't look critical, but still) and, further down, "establishing connection 'VPN1' failed".
# ipsec up VPN1
initiating Main Mode IKE_SA VPN1[2] to my_public_ip
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from vps[500] to my_public_ip[500] (212 bytes)
received packet: from my_public_ip[500] to vps[500] (100 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from vps[500] to my_public_ip[500] (244 bytes)
received packet: from my_public_ip[500] to vps[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 7b:ef:fc:65:da:03:85:af:41:01:d3:0c:68:0b:19:48
received XAuth vendor ID
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from vps[4500] to my_public_ip[4500] (100 bytes)
received packet: from my_public_ip[4500] to vps[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IDir 'CISCO_internal_ip' does not match to 'my_public_ip'
deleting IKE_SA VPN1[2] between vps[vps]..my_public_ip[%any]
sending DELETE for IKE_SA VPN1[2]
generating INFORMATIONAL_V1 request 4221341034 [ HASH D ]
sending packet: from vps[4500] to my_public_ip[4500] (84 bytes)
establishing connection 'VPN1' failed

# cat /etc/ipsec.conf
config setup

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn VPN1
    keyexchange=ikev1
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=my_public_ip
Cisco ISR config:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key PSK_key address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp identity hostname
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
!
crypto dynamic-map L2TP-MAP 10
 set nat demux
 set transform-set ESP-3DES-SHA
!
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic L2TP-MAP
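The log line "IDir 'CISCO_internal_ip' does not match to 'my_public_ip'" is the actual failure, not a warning: in IKEv1 Main Mode strongSwan, as initiator, checks the identity the responder sends (IDir) against rightid, which defaults to the right= address. A peer behind NAT presents its own inside address as its identity, the check fails, and strongSwan deletes the IKE_SA before Quick Mode is ever attempted. Below is an added example of the VPN1 section with the expected peer identity pinned explicitly; it is editor-supplied, not the poster's config or a Cisco/strongSwan reference configuration, and reuses the poster's placeholders (CISCO_internal_ip, my_public_ip). It also drops the DH group from the ESP proposal: in strongSwan a DH group in esp= turns on PFS for Quick Mode, while the dynamic map above has no "set pfs group2", so the two sides would disagree on PFS as soon as Phase 1 succeeded.

```ini
# Added example (not from the original post): strongSwan client side of the
# L2TP/IPsec transport-mode connection to a NATed Cisco ISR.
# CISCO_internal_ip and my_public_ip are the poster's placeholders.
conn VPN1
    keyexchange=ikev1
    authby=secret
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    right=my_public_ip
    rightprotoport=17/1701
    # The ISR is behind NAT and identifies itself by its inside address,
    # so the default rightid (= right) fails the IDir check. Pin the
    # identity the Cisco actually sends; rightid=%any would also accept it
    # but then any identity behind that address is trusted.
    rightid=CISCO_internal_ip
    # Phase 1 must match the Cisco policy (3des / sha1 / group 2).
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    # No DH group in the ESP proposal: the Cisco dynamic map has no
    # "set pfs", so proposing PFS would fail Quick Mode. Add
    # "set pfs group2" on the Cisco instead if PFS is wanted.
    esp=aes128-sha1,3des-sha1!
    auto=add
```

Because the pre-shared key is selected in Main Mode before the peer's identity is known, the matching entry in ipsec.secrets has to be keyed by the peer's public address (my_public_ip) or %any, not by CISCO_internal_ip. After changing the file, run "ipsec reload" (or "ipsec update") and repeat "ipsec up VPN1"; the IDir message should disappear and the log should continue into Quick Mode.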