@ntkernel, 2022-01-26 16:09:42
Debian

How to make L2TP tunnel from Debian to Cisco ISR?

Good day, everyone! I have a VPS running Debian and a Cisco ISR 2801 (behind NAT); all ports are forwarded, and on another device the connection works fine. On the Cisco there is an L2TP server (config below); on the VPS, strongSwan and xl2tpd. Everything seems to be set up, and I'm trying to connect.
The only error is:

IDir 'CISCO_внутренний_ип' does not match to 'мой_белый_адресс'

It doesn't seem critical, but still. And below it: establishing connection 'VPN1' failed.
Full log:
[email protected]:/var/run/xl2tpd# ipsec up VPN1
initiating Main Mode IKE_SA VPN1[2] to мой_белый_ип
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from впска[500] to мой_белый_ип[500] (212 bytes)
received packet: from мой_белый_ип[500] to впска[500] (100 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from впска[500] to мой_белый_ип[500] (244 bytes)
received packet: from мой_белый_ип[500] to впска[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: 7b:ef:fc:65:da:03:85:af:41:01:d3:0c:68:0b:19:48
received XAuth vendor ID
remote host is behind NAT
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from впска[4500] to мой_белый_ип[4500] (100 bytes)
received packet: from мой_белый_ип[4500] to впска[4500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IDir 'CISCO_внутренний_ип' does not match to 'мой_белый_ип'
deleting IKE_SA VPN1[2] between впска[впска]..мой_белый_ип[%any]
sending DELETE for IKE_SA VPN1[2]
generating INFORMATIONAL_V1 request 4221341034 [ HASH D ]
sending packet: from впска[4500] to мой_белый_ип[4500] (84 bytes)
establishing connection 'VPN1' failed
[email protected]:/var/run/xl2tpd# ^C


VPN client config:
[email protected]:/var/run/xl2tpd# cat /etc/ipsec.conf
config setup
conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn VPN1
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=мой_белый_ип


Cisco config:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key PSK_ключ address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp identity hostname
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 mode transport
!
crypto dynamic-map L2TP-MAP 10
 set nat demux
 set transform-set ESP-3DES-SHA 
!
!
crypto map CRYPTO_MAP 100 ipsec-isakmp dynamic L2TP-MAP

If you need anything else, just write :)
Thank you in advance!
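A small triage helper for transcripts like the one in the post, added here as an illustration and not part of the question or of strongSwan itself. It walks the `ipsec up` output line by line, records the negotiated IKE proposal, whether NAT was detected, and the IDir mismatch that precedes the IKE_SA deletion, then reports two things a reviewer would want to see at once: that the peer identified itself with an ID different from the address the client dialled (strongSwan compares the received IDir against `rightid`, which defaults to the `right=` address), and that the selected proposal (3DES, SHA-1, 1024-bit MODP) is legacy. The sample log is constructed with RFC 5737 documentation addresses in place of the poster's placeholders; the `Triage` type and `LEGACY_ALGS` table are this example's own names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input (not the poster's real addresses): the same line
# shapes as the `ipsec up VPN1` transcript in the post, with RFC 5737
# documentation addresses standing in for the placeholders.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA VPN1[2] to 203.0.113.10
generating ID_PROT request 0 [ SA V V V V V ]
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
received Cisco Unity vendor ID
received XAuth vendor ID
remote host is behind NAT
IDir '10.0.0.1' does not match to '203.0.113.10'
deleting IKE_SA VPN1[2] between 198.51.100.5[198.51.100.5]..203.0.113.10[%any]
establishing connection 'VPN1' failed
"""

# Algorithm tokens (strongSwan naming) that should be flagged when they show up
# in a selected IKE proposal. Table is this example's own, not strongSwan's.
LEGACY_ALGS = {
    "3DES_CBC": "3DES is a 64-bit block cipher and deprecated; prefer AES",
    "MODP_1024": "1024-bit MODP group is too small; use modp2048 or stronger",
    "HMAC_SHA1_96": "HMAC-SHA1 integrity is legacy; prefer SHA-256",
}


@dataclass
class Triage:
    """Facts extracted from one `ipsec up` run (hypothetical helper type)."""
    conn: Optional[str] = None
    peer: Optional[str] = None
    proposal: Optional[str] = None
    remote_behind_nat: bool = False
    idir_received: Optional[str] = None
    idir_expected: Optional[str] = None
    failed: bool = False
    findings: List[str] = field(default_factory=list)


def assess(t: Triage) -> List[str]:
    """Turn the extracted facts into human-readable findings."""
    findings = []
    if t.idir_received is not None:
        nat_note = (" (peer is behind NAT, so the ID it sends is not the public "
                    "address that was dialled)" if t.remote_behind_nat else "")
        findings.append(
            f"identity mismatch: peer sent IDir '{t.idir_received}', config expects "
            f"'{t.idir_expected}' (rightid defaults to the right= address){nat_note}"
        )
    if t.proposal:
        for token in t.proposal.split("/"):
            if token in LEGACY_ALGS:
                findings.append(f"weak IKE algorithm {token}: {LEGACY_ALGS[token]}")
    return findings


def parse_ipsec_up(text: str) -> Triage:
    """Walk an `ipsec up` transcript and collect why the IKE_SA was torn down."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"initiating .*IKE_SA ([^\[\s]+)\[\d+\] to (\S+)", line)
        if m:
            t.conn, t.peer = m.group(1), m.group(2)
            continue
        m = re.match(r"selected proposal: IKE:(\S+)", line)
        if m:
            t.proposal = m.group(1)
            continue
        if line == "remote host is behind NAT":
            t.remote_behind_nat = True
            continue
        m = re.match(r"IDir '([^']*)' does not match to '([^']*)'", line)
        if m:
            t.idir_received, t.idir_expected = m.group(1), m.group(2)
            continue
        if re.match(r"establishing connection '[^']+' failed", line):
            t.failed = True
    t.findings = assess(t)
    return t


if __name__ == "__main__":
    result = parse_ipsec_up(SAMPLE_LOG)
    print(f"connection {result.conn} to {result.peer}: failed={result.failed}")
    for finding in result.findings:
        print(" -", finding)
```

Run it against a real transcript by piping `ipsec up <conn>` output into `parse_ipsec_up`; the first finding tells you which identity the peer actually presented, which is the value the client-side `rightid` has to agree with, and the remaining findings list the proposal components that should be tightened on both ends once the tunnel comes up.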
