Comments on: Mac OS X L2TP VPN to Cisco IOS http://inodes.org/2008/12/16/mac-os-x-l2tp-vpn-to-cisco-ios/ Moo - Development, Trouble-shooting and Random thoughts... Thu, 01 Jul 2010 03:27:59 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Daniele http://inodes.org/2008/12/16/mac-os-x-l2tp-vpn-to-cisco-ios/comment-page-1/#comment-2516 Daniele Wed, 22 Apr 2009 17:26:13 +0000 http://inodes.org/blog/?p=108#comment-2516 @John: thank you for the reply. I tried to give to the Mac a public ip address, in order to avoid nat-related problems, but this didn't fix the issue. Anyway I have a doubt about my (and your) config...the command crypto keyring should be applied to a crypto isakmp profile, or am I wrong? From Cisco Command Reference: ############################################# Usage Guidelines A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile. Examples The following example shows that a keyring and its usage have been defined: crypto keyring vpnkeys pre-shared-key address 10.72.23.11 key vpnsecret crypto isakmp profile vpnprofile keyring vpnkeys ############################################# Regards - Daniele @John: thank you for the reply. I tried to give to the Mac a public ip address, in order to avoid nat-related problems, but this didn’t fix the issue. Anyway I have a doubt about my (and your) config…the command crypto keyring should be applied to a crypto isakmp profile, or am I wrong?

From Cisco Command Reference:
#############################################
Usage Guidelines

A keyring is a repository of preshared and Rivest, Shamir, and Adelman (RSA) public keys. The keyring is used in the ISAKMP profile configuration mode. The ISAKMP profile successfully completes authentication of peers if the peer keys are defined in the keyring that is attached to this profile.

Examples
The following example shows that a keyring and its usage have been defined:

crypto keyring vpnkeys
pre-shared-key address 10.72.23.11 key vpnsecret

crypto isakmp profile vpnprofile
keyring vpnkeys
#############################################

Regards – Daniele

]]> By: johnf http://inodes.org/2008/12/16/mac-os-x-l2tp-vpn-to-cisco-ios/comment-page-1/#comment-2515 johnf Wed, 22 Apr 2009 07:26:29 +0000 http://inodes.org/blog/?p=108#comment-2515 @Daniele: Is it possible that your NAT router is blocking outbound connections? Connection refused looks like something in the path is blocking the UDP packets. Try using tcpdump on the Mac OS X client to see if you can work out what's sending the ICMP packet. @Daniele: Is it possible that your NAT router is blocking outbound connections? Connection refused looks like something in the path is blocking the UDP packets. Try using tcpdump on the Mac OS X client to see if you can work out what’s sending the ICMP packet.

]]> By: Daniele http://inodes.org/2008/12/16/mac-os-x-l2tp-vpn-to-cisco-ios/comment-page-1/#comment-2508 Daniele Fri, 10 Apr 2009 12:08:07 +0000 http://inodes.org/blog/?p=108#comment-2508 Hi John, I'm trying to realize a l2tp vpn from the Mac OS X native client to a Cisco router, so this is the same scenario of your post. Obviously the connection isn't working and I cannot understand the reason. I activated several debug on the router in order to see what happens, but I don't see any useful info. From the Mac OS X side, I can only see that the connection is refused, nothing more. I don't know if it's relevant, but the Mac OS X box is behind a router that does NAT, so the network diagram is: MAC OS X ----> NAT ROUTER -----INTERNET CLOUD--------->CISCO ROUTER Pls can you help me? This is my relevant config: ################################################################### aaa new-model ! ! aaa authentication ppp default local ! crypto keyring L2TP pre-shared-key address 0.0.0.0 0.0.0.0 key PASSWORD ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 ! ! crypto ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac mode transport ! crypto dynamic-map L2TP 10 set nat demux set transform-set 3DES-SHA-TRANS match address L2TP ! ! ! crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP ! ! vpdn enable ! vpdn-group 1 ! Default L2TP VPDN group accept-dialin protocol l2tp virtual-template 1 no l2tp tunnel authentication ! interface Loopback0 ip address 1.1.1.1 255.255.255.255 ! interface FastEthernet0/0 ip address PUBLIC-IP-ADDRESS 255.255.255.252 ip nat outside ip virtual-reassembly duplex auto speed auto crypto map INTERNET ! interface Virtual-Template1 ip unnumbered Loopback0 peer default ip address pool remote_clients_pool ppp mtu adaptive ppp authentication chap ms-chap ! ip local pool remote_clients_pool 192.168.100.1 192.168.100.254 no ip classless ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX ! ip access-list extended L2TP permit udp any eq 1701 any ! #################################################################### Thank you in advance, Kind Regards - Daniele (from Italy) Hi John,

I’m trying to realize a l2tp vpn from the Mac OS X native client to a Cisco router, so this is the same scenario of your post.

Obviously the connection isn’t working and I cannot understand the reason. I activated several debug on the router in order to see what happens, but I don’t see any useful info. From the Mac OS X side, I can only see that the connection is refused, nothing more.

I don’t know if it’s relevant, but the Mac OS X box is behind a router that does NAT, so the network diagram is:

MAC OS X —-> NAT ROUTER —–INTERNET CLOUD———>CISCO ROUTER

Pls can you help me?

This is my relevant config:

###################################################################
aaa new-model
!
!
aaa authentication ppp default local
!
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key PASSWORD
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map L2TP 10
set nat demux
set transform-set 3DES-SHA-TRANS
match address L2TP
!
!
!
crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP
!
!
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address PUBLIC-IP-ADDRESS 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map INTERNET
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool remote_clients_pool
ppp mtu adaptive
ppp authentication chap ms-chap
!
ip local pool remote_clients_pool 192.168.100.1 192.168.100.254
no ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
ip access-list extended L2TP
permit udp any eq 1701 any
!
####################################################################

Thank you in advance,

Kind Regards – Daniele (from Italy)

]]> By: johnf http://inodes.org/2008/12/16/mac-os-x-l2tp-vpn-to-cisco-ios/comment-page-1/#comment-2445 johnf Fri, 26 Dec 2008 23:10:19 +0000 http://inodes.org/blog/?p=108#comment-2445 Hi Phil, The ACL needs to be applied to the crypto map. The basic config looks something like vpdn enable ! vpdn-group L2TP ! Default L2TP VPDN group description L2TP Clients accept-dialin protocol l2tp virtual-template 1 no l2tp tunnel authentication ! crypto keyring L2TP pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac. mode transport ! crypto dynamic-map L2TP 10 set nat demux set transform-set 3DES-SHA-TRANS match address L2TP ! crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP ! interface Virtual-Template1 ip unnumbered Loopback0 no peer default ip address ppp mtu adaptive ppp authentication ms-chap vpdn ppp authorization vpdn ppp accounting vpdn The above config is probably missing the IP pool setup since I do that via RADIUS Cheers, John Hi Phil,

The ACL needs to be applied to the crypto map. The basic config looks something like

vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
description L2TP Clients
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto keyring L2TP
pre-shared-key address 0.0.0.0 0.0.0.0 key SECRET
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
ipsec transform-set 3DES-SHA-TRANS esp-3des esp-sha-hmac.
mode transport
!
crypto dynamic-map L2TP 10
set nat demux
set transform-set 3DES-SHA-TRANS
match address L2TP
!
crypto map INTERNET 65000 ipsec-isakmp dynamic L2TP
!
interface Virtual-Template1
ip unnumbered Loopback0
no peer default ip address
ppp mtu adaptive
ppp authentication ms-chap vpdn
ppp authorization vpdn
ppp accounting vpdn

The above config is probably missing the IP pool setup since I do that via RADIUS

Cheers,
John

]]> By: Phil http://inodes.org/2008/12/16/mac-os-x-l2tp-vpn-to-cisco-ios/comment-page-1/#comment-2444 Phil Sat, 20 Dec 2008 07:33:30 +0000 http://inodes.org/blog/?p=108#comment-2444 Hi John, I have been having the same problems with connecting Mac OS via L2TP/IPSec. Where does that access list need to be applied? Would you be able to paste me your full configuration? Cheers, Phil. Hi John,

I have been having the same problems with connecting Mac OS via L2TP/IPSec. Where does that access list need to be applied? Would you be able to paste me your full configuration?

Cheers,
Phil.

]]>