L2TP over IPsec on Cisco IOS

Written in the mid-afternoon in English • Tags: , , , , ,

I wanted to use the OS X VPN client to connect to my home network while on the road. I guess using an OS X server would be the easiest way to get a Mac-compatible VPN server up and running. Using a Cisco running IOS required quite a few lines of configuration.

The OS X VPN client provides terrible feedback. It will happily tell you that there was “no response from the VPN server” when in reality the server responds with a rejection of all the ISAKMP or IPsec transforms proposed by the client. Fortunately both the Cisco debugging messages and verbose output from tcpdump were quite helpful.

In about 3 hours I got it all working, including routing with other VRFs and DMVPN sites.

! Enable L2TP
! - Connect VPN clients to VRF private
! - Enable NAT using NVI (already otherwise configured)

! Must use "password" ("secret" won't work)
username roadwarrior password 0 <removed>

aaa authentication ppp l2tp-auth local-case

ip local pool l2tp-pool

vpdn enable

interface Virtual-Template1
 vrf forwarding private
 ip unnumbered Loopback0
 ip nat enable
 peer default ip address pool l2tp-pool
 ppp mtu adaptive
 ppp authentication ms-chap-v2 l2tp-auth

vpdn-group l2tp-group
 ! Default L2TP VPDN group
 description L2TP clients
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication

! ISAKMP policy:
! - OS X offers aes 256 and 128 (but not 192)
! - SHA1 is the default hash on Cisco IOS (does not show up in config)
! - OS X doesn't offer any of the PFS groups

crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 2
 lifetime 14400

! Internet is connected to VRF cable
crypto keyring l2tp-ring vrf cable
  pre-shared-key address key <removed>

! IPsec policy
! - Match OS X proposal

crypto ipsec transform-set l2tp-transform esp-aes 256 esp-sha-hmac
 mode transport

! Require IPsec for all L2TP traffic
! - Vlan6 is in the cable VRF already

ip access-list extended l2tp-access
 permit udp any eq 1701 any

crypto dynamic-map l2tp-map 10
 set nat demux
 set transform-set l2tp-transform
 match address l2tp-access

crypto map l2tp 10 ipsec-isakmp dynamic l2tp-map

interface Vlan6
 crypto map l2tp

! Import the routes into BGP for leaking them to other VRFs
! - BGP is already otherwise configured for route leaking

ip prefix-list l2tp seq 10 permit le 32

route-map connected-to-bgp permit 10
 match ip address prefix-list l2tp

router bgp 65111
 address-family ipv4 vrf private
  redistribute connected route-map connected-to-bgp

! Redistribute into OSPF (for DMVPN connected sites)
! - XXX: Why isn't OSPF getting these from BGP redistribution?

route-map connected-to-ospf permit 10
 match ip address prefix-list l2tp

router ospf 100 vrf private
 redistribute connected subnets route-map connected-to-ospf