Napsterbater (MVM, join:2002-12-28, Milledgeville, GA)
[Config] 887 Layer 2 L2TPv3 tunnel Config for Softether.

Hey guys, I'm working on getting a L2TPv3 tunnel up between my 887 at home and my dedicated server.

I'm looking for Layer 2 connectivity over the network. I have this currently via a Softether Server on my network with a connection to the one on the dedicated server, but I want to move it to the 887 on my side.

The dedicated server has Softether running as a L2TPv3 host/server, all it needs to "authenticate" the L2TPv3 client is the Phase 1 ID of the L2TPv3 client. (currently it is set to allow any during testing)

Now I tried using these two sites, but the Cisco site is for connecting to another Cisco device and Softether's config is a little confusing.

»www.cisco.com/c/en/us/su ··· -00.html

»www.google.com/url?sa=t& ··· &cad=rja

My setup is like so:

FastEthernet0 is a VLAN Trunk for all (except 22) VLANs to the switch.

VLAN2 is my "LAN", NAT Inside
VLAN3 is my "WAN" DHCP from ISP NAT Outside (DSL interface is not used)

VLAN22 is gonna be the LAN bridge interface for my side, it will connect back to the switch via an access port that is untagged VLAN2.

interface FastEthernet3 will have "switchport access vlan 22"

So I tried this (from the Cisco site). (Note: encryption is not a priority, just trying to get it to work at first.)

(Note: 1.2.3.4, is replaced with the real IP in the config)
car1(config)#pseudowire-class atlvmhostbridge
car1(config-pw-class)#encapsulation l2tpv3
car1(config-pw-class)#protocol none
car1(config-pw-class)#ip local interface vlan3
car1(config-pw-class)#exit
car1(config)#interface vlan22
car1(config-if)#xconnect 1.2.3.4 1 encapsulation l2tpv3 manual pw-class atlvmhostbridge
car1(config-if-xconn)#l2tp id 1 2
car1(config-if-xconn)#exit
car1(config-if)#exit
car1(config)#show l2tun tunnel all
 
%No active L2TP tunnels
 
car1#show l2tun
 
L2TP Tunnel and Session Information Total tunnels 0 sessions 1
 
LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
1          2          n/a        1, Vl22:22           est    00:00:27 9
 

I also tried this.

(Note: 1.2.3.4, is replaced with the real IP in the config)
pseudowire-class atlvmhostbridge
encapsulation l2tpv3
ip local interface vlan3
exit
 
crypto isakmp policy 1
encryption aes 256
authentication pre-share
group 2
exit
 
crypto isakmp key vpn address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 2 periodic
crypto ipsec fragmentation after-encryption
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
mode transport
exit
 
crypto map MAP 1 ipsec-isakmp
set peer 1.2.3.4
set transform-set IPSEC
match address IPSEC_MATCH_RULE
exit
 
ip access-list extended IPSEC_MATCH_RULE
permit 115 any any
exit
 
interface vlan3
crypto map MAP
exit
 
interface vlan22
no cdp enable
xconnect 1.2.3.4 1 pw-class atlvmhostbridge
bridge-group 1
exit
 

Does anyone see anything wrong with either config that keeps them from working, at least on this end?

I have never tried to set up a VPN on a Cisco before and I am as lost as a fart in a whirlwind.

Config before running anything above.
car1#show running
Building configuration...
 
Current configuration : 10444 bytes
!
! Last configuration change at 04:55:18 UTC Fri Nov 14 2014 by napsterbater
! NVRAM config last updated at 00:00:23 UTC Fri Nov 14 2014 by napsterbater
! NVRAM config last updated at 00:00:23 UTC Fri Nov 14 2014 by napsterbater
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname car1
!
boot-start-marker
boot system flash c880data-universalk9-mz.151-4.M8.bin
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-54818165
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-54818165
 revocation-check none
 rsakeypair TP-self-signed-54818165
!
!
crypto pki certificate chain TP-self-signed-54818165
 certificate self-signed 01
****************************************************
        quit
no ip source-route
!
!
!
ip dhcp database flash:/dhcp-db
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.1.1 10.0.1.19
ip dhcp excluded-address 10.0.1.231 10.0.1.254
ip dhcp excluded-address 10.0.2.1 10.0.2.19
ip dhcp excluded-address 10.0.2.231 10.0.2.254
ip dhcp ping timeout 250
!
ip dhcp pool MainLAN
 network 10.0.1.0 255.255.255.0
 domain-name napshome.local
 default-router 10.0.1.3
 dns-server 10.0.1.2 10.0.1.5
 lease 31
!
ip dhcp pool GuestWLAN
 network 10.0.2.0 255.255.255.0
 domain-name guestWLAN.napshome.local
 dns-server 10.0.2.1
 default-router 10.0.2.1
 lease 31
!
ip dhcp pool Xbox360
 host 10.0.1.235 255.255.255.0
 client-identifier **************************
 lease 31
!
ip dhcp pool Bos
 host 10.0.1.130 255.255.255.0
 client-identifier **************************
 lease 31
!
ip dhcp pool HP6500
 host 10.0.1.230 255.255.255.0
 client-identifier **************************
 lease 31
!
!
ip cef
ip flow-cache timeout inactive 10
ip flow-cache timeout active 1
ip domain round-robin
ip domain retry 3
ip domain timeout 2
ip domain name napshome.local
ip name-server 10.0.1.2
ip name-server **************************
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp database flash:/dhcpv6-db
ipv6 dhcp ping packets 2
ipv6 dhcp pool GuestWLANIPv6
 address prefix **************************/64 lifetime 86400 3600
 dns-server **************************
 dns-server FEC0:0:0:FFFF::1
 dns-server FEC0:0:0:FFFF::2
 domain-name guestwifi.napshome.local
!
ipv6 dhcp pool MainLANIPv6
 address prefix **************************/64 lifetime 86400 3600
 dns-server **************************
 dns-server **************************
 domain-name napshome.local
!
!
!
multilink bundle-name authenticated
license udi pid CISCO887-SEC-K9 sn **************************
license boot module c880-data level advipservices
!
!
username ************************** privilege 15 password 0 **************************
!
!
!
!
no ip ftp passive
ip ssh version 2
!
!
!
!
!
!
!
!
!
interface Tunnel0
 description HE IPv6 Tunnel
 bandwidth 40000
 no ip address
 ipv6 address **************************/64
 ipv6 enable
 ipv6 traffic-filter ipv6tunnel-in in
 ipv6 traffic-filter ipv6tunnel-out out
 tunnel source Vlan3
 tunnel mode ipv6ip
 tunnel destination 216.66.22.2
 tunnel bandwidth transmit 40000
 tunnel bandwidth receive 40000
!
interface Tunnel1
 description My Server IPv6 Tun
 bandwidth 40000
 no ip address
 shutdown
 ipv6 address **************************/64
 ipv6 enable
 ipv6 traffic-filter ipv6tunnel-in in
 ipv6 traffic-filter ipv6tunnel-out out
 tunnel source Vlan3
 tunnel mode ipv6ip
 tunnel destination **************************
 tunnel bandwidth transmit 40000
 tunnel bandwidth receive 40000
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/35
  vbr-nrt 700 700
  tx-ring-limit 2
  service-policy out WANQOS
  pppoe-client dial-pool-number 1
  pppoe-client ppp-max-payload 1492
 !
!
interface FastEthernet0
 switchport trunk allowed vlan 1-21,23-4094
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 22
 no ip address
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 ip address 10.0.1.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address **************************/64
 ipv6 enable
 ipv6 nd reachable-time 60000
 ipv6 nd prefix **************************/64 86400 3600
 ipv6 nd managed-config-flag
 ipv6 nd advertisement-interval
 ipv6 dhcp server MainLANIPv6 rapid-commit
!
interface Vlan3
 ip address dhcp hostname hello.there.how.are.you
 ip nat outside
 no ip virtual-reassembly in
 ipv6 address dhcp rapid-commit
 ipv6 enable
 ipv6 nd ra suppress all
!
interface Vlan4
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 enable
 ipv6 nd prefix **************************/64
 ipv6 nd managed-config-flag
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 4
 ipv6 dhcp server GuestWLANIPv6 rapid-commit
!
interface Vlan22
 no ip address
 bridge-group 1
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ipv6 address autoconfig
 ipv6 enable
 ppp authentication chap pap callin
 ppp chap hostname **************************
 ppp chap password 0 **************************
 ppp pap sent-username ************************** password 0 **************************
!
interface Dialer1
 no ip address
!
no ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns view default
 domain timeout 2
 domain retry 3
ip nat inside source list 1 interface Vlan3 overload
ip nat inside source static udp 10.0.1.235 88 interface Vlan3 88
ip nat inside source static tcp 10.0.1.235 3074 interface Vlan3 3074
ip nat inside source static udp 10.0.1.235 3074 interface Vlan3 3074
ip nat inside source static tcp 10.0.1.2 11009 interface Vlan3 11009
ip nat inside source static tcp 10.0.1.2 11008 interface Vlan3 11008
ip nat inside source static tcp 10.0.1.2 11000 interface Vlan3 11000
ip nat inside source static udp 10.0.1.2 11000 interface Vlan3 11000
ip nat inside source static tcp 10.0.1.2 11080 interface Vlan3 11080
!
no logging trap
access-list 1 remark INSIDE_IF=Vlan2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
dialer-list 1 protocol ip permit
ipv6 route FEC0:0:0:FFFF::1/128 Vlan2
ipv6 route FEC0:0:0:FFFF::2/128 Vlan2
ipv6 route FEC0:0:0:FFFF::3/128 Vlan2
ipv6 route ::/0 Tunnel0
!
!
!
!
snmp-server community ************************** RO
snmp-server community ************************** RW
snmp-server ifindex persist
snmp-server location **************************
snmp-server contact **************************
!
ipv6 access-list ipv6tunnel-in
 permit icmp any any
 evaluate reflectout
 permit ipv6 **************************/48 any
 permit ipv6 **************************/48 any
 permit ipv6 **************************/48 any
 permit ipv6 **************************/64 any
 permit ipv6 **************************/64 any
 permit ipv6 **************************/64 any
 permit tcp any range 10000 11999 any
 permit udp any range 11000 11999 any
 permit tcp any range 11000 11999 any
 deny ipv6 any any
!
ipv6 access-list ipv6tunnel-out
 sequence 100 permit icmp any any
 sequence 200 permit ipv6 any any reflect reflectout
 sequence 2147483647 deny ipv6 any any
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password **************************
 login local
 transport input all
!
scheduler max-task-time 5000
ntp update-calendar
ntp server 1.north-america.pool.ntp.org
ntp server 2.north-america.pool.ntp.org
ntp server 0.north-america.pool.ntp.org
ntp server 2.us.pool.ntp.org
ntp server 0.us.pool.ntp.org
ntp server 1.us.pool.ntp.org
ntp server 3.north-america.pool.ntp.org
event manager directory user policy "flash:/eem"
event manager applet NTP
 event timer countdown time 90
 action 01.0 cli command "enable"
 action 02.0 cli command "configure terminal"
 action 03.0 cli command "ntp server 0.us.pool.ntp.org burst iburst"
 action 04.0 cli command "ntp server 1.us.pool.ntp.org burst iburst"
 action 05.0 cli command "ntp server 2.us.pool.ntp.org burst iburst"
 action 06.0 cli command "ntp server 3.us.pool.ntp.org burst iburst"
 action 07.0 cli command "ntp server 0.north-america.pool.ntp.org burst iburst"
 action 08.0 cli command "ntp server 1.north-america.pool.ntp.org burst iburst"
 action 09.0 cli command "ntp server 2.north-america.pool.ntp.org burst iburst"
 action 10.0 cli command "ntp server 3.north-america.pool.ntp.org burst iburst"
 action 11.0 cli command "exit"
 action 12.0 cli command "exit"
!
end
 

Nubiatech (Member, join:2007-09-02, Chicago, IL)
Thanks for posting this, I find it very interesting since I never knew the 887 has such capabilities.

I'd suggest, as a first step, checking the interface status. Is vlan22 up and running?
Also, since it is placed in bridge-group 1, did you try creating a BVI interface and using it as the cross-connect?
Can you post the output of:
show int status
show int irb
show vlan?


Is it feasible for you to schedule a maintenance window to run a few debugs on this router?

Full disclosure: I don't have much experience with the ISR/G1 series, and not fully up to speed with the next generation either. I am hoping someone more experienced would be able to comment on the nuances of this architecture. For example, does it support BVI or SVI interfaces as local or cross-connect interfaces? Do you have to explicitly enable irb for this to work? Are there any limitations with regards to the integrated switch capabilities? Does it require vlan database mode (show vlan-switch)?

Napsterbater (MVM)
I'm starting to think this won't be possible.

I was running those show commands and I ran a "show interface", and it dawned on me when I noticed the MAC on the VLAN interfaces: all the VLANs on the 887 share the same MAC address, so making a different VLAN to get traffic on its own interface/port won't work, as the same MAC will be in two places in the VLAN2 network, and it won't let you set a MAC on a VLAN.

Also the 887 only has a layer 2 switch, so I can't really do anything with the ports without a VLAN, which brings us back to issue 1.

This could possibly work if the 887 were dedicated to just the VPN and I was using its DSL/ATM interface, or if I had a model with another routed (WAN) interface, but this one also has to be the NAT router for the network and I can't use its routed interface.

I did get the VPN itself up and connected using the Softether config, but the VPN server never saw traffic in the tunnel from the 887, though they did exchange traffic in regards to the tunnel (establishing, maintaining, etc.).
HELLFIRE (MVM, join:2009-11-25) to Napsterbater
said by Napsterbater:

Im looking for Layer 2 connectivity over the network, I have this currently via a Softether Server on my network with a connection to the one on the dedicated server, but I want to move it to the 887 on my side.

said by Napsterbater:

FastEthernet0 is a VLAN Trunk for all (except 22) VLANs to the switch.

VLAN2 is my "LAN", NAT Inside
VLAN3 is my "WAN" DHCP from ISP NAT Outside (DSL interface is not used)

VLAN22 is gonna be the LAN bridge interface for my side, it will connect back to the switch via an access port that is untagged VLAN2.

interface FastEthernet3 will have "switchport access vlan 22"

Any possibility of you doing a physical wiring diagram, cuz I'm having a heckuva time picturing that in my head.
The sense I'm getting -- and correct me if I'm wrong -- the softether server's on VLAN22 which is on the NAT INSIDE
side of the 887, so you need a LAN-to-LAN crypto tunnel between the softether server and the 887? Or am I out
to lunch?

Never seen the L2 Bridging Across a L3 Network before... interesting! Will have to look at that later.

Don't see anything immediately wrong with your crypto map -- the only thing that doesn't make sense to me
is the line

permit 115 any any
 

My 00000010bits

Regards

tubbynet (MVM, join:2008-01-16, Gilbert, AZ)
said by HELLFIRE:

Never seen the L2 Bridging Across a L3 Network before...

l2tpv3 allows one to create a layer-2 pseudowire across an ip infrastructure -- similar to atom in mpls.
set it up in your lab, hf. you'll be amazed.

to the op -- let me see if i can mock something up in my lab and test the config.

q.

Napsterbater (MVM) to HELLFIRE
Yeah, the permit any any made no sense to me as well, but who am I to judge in this circumstance, heh.
HELLFIRE (MVM) to Napsterbater
said by tubbynet:

l2tpv3 allows one to create a layer-2 pseudowire across an ip infrastructure -- similar to atom in mpls.
set it up in ypur lab, hf. you'll be amazed.

...okay, my brain just went "snap" at that... maybe another skype session's in order... I'll see what's on
my calendar.

@Napsterbater
Actually it was the "permit 115" part... I thought it was the sequence #, but that doesn't make sense...

Regards

Nubiatech (Member) to Napsterbater
said by HELLFIRE:

Actually it was the "permit 115" part... I thought it was the sequence #, but that doesn't make sense...

115 is the L2TPv3 IP protocol number (RFC3931, see IANA Protocol Numbers). In this case, all L2TPv3 traffic is matched (interesting traffic/encryption domain) and encapsulated in the IPSec tunnel.

I am glad that tubbynet is chiming in. Can't wait to see what can be gleaned from the lab.

Also, the OP pointed out the fact that the MAC is the same for all the SVIs. I am not sure if this will have any bearing on this setup, since the objective is to bridge traffic with L2 information intact, rather than encapsulate or manipulate it in any other way.

Either way, I'd still suggest configuring a BVI interface or removing vlan22 from the bridge group. Another option to look at is configuring a loopback as the local interface. I believe this will provide separation from the local switch module if that turns out to be an issue. Though you will need a static route to the loopback IP on the softether server side, since you would need a private/non-routable IP for that.
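Nubiatech's point about protocol 115 and the OP's static session IDs in the first config (`l2tp id 1 2`, local 1 and remote 2) both come down to what is actually on the wire, and that is what to look at when, as the OP reports, the tunnel is up but the server "never saw traffic in the tunnel". As an added example of mine (not code from the thread, Cisco or Softether), here is a Python decoder that classifies a packet the way the 887 side would: IP protocol 115 is what `permit 115 any any` selects for IPsec (UDP-encapsulated L2TPv3 would not match it), and an accepted data packet must carry the receiver's own session ID, with session ID 0 marking a control message (RFC 3931). Assumptions: no cookie and no L2-specific sublayer unless told otherwise; the addresses and the Ethernet frame are constructed sample data.

```python
import struct
import ipaddress

# Added example, not code from the thread. IANA protocol 115 is L2TPv3 over IP (RFC 3931),
# the protocol that the posted crypto ACL entry 'permit 115 any any' selects.
L2TPV3_IP_PROTO = 115


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; a header that verifies sums to 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_l2tpv3_ip_packet(src: str, dst: str, session_id: int, frame: bytes, cookie: bytes = b"") -> bytes:
    """Constructed sample: IPv4 header + L2TPv3 session header (+ optional cookie) + raw Ethernet frame."""
    body = struct.pack("!I", session_id) + cookie + frame
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0x4000, 64,
                      L2TPV3_IP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]   # fill in the checksum
    return hdr + body


def parse_ipv4(pkt: bytes):
    """Return (protocol, src, dst, payload) after verifying the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (pkt[9], str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[ihl:])


def matches_interesting_traffic(proto: int) -> bool:
    """Mirror of the crypto ACL entry 'permit 115 any any': only IP protocol 115 is selected."""
    return proto == L2TPV3_IP_PROTO


def parse_l2tpv3_over_ip(payload: bytes, cookie_len: int = 0) -> dict:
    """Decode the L2TPv3-over-IP header (RFC 3931 section 4.1.2.1).

    Session ID 0 marks a control message. A data message carries the receiver's
    session ID, then the optional cookie (0, 4 or 8 bytes), then the L2 payload.
    Assumption: no L2-specific sublayer (no sequencing), so the Ethernet frame
    follows the cookie directly.
    """
    if len(payload) < 4:
        raise ValueError("truncated L2TPv3 header")
    session_id = struct.unpack("!I", payload[:4])[0]
    if session_id == 0:
        return {"control": True, "session_id": 0}
    frame = payload[4 + cookie_len:]
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    return {
        "control": False,
        "session_id": session_id,
        "cookie": payload[4:4 + cookie_len],
        "eth_dst": frame[0:6].hex(":"),
        "eth_src": frame[6:12].hex(":"),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }


def check_inbound(pkt: bytes, local_session_id: int, cookie_len: int = 0) -> str:
    """Classify a packet as the 887 side would under 'l2tp id 1 2' (local ID 1, remote ID 2)."""
    proto, _src, _dst, payload = parse_ipv4(pkt)
    if not matches_interesting_traffic(proto):
        return "not-l2tpv3-ip"
    info = parse_l2tpv3_over_ip(payload, cookie_len)
    if info["control"]:
        return "control"
    if info["session_id"] != local_session_id:
        return "session-mismatch"
    return "ok"


if __name__ == "__main__":
    # Constructed ARP-sized frame: broadcast dst, locally administered src MAC, EtherType 0x0806.
    FRAME = bytes.fromhex("ffffffffffff 021122334455 0806") + b"\x00" * 28
    good = build_l2tpv3_ip_packet("1.2.3.4", "192.0.2.10", 1, FRAME)   # peer -> router, our local ID
    wrong = build_l2tpv3_ip_packet("1.2.3.4", "192.0.2.10", 2, FRAME)  # carries the remote ID instead
    print(check_inbound(good, 1), check_inbound(wrong, 1))            # ok session-mismatch
    print(parse_l2tpv3_over_ip(parse_ipv4(good)[3])["eth_src"])        # 02:11:22:33:44:55
```

Run against a capture taken on the server side (filtered to IP protocol 115, after IPsec decryption) with the server's own local session ID, `check_inbound` separates keepalive/control traffic (session 0) from bridged data, which is exactly the distinction the OP describes: tunnel established and maintained, but no data frames arriving.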
markysharkey (Premium Member, join:2012-12-20, United Kingdom) to HELLFIRE
Conference me in!

Napsterbater (MVM) to Nubiatech
said by Nubiatech:

Also, the OP pointed out the fact that the MAC is the same for all the SVIs. I am not sure if this will have any bearing on this setup, since the objective is to bridge traffic with L2 information intact, rather than encapsulate or manipulate it in any other way.

Good Point.
said by Nubiatech:

Either way, I'd still suggest configuring a BVI interface

On BVIs, my understanding is that it bridges two layer 3 networks/interfaces into a single Layer 2 network. Could I use a BVI to bridge VLAN2 and a Loopback, keep the VLAN2 config as is on its interface, and then do the xconnect on the loopback? Or does the BVI mean you have to move everything to its interface? Because you can't have an xconnect and an IP address on the same interface.
HELLFIRE (MVM) to Napsterbater
said by Nubiatech:

said by HELLFIRE:

Actually it was the "permit 115" part... I thought it was the sequence #, but that doesn't make sense...

115 is the L2TPv3 IP protocol number (RFC3931, see IANA Protocol Numbers). In this case, all L2TPv3 traffic is matched (interesting traffic/encryption domain) and encapsulated in the IPSec tunnel.

Ahh, thanks for clarifying that Nubiatech ...

Regards

tubbynet (MVM) to Nubiatech
said by Nubiatech:

I am glad that tubbynet See Profile is chiming in. Can't wait to see what can be gleaned from the lab.

never expect good things from me. i'm really just a guy who drinks and has a technology problem.
i think that anyone that has dealt with me on a personal level will agree with this.

i'm working through this inside of cisco modeling labs -- so it's slower going -- but i'll see what i can make happen.

q.

Nubiatech (Member)
said by tubbynet:

never expect good things from me. i'm really just a guy who drinks and has a technology problem.

Haha! Fair enough! I am in the same boat, kind of; this being the golden age of craft beers and brewpubs ... Though I have one thing up on you, procrastination ... one day I'll get around to completing the 2 ESXi nodes/CSR1000v/JunOS Firefly/OnePK home virtual lab, one day ...

tubbynet (MVM)
said by Nubiatech:

Though I have one thing up on you, procrastination

i have other people build my labs for me. we have a very large datacenter in the greater stl area. couple this with a dmvpn tunnel back to my house for ease of access across my workstations -- and a lab automation solution that allows me to use layer-1 switches to instantiate topologies on the fly -- and i've got about $15 million (at partner discounts) of routing and switching kit to play with.

q.