
L2TP VPN and Split Tunnelling

Status
Not open for further replies.

Jimtron26

Programmer
Nov 8, 2004
GB
Hi all,

I have a requirement to enable Split Tunnelling with an L2TP/IPSec connection. The remote client wishes to access the company network using an L2TP connection whilst at the same time having Internet traffic route out of his local DSL (8Mb) connection.

I use a Cisco 1841 router acting as the LNS and Vista client as the LAC.

A little history...

1. L2TP to the company network is required to utilise the "reconnect on drop" function - something the Cisco client does not support (claiming this is a security feature!) whilst providing encryption.
2. Internet traffic needs to route locally as, if routed via the VPN tunnel, the download speed will be dictated by the upload speed of the company DSL connection (approx 500K).

I have searched the Internet, Cisco/ Microsoft documentation but it appears this setup is "not recommended" or "not possible" due to "security threats" which are not clearly explained. The impression I get is that the remote client will have to be browsing porn sites etc in order for the company network to be adversely affected by remote control, worms, trojans etc via the remote client.

The remote client is trusted (it's my MD!!!) and therefore this won't be an issue ;o). I did find one piece of documentation from Cisco which involves adding and deleting routes on the client machine; however, this would have to be done each time the computer is booted and is not practical as a solution. There must be some way to automate it?!?

I have also tried the "use default gateway at remote network" setting within the client properties however I encounter the following:
Checked - Can access company network, cannot access Internet
Unchecked - Can access Internet, cannot access company network!

Phew! Sorry for the ramble but wanted to get the requirement across in as much detail as possible. I can't believe I am the only one to come across this problem...

Any help/ thoughts/ etc etc would be most appreciated.

Many thanks

Jim

Are you asking for a config to enable split tunneling in the 1841, or if this is what you need to do?

Burt
 
Hi Burt,

Thank you for your reply. I don't think, but could be wrong, that it is the router that is the issue here.

We also use Cisco VPN client and configure split tunnelling by telling the client which networks to encrypt via an Access List. The rest of the traffic uses the local Internet connection. There does not appear to be any way to do this for an L2TP client connection.

I was thinking this is something to be done on the Windows machine, perhaps manipulating the routing table, but in an automated way.

Many thanks
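One way to automate the route juggling Jim describes, as an added example that is not from this thread: a batch file for the Vista client that dials the L2TP connection with rasdial and then adds routes for the company subnets (taken from the router config posted later in the thread) through the tunnel, so only that traffic crosses the VPN and everything else keeps the local DSL gateway. It assumes the connection is named CompanyL2TP (a hypothetical name) with saved credentials, that "Use default gateway on remote network" is unchecked in its TCP/IP properties, and that it runs from an elevated command prompt.

```batch
@echo off
rem Added example, not from this thread. Dials the L2TP/IPSec connection and
rem then installs routes for the company subnets through the tunnel, so only
rem that traffic uses the VPN and everything else keeps the local DSL gateway.
rem Assumptions: the connection is named CompanyL2TP (hypothetical name) with
rem saved credentials, "Use default gateway on remote network" is unchecked
rem in its TCP/IP properties, and this runs from an elevated command prompt.
setlocal
set "CONN=CompanyL2TP"

rasdial "%CONN%"
if errorlevel 1 (
    echo Could not bring up %CONN%.
    exit /b 1
)

rem The router's L2TP_POOL hands out 192.168.58.2-5; read the address the
rem PPP adapter received from ipconfig and use it as the next hop.
set "VPNIP="
for /f "tokens=2 delims=:" %%A in ('ipconfig ^| findstr /r /c:"IPv4 Address.*192\.168\.58\."') do set "VPNIP=%%A"
if not defined VPNIP (
    echo No 192.168.58.x address found on the tunnel adapter.
    exit /b 1
)
set "VPNIP=%VPNIP: =%"

rem Company networks from the posted router config: data LAN, voice LAN, DMZ.
rem On a point-to-point PPP link the adapter's own address is a valid gateway.
rem These routes are deliberately not persistent (no -p): Windows drops them
rem when the PPP interface goes away, and this script puts them back.
route add 192.168.42.0 mask 255.255.255.0 %VPNIP% metric 1
route add 192.168.43.0 mask 255.255.255.0 %VPNIP% metric 1
route add 192.168.60.0 mask 255.255.255.0 %VPNIP% metric 1

echo Tunnel up at %VPNIP%; company subnets routed via VPN, Internet stays local.
endlocal
```

Run it from a logon scheduled task or a desktop shortcut rather than by hand; if the connection's reconnect-on-drop re-establishes the tunnel, the routes have to be re-added too, since Windows removes them when the PPP interface disappears.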

 
Can you post the sh run of the router? Let's eliminate everything we can...

Burt
 
Building configuration...

Current configuration : 17107 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret ******
!
aaa new-model
!
!
aaa authentication login NCL_AUTHEN local
aaa authentication ppp default local
aaa authorization network NCL_AUTHOR local
!
aaa session-id common
no ip cef
!
!
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL ftp
ip inspect name FIREWALL h323
ip inspect name FIREWALL rcmd
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL smtp
ip inspect name FIREWALL sqlnet
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL tcp
ip inspect name FIREWALL tftp
ip inspect name FIREWALL udp
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL icmp
ip inspect name FIREWALL http
ip inspect name FIREWALL sip
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.42.1 192.168.42.50
ip dhcp excluded-address 192.168.42.76 192.168.42.254
!
ip dhcp pool NCLDHCP
network 192.168.42.0 255.255.255.0
default-router 192.168.42.1
dns-server ******
!
!
no ip domain lookup
ip host r2 192.168.42.254
ip name-server ******
ip name-server ******
ip name-server ******
ip name-server ******
vpdn enable
!
vpdn-group L2TPGroup
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
l2tp security crypto-profile L2TP_PROFILE
no l2tp tunnel authentication
!
!
async-bootp dns-server ******
!
!
username ****** privilege 15 password ******

archive
log config
hidekeys
!
!
!
!
!
crypto isakmp policy 15
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
authentication pre-share
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group ******
key ******
pool VPN_IP_Pool
acl 140
backup-gateway ******
!
!
crypto ipsec transform-set NCL_Tran_Set esp-des esp-md5-hmac
crypto ipsec transform-set L2TP_TRANS_SET esp-des esp-md5-hmac
mode transport
!
crypto dynamic-map NCL_Dyn_Map 1
set transform-set NCL_Tran_Set
reverse-route remote-peer
!
!
crypto map NCL_CMap client authentication list NCL_AUTHEN
crypto map NCL_CMap isakmp authorization list NCL_AUTHOR
crypto map NCL_CMap client configuration address initiate
crypto map NCL_CMap client configuration address respond
crypto map NCL_CMap 20 ipsec-isakmp dynamic NCL_Dyn_Map
crypto map NCL_CMap 25 ipsec-isakmp profile L2TP_PROFILE
set transform-set L2TP_TRANS_SET
!
!
!
interface Loopback0
ip address 192.168.51.1 255.255.255.0
!
interface Loopback1
ip address 192.168.58.1 255.255.255.0
!
interface FastEthernet0/0
description LAN_PORT
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.42.253 255.255.255.0
ip inspect FIREWALL in
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
ip policy route-map NO_NAT
ip igmp query-interval 125
standby 1 ip 192.168.42.1
standby 1 priority 150
standby 1 preempt
standby 1 track ATM0/1/0 150
standby 1 track Dialer2 150
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.43.253 255.255.255.0
ip inspect FIREWALL in
ip pim sparse-dense-mode
ip nat inside
ip virtual-reassembly
ip policy route-map NO_NAT
standby 2 ip 192.168.43.1
standby 2 priority 150
standby 2 preempt
standby 2 track ATM0/1/0 150
standby 2 track Dialer2 150
!
interface FastEthernet0/1
description DMZ_PORT
ip address 192.168.60.1 255.255.255.0
ip access-group 130 in
ip inspect FIREWALL in
ip nat inside
ip virtual-reassembly
ip policy route-map NO_NAT
duplex auto
speed auto
!
interface ATM0/1/0
bandwidth 8096
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool L2TP_POOL
ppp authentication chap ms-chap
!
interface Dialer2
description INTERNET PORT
bandwidth 8096
ip address ******
ip access-group 124 in
ip inspect FIREWALL in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname ******
ppp chap password ******
crypto map NCL_CMap
!
ip local pool VPN_IP_Pool 192.168.50.100 192.168.50.150
ip local pool L2TP_POOL 192.168.58.2 192.168.58.5
no ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer2
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source route-map NAT_MAP interface Dialer2 overload
!
logging 192.168.42.53
access-list 101 remark INTERNET NAT ACL
access-list 101 remark Deny VPN traffic from NAT process
access-list 101 deny ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 deny ip 192.168.43.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 deny ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 deny ip 192.168.203.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 deny ip 192.168.72.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 remark Match all other traffic for NAT
access-list 101 permit ip 192.168.42.0 0.0.0.255 any
access-list 101 permit ip 192.168.43.0 0.0.0.255 any
access-list 101 permit ip 192.168.60.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 101 permit ip 192.168.71.0 0.0.0.255 any
access-list 101 permit ip 192.168.203.0 0.0.0.255 any
access-list 101 permit ip 192.168.72.0 0.0.0.255 any
access-list 124 remark FIREWALL ACL INTERNET
access-list 124 remark Permit incoming IKE VPN traffic
access-list 124 permit udp any any eq non500-isakmp
access-list 124 permit udp any any eq isakmp
access-list 124 permit esp any any
access-list 124 permit ahp any any
access-list 124 remark Permit Internet
access-list 124 permit tcp any any eq www
access-list 124 remark Permit Email
access-list 124 permit tcp any any eq smtp
access-list 124 remark Permit ICMP
access-list 124 permit icmp any any
access-list 124 remark Permit incoming PPTP
access-list 124 permit tcp any any eq 1723
access-list 124 permit gre any any
access-list 124 remark Permit incoming L2TP
access-list 124 permit udp any any eq 1701
access-list 124 remark Prevent spoof addresses
access-list 124 deny ip 10.0.0.0 0.255.255.255 any
access-list 124 deny ip 172.16.0.0 0.15.255.255 any
access-list 124 deny ip 192.160.0.0 0.15.255.255 any
access-list 124 deny ip 127.0.0.0 0.255.255.255 any
access-list 124 deny ip host 0.0.0.0 any
access-list 124 deny ip host 255.255.255.255 any
access-list 130 remark DMZ ACL
access-list 130 remark Permit DMZ to LAN Notes Ports
access-list 130 permit tcp host 192.168.60.x 192.168.42.0 0.0.0.255 eq 1352
access-list 130 permit tcp any any eq 1533
access-list 130 permit tcp host 192.168.60.x host 192.168.42.x eq 1503
access-list 130 permit tcp host 192.168.60.x host 192.168.42.x eq 1516
access-list 130 permit tcp host 192.168.60.x host 192.168.42.x eq 1503
access-list 130 permit tcp host 192.168.60.x host 192.168.42.x eq 1516
access-list 130 remark Deny DMZ to LAN all other ports
access-list 130 deny ip 192.168.60.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 130 remark Deny DMZ to Voice LAN
access-list 130 deny ip 192.168.60.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 130 remark Permit Server to everything else
access-list 130 permit ip host 192.168.60.x any
access-list 140 remark ISAKMP ACL
access-list 140 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 140 permit ip 192.168.43.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 140 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 140 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 140 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 140 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 140 permit ip 192.168.70.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 140 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
access-list 141 remark NONAT ACL
access-list 141 permit ip 192.168.42.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 141 permit ip 192.168.43.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 141 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 141 permit ip 192.168.51.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 141 permit ip 192.168.60.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 141 permit ip 192.168.201.0 0.0.0.255 192.168.201.0 0.0.0.255
access-list 142 remark NONAT ACL
access-list 142 permit ip 192.168.42.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.43.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.50.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.51.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 142 permit ip 192.168.201.0 0.0.0.255 192.168.50.0 0.0.0.255
dialer-list 2 protocol ip permit
snmp-server community ****** RW
route-map NO_NAT permit 20
match ip address 141 142
set ip next-hop 192.168.51.2
!
route-map NAT_MAP permit 20
match ip address 101
set interface Dialer2
!
!
!
control-plane
!
alias exec crs copy run start
alias exec sr show run
!
line con 0
logging synchronous
login authentication NCL_AUTHEN
line aux 0
line vty 0 4
logging synchronous
login authentication NCL_AUTHEN
!
scheduler allocate 20000 1000
end

Quite a bit here! Router acts as IPSec server, DHCP server, L2TP server, has HSRP running (we have a second DSL connection) and is also performing Inter VLAN routing for a L2 switch, segregating voice and data networks :)

Thanks for your help Burt
 
I'll say! Right off top, I see that L2TP traffic is being NATted...

ip local pool L2TP_POOL 192.168.58.2 192.168.58.5

is not included in acl 101. Also, I usually just
deny any vpn_subnet
like
access-list 101 deny ip any 192.168.50.0 0.0.0.255
access-list 101 deny ip any host 192.168.58.2
access-list 101 deny ip any host 192.168.58.3
access-list 101 deny ip any host 192.168.58.4
access-list 101 deny ip any host 192.168.58.5
access-list 101 permit ip 192.168.42.0 0.0.0.255 any
access-list 101 permit ip 192.168.43.0 0.0.0.255 any
access-list 101 permit ip 192.168.60.0 0.0.0.255 any
access-list 101 permit ip 192.168.201.0 0.0.0.255 any
access-list 101 permit ip 192.168.71.0 0.0.0.255 any
access-list 101 permit ip 192.168.203.0 0.0.0.255 any
access-list 101 permit ip 192.168.72.0 0.0.0.255 any

or a permit any any to match the rest.

More later...

Burt
 
From Cisco...

SHOW RUNNING-CONFIG - VPN NOTIFICATIONS (if any)

INFO: Use the crypto ipsec security-association idle-time global configuration
command to configure the IPsec SA idle timers feature in order to increase the availability of
resources by deleting SAs associated with idle peers. The IPSEC SA's created requires
both memory and several managed timers.
REFERENCE: For more information see IPSec Security Association Idle Timers

INFO: When setting up pre-share authentication within an ISAKMP policy, the same
key must be configured on both peers. If not, a 'debug crypto isakmp' will output;
'ISAKMP: reserved not zero on payload #'. This indicates a mismatching isakmp key
for the specified VPN peer.

WARNING: Interface Dialer2 has a NAT outside statement and crypto map
NCL_CMap declared.
Generally, IPSec traffic should be excluded from any NAT operation.
TRY THIS: Make sure that the traffic identified by the access-list used in crypto
map NCL_CMap's 'match address {access_list}' statement is excluded from the NAT
process.
REFERENCE: For more information, see: NAT (Network Address Translation)

CURRENT LOCAL SETTINGS:

Local Hostname: Router

Configured IP Domain Name: No IP Domain Name Configured

Crypto ISAKMP policy: 15
Hash: md5
Authentication: pre-share

Crypto ISAKMP policy: 20
Authentication: pre-share

ISAKMP key configured:
Key: ******
Destination address: 0.0.0.0 0.0.0.0
Key: ******
Destination address: 0.0.0.0 0.0.0.0

Transform-set configured: NCL_Tran_Set
Protocols Used: esp-des esp-md5-hmac
IPSec mode is Tunnel

Transform-set configured: L2TP_TRANS_SET
Protocols Used: esp-des esp-md5-hmac
IPSec mode is Transport

Interface Dialer2 configured with Crypto map NCL_CMap


WARNING: If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured
on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information,
and the LAN-to-LAN tunnel fails. This issue only applies to Cisco IOS and PIX 6.x.
Because it uses tunnel-groups, PIX/ASA 7.x is not affected by this issue.
TRY THIS: Use the no-xauth keyword when you enter the isakmp key, so the device
does not prompt the peer for XAUTH information (username and password). This keyword
disables XAUTH for static IPSec peers. Enter a command similar to this on the device
that has both L2L and RA VPN configured on the same crypto map.

INFO: In many cases, a simple typo can be to blame when an IPSec VPN tunnel does
not come up. For example, on the security appliance, pre-shared keys become hidden
once they are entered. This obfuscation makes it impossible to see if a key is
incorrect. Be certain that you have entered any pre-shared-keys correctly on each
VPN endpoint.

I would pay particular attention to the XAUTH config...

Burt
 
Thank you Burt,

Cisco seems to think there is something wrong with the IPSec config perhaps...?

Don't ACLs 141 and 142 cover the NAT issue highlighted? And no need to worry about the xauth... we don't have a site-to-site VPN. I have come across this issue before, spent days researching to find only a single keyword was needed! Don't you just love it?!

:)

Appreciate the assistance
 
Actually, ACLs 141 and 142 are not needed since the NAT ACL is actually 101; the route map separates NAT and non-NAT traffic by being pointed at ACL 101.
 