L2TP tunnel tussen Iphone en cisco ISR 3845 router - Netwerken

Vraag

zondag 7 november 2021 14:00

Acties:

0 Henk 'm!

Topicstarter

Hallo,

Sinds kort heb ik problemen om een L2TP tunnel op te bouwen tussen een cisco ISR 3845 router en mijn iphone 7.
Dit heeft jaren gewerkt en er is weinig aan de configuratie veranderd.
Ik heb voor het lokale lan enkel HSRP statements toegevoegd. Die configuratie werkt ook helemaal naar behoren.

als ik debug krijg ik volgende info te zien:

28224517: *Nov 7 12:51:07.056 UTC: L2TP: I SCCRQ from iPhone tnl 25
28224518: *Nov 7 12:51:07.056 UTC: AAA/BIND(0000018F): Bind i/f
28224519: *Nov 7 12:51:07.056 UTC: Tnl 15082 L2TP: Tunnel Authorization starte d for host iPhone
28224520: *Nov 7 12:51:07.056 UTC: Tnl 15082 L2TP: New tunnel created for remo te iPhone, address 188.188.153.8
28224521: *Nov 7 12:51:07.056 UTC: L2X: Tunnel author reply L2X info not found
28224522: *Nov 7 12:51:07.056 UTC: Tnl 15082 L2TP: Deny SCCRQ, Local interface for IP address 195.130.157.146 is down
28224523: *Nov 7 12:51:07.056 UTC: Tnl 15082 L2TP: Shutdown tunnel
28224524: *Nov 7 12:51:07.852 UTC: L2TP: I SCCRQ from iPhone tnl 25
28224525: *Nov 7 12:51:07.852 UTC: AAA/BIND(00000190): Bind i/f
28224526: *Nov 7 12:51:07.856 UTC: Tnl 1699 L2TP: Tunnel Authorization started for host iPhone
28224527: *Nov 7 12:51:07.856 UTC: Tnl 1699 L2TP: New tunnel created for remot e iPhone, address 188.188.153.8
28224528: *Nov 7 12:51:07.856 UTC: L2X: Tunnel author reply L2X info not found
28224529: *Nov 7 12:51:07.856 UTC: Tnl 1699 L2TP: Deny SCCRQ, Local interface for IP address 195.130.157.146 is down
28224530: *Nov 7 12:51:07.856 UTC: Tnl 1699 L2TP: Shutdown tunnel
28224531: *Nov 7 12:51:09.864 UTC: L2TP: I SCCRQ from iPhone tnl 25
28224532: *Nov 7 12:51:09.864 UTC: AAA/BIND(00000191): Bind i/f
28224533: *Nov 7 12:51:09.864 UTC: Tnl 53852 L2TP: Tunnel Authorization starte d for host iPhone

...

Ik weet alleen niet goed wat volgende melding inhoud:

L2X: Tunnel author reply L2X info not found. Ik vind er ook zeer weinig over op internet.

Ik probeer wat relevante configuratie te geven:

code:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication ppp default local
aaa authentication ppp VPDN_AUTH local
aaa authorization exec default local
!
aaa session-id common

vpdn enable
vpdn source-ip <mijn IP adres>
!
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication

username <username> password 7 <paswoord>

crypto isakmp key <paswoord> address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
crypto isakmp nat keepalive 3600

crypto ipsec transform-set l2tppjk esp-3des esp-sha-hmac
 mode transport

crypto dynamic-map l2tppjk-map 10
 set nat demux
 set transform-set l2tppjk

interface GigabitEthernet0/0
 description De buitenwereld WAN
 ip address <extern IP> 255.255.255.248
 ip access-group 120 in
 ip verify unicast source reachable-via rx allow-default 102
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
 no mop enabled
 crypto map cisco

interface GigabitEthernet0/1
 description "Lokaal LAN"
 ip address 10.10.10.9 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
 standby 2 ip 10.10.10.1
 standby 2 priority 250
 standby 2 preempt

interface Virtual-Template1
 description "VPN Verbinding met Iphones"
 ip unnumbered GigabitEthernet0/0
 ip access-group 130 in
 ip nat inside
 ip virtual-reassembly
 load-interval 30
 peer default ip address pool PPTP-Pool
 no keepalive
 ppp encrypt mppe 128
 ppp authentication chap ms-chap ms-chap-v2 VPDN_AUTH
 ppp ipcp dns 10.10.10.80 10.10.10.81

ip local pool PPTP-Pool 10.10.50.30 10.10.50.40

ip nat pool VPNPHONE-POOL 10.10.50.0 10.10.50.255 netmask 255.255.255.0

ip nat inside source list 130 interface GigabitEthernet0/0 overload

access-list 130 permit tcp 10.10.50.0 0.0.0.255 any
access-list 130 permit udp 10.10.50.0 0.0.0.255 any
access-list 130 permit icmp 10.10.50.0 0.0.0.255 any
access-list 130 permit esp 10.10.50.0 0.0.0.255 any
access-list 130 permit gre 10.10.50.0 0.0.0.255 any
access-list 130 deny   ip any any

Ik heb me al suf gezocht op internet maar wat die tunnel reply author info not found inhoud of enige info om verder te troubleshooten daaromtrent kom ik niet echt tegen]

L2X: Tunnel author reply L2X info not found
28224529: *Nov 7 12:51:07.856 UTC: Tnl 1699 L2TP: Deny SCCRQ, Local interface for IP address 195.130.157.146 is down

Cisco3845# show debugging
General OS:
AAA Authentication debugging is on
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
PPP:
PPP authentication debugging is on
PPP protocol negotiation debugging is on

Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on

De keypairs voor de VPN tunnel worden wel correct uitgewisseld. Zie boven welke debug commando's ik heb gebruikt.

Kunnen jullie mij even op weg helpen om verder te troubleshooten? Welke info mist er nog volgens jullie?
ben ik nog parameters op een bepaalde interface vergeten?

Ik zou ook graag weten wat de melding precies inhoud...
Ik loop hiermee nu echt wat vast.

Heel erg bedankt voor de hulp!

...

Reageer