
VPN L2TP/IPSEC CAN'T CONNECT TO LOCAL NETWORK

drozen789
Level 1

Hi, I have a problem with my VPN: I can correctly establish the VPN, but I have no ping or communication with the local network. What am I missing, or what have I configured incorrectly on my router? I will share my configuration with you:


RT-CLOA#show running-config
Building configuration...


Current configuration : 5936 bytes
!
! Last configuration change at 11:41:03 CST Sat Oct 7 2023 by Cloa_vpn
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname RT-CLOA
!
boot-start-marker
boot-end-marker
!
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
!
!
!
!
!
aaa session-id common
clock timezone CST -4 0
!
no ip domain lookup
ip dhcp excluded-address 192.168.70.1 192.168.70.100
ip dhcp excluded-address 192.168.70.254
!
ip dhcp pool CLOA-LAN
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
domain-name cloa.cl
dns-server 192.168.70.21 200.72.1.5 200.72.1.11
lease 2
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group VPN-CLINICA
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
crypto pki trustpoint TP-self-signed-1979736926
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1979736926
revocation-check none
rsakeypair TP-self-signed-1979736926
!
!
crypto pki certificate chain TP-self-signed-1979736926
!
license udi pid C1111-8P sn FGL2416L6PW
license boot level securityk9
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username xxxxx password 0 xxxxxx
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp xxxxxx address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map mymap 1
set nat demux
set transform-set myset
!
!
crypto map mymap 1 ipsec-isakmp dynamic mymap
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address xxxxxxxxx 255.255.255.252
ip nat outside
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0
ip nat inside
peer default ip address pool VPN
ppp authentication ms-chap-v2
!
interface Vlan1
description IP local 192.168.70.1
ip address 192.168.70.1 255.255.255.0
ip nat inside
!
ip local pool VPN 10.10.10.1 10.10.10.5
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat pool CLOA-LAN xxxxxxx xxxxxxxx netmask 255.255.255.252
ip nat inside source static tcp 192.168.70.61 22000 interface GigabitEthernet0/0/0 22000
ip nat inside source static tcp 192.168.70.21 1433 interface GigabitEthernet0/0/0 1433
ip nat inside source static tcp 192.168.70.28 8443 interface GigabitEthernet0/0/0 8443
ip nat inside source static tcp 192.168.70.21 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source static tcp 192.168.70.71 8001 interface GigabitEthernet0/0/0 8001
ip nat inside source list 1 pool CLOA-LAN overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxx
!
!
access-list 1 permit 192.168.70.0 0.0.0.255
!
!
!
!
!
!
control-plane
!

!
line con 0
password xxxx
transport input none
stopbits 1
line vty 0 4
password xxxx
transport input all
!
!
!
!
!
!
end

RT-CLOA#


I need the VPN network to be able to access this local network on the router: 192.168.70.0/24

Please, guys, help me; I have been trying almost everything.


1 Accepted Solution


@drozen789 if as you've said you've already established the VPN then you would be licensed.

Please can you provide the updated configuration and the output of "show crypto ipsec sa".

9 Replies

@drozen789 possibly a NAT issue; change your NAT ACL to deny traffic from your internal network to the VPN IP pool, which will exclude this traffic from being translated. You will need to use an extended ACL. Example:

access-list 101 deny ip 192.168.70.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.70.0 0.0.0.255 any

no ip nat inside source list 1 pool CLOA-LAN overload
ip nat inside source list 101 pool CLOA-LAN overload
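Added illustration, not part of the thread and not Cisco code: a small Python check that applies first-match ACL evaluation to the NAT source list, comparing the original standard `access-list 1` with the extended `access-list 101` suggested above. The config excerpts are constructed from the lines quoted in this thread; the ACL parser only handles the `permit`/`deny` forms used there.

```python
import ipaddress
import re

# Constructed excerpts of the running-config posted in the thread (pool and ACL lines only).
ORIGINAL_CFG = """
ip local pool VPN 10.10.10.1 10.10.10.5
ip nat inside source list 1 pool CLOA-LAN overload
access-list 1 permit 192.168.70.0 0.0.0.255
"""
FIXED_CFG = """
ip local pool VPN 10.10.10.1 10.10.10.5
access-list 101 deny ip 192.168.70.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.70.0 0.0.0.255 any
ip nat inside source list 101 pool CLOA-LAN overload
"""
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def _wild_to_net(addr, wild):
    """IOS 'address wildcard' -> network; the wildcard is the inverted subnet mask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(cfg, number):
    """Ordered (action, src_net, dst_net) entries of access-list <number>."""
    entries = []
    for line in cfg.splitlines():
        m = re.match(rf"access-list {number} (permit|deny)\s+(.*)", line.strip())
        if not m:
            continue
        action, rest = m.group(1), m.group(2).split()
        if rest[0] == "ip":  # extended: ip <src> <wc> (<dst> <wc> | any)
            src = _wild_to_net(rest[1], rest[2])
            dst = ANY if rest[3] == "any" else _wild_to_net(rest[3], rest[4])
        else:  # standard: source only, destination is implicitly any
            src = ANY if rest[0] == "any" else _wild_to_net(rest[0], rest[1])
            dst = ANY
        entries.append((action, src, dst))
    return entries

def nat_acl_number(cfg):
    m = re.search(r"^ip nat inside source list (\d+) ", cfg, re.M)
    return m.group(1) if m else None

def pool_hosts(cfg):
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M)
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in m.groups())
    return [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]

def flow_is_translated(cfg, src_ip, dst_ip):
    """True if the NAT ACL permits the flow (first match wins; implicit deny = not translated)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in parse_acl(cfg, nat_acl_number(cfg)):
        if s in src and d in dst:
            return action == "permit"
    return False

def untranslated_pool_hosts(cfg, lan_host="192.168.70.21"):
    """VPN-pool addresses the LAN host reaches without its source being NATed."""
    return [str(h) for h in pool_hosts(cfg) if not flow_is_translated(cfg, lan_host, h)]
```

With `ORIGINAL_CFG` every LAN-to-pool flow is still a NAT candidate; with `FIXED_CFG` all five pool addresses are exempt while Internet-bound traffic remains translated.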

Hi Rob, thank you very much for your help, friend, and sorry for responding so late; I've been very busy. I tried your solution, but I still can't connect to the local network. This already has me a little frustrated; I've tried everything, and now I don't know what to try.

@drozen789 if as you've said you've already established the VPN then you would be licensed.

Please can you provide the updated configuration and the output of "show crypto ipsec sa".

Hi Rob, I think that is the problem: we do not have the security license purchased, but we are using a trial version that ends in a few weeks. Even if we are using the trial version, will we not be able to access the local network?

@drozen789 if you have a valid trial security license then you should be able to establish a VPN. Have you actually established the IPSec SA?

Please can you provide the updated configuration and the output of "show crypto ipsec sa".

The security license must be activated for L2TP/IPsec to access the local LAN.

Hi friend, we have the Cisco ISR router model C1111-8P; which is the right Cisco security licence for that model? I need to buy it.

mecker
Level 1

Hi,

I have the same problem with my config. The securityk9 license is activated. Any ideas?

CiscoKern#show license summary
Account Information:
Smart Account: <none>
Virtual Account: <none>

License Usage:
License Entitlement Tag Count Status
-----------------------------------------------------------------------------
securityk9 (ISR_1100_8P_Security) 1 IN USE


mecker
Level 1

Hi @drozen789, you have accepted the solution. Does access to the LAN work? I have the same config and the securityk9 license installed. The tunnel is up, but no connection to the LAN is possible.