From: Menga, Justin (Justin.Menga@xxxxxxxxxx)
Date: Tue Oct 09 2001 - 01:25:08 GMT-3
Brian,
Are you using IPSec to secure the tunnel?
Regards
Justin Menga CCIE #6640
Network Solutions Architect
Wireless & E-Infrastructure
Compaq Computer New Zealand
DDI: +64-9-918-9381 Mobile: +64-21-349-599
mailto: justin.menga@compaq.com
web: http://www.compaq.co.nz
-----Original Message-----
From: Daniel Prinsloo [mailto:daniel@prove-it.co.uk]
Sent: Tuesday, 9 October 2001 10:58 a.m.
To: Brian
Cc: ccielab@groupstudy.com
Subject: Re: l2tp thru NAT
Brian,
I do not think this will work as the two devices (3640 and W2K) will not
be able to achieve a SA as the address for the SA will be hidden inside
the negotiation that is not picked up by the NAT statement. My
suggestion would be to give the W2K machine a legal address and make a
static route for it on the 2514.
Anybody else?
Brian wrote:
> I am trying to establish an l2tp session from a win2k box to a 3640.
> The win2k box is natted behind a 2514. Should this work? I wasn't
> seeing anything hit the 3640 with debug vpdn l2x-events/l2x-errors.
> On the 3640 I am doing like:
>
> username vpntest password vpntest
>
> vpdn enable
> vpdn-group vpngroup
> accept-dialin
> protocol l2tp
> virtual-template 1
> terminate-from hostname user
> local name andromeda
> l2tp tunnel password vpntest
>
> interface virtual-template 1
> ip unnumbered f2/0.161
> peer default ip address pool vpnpool
> ppp authentication chap
>
> ip local pool vpnpool 10.1.1.129 10.1.1.190
>
>
> on the win2k side, I am setting the username and password, setting it
> for l2tp, unencrypted (no ipsec), but I don't see in win2k where I set
> the actual tunnel password itself..........I assume that
> "terminate-from hostname user" will want the win2k box to have a
> windows hostname of "user". I thought maybe nat was messing with this
> since my debugs came up short.
>
> Brian
>
>
> -----------------------------------------------
> Brian Feeny, CCIE #8036 e: signal@shreve.net
> Network Engineer p: 318.222.2638x109
> ShreveNet Inc. f: 318.221.6612
--
Daniel Prinsloo
Prove IT
daniel@prove-it.co.uk
www.prove-it.co.uk
ICQ 42743324
Fax 0870 135 7712
This archive was generated by hypermail 2.1.4 : Thu Jun 20 2002 - 22:33:15 GMT-3