L2TPv3 through MX

LaurentUlmi
Conversationalist


Hello


I need to establish an L2TP tunnel from a Cisco device connected on the LAN behind an MX firewall to another Cisco device on the Internet.

The public IP of the peer can be reached from the LAN (ping is ok from the LAN interface of the MX or from the core switch).

When I run a capture from the MX, I can see the following continuously:

No. Time Source Destination Protocol Length Info
34 63.916202 10.128.2.55 1xx.xxx.xxx.xx4 L2TPv3 233 Control Message - SCCRQ (tunnel id=0)
35 64.915625 10.128.2.55 1xx.xxx.xxx.xx4 L2TPv3 233 Control Message - SCCRQ (tunnel id=0)
36 66.915588 10.128.2.55 1xx.xxx.xxx.xx4 L2TPv3 233 Control Message - SCCRQ (tunnel id=0)
37 69.999936 Cisco_49:02:e6 Cisco_49:02:e6 LOOP 64 Reply
38 70.915855 10.128.2.55 1xx.xxx.xxx.xx4 L2TPv3 129 Control Message - StopCCN (tunnel id=0)

The tunnel is never established.

I have no specific ACL on the MX or the core.

Do you have any idea where to look? I've no specific log.

Could it be related to the L2TP configuration?


If I connect the Cisco device directly on a DSL line, the L2TP tunnel is established immediately.


Thanks

Regards
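The capture in this post shows the classic failure signature: SCCRQ retransmitted with increasing backoff, never answered by an SCCRP, then a StopCCN when the initiator gives up. The script below is an added example (not from the thread) that parses Wireshark summary rows like these and reports, per initiator/peer pair, whether the L2TPv3 control connection ever got past SCCRQ; the sample rows are constructed from the post, with the documentation address 198.51.100.4 standing in for the masked peer IP.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Wireshark summary in the post; the peer
# address is masked there, so a documentation address (198.51.100.4) stands in.
SAMPLE_CAPTURE = """\
34 63.916202 10.128.2.55 198.51.100.4 L2TPv3 233 Control Message - SCCRQ (tunnel id=0)
35 64.915625 10.128.2.55 198.51.100.4 L2TPv3 233 Control Message - SCCRQ (tunnel id=0)
36 66.915588 10.128.2.55 198.51.100.4 L2TPv3 233 Control Message - SCCRQ (tunnel id=0)
37 69.999936 Cisco_49:02:e6 Cisco_49:02:e6 LOOP 64 Reply
38 70.915855 10.128.2.55 198.51.100.4 L2TPv3 129 Control Message - StopCCN (tunnel id=0)
"""
# One Wireshark summary row for an L2TPv3 control message; other protocols are ignored.
LINE_RE = re.compile(
    r"^\d+\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+L2TPv3\s+\d+\s+"
    r"Control Message - (?P<msg>\w+) \(tunnel id=(?P<tid>\d+)\)$"
)

def parse_control_messages(text):
    """Return (time, src, dst, msg_type, tunnel_id) tuples for L2TPv3 control rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the LOOP frame and any non-L2TPv3 row fall through here
            rows.append((float(m["time"]), m["src"], m["dst"], m["msg"], int(m["tid"])))
    return rows

def assess_control_connections(rows):
    """Key each exchange by (initiator, peer) and decide whether it got past SCCRQ.
    Healthy: SCCRQ -> SCCRP -> SCCCN. Repeated SCCRQ with no SCCRP, then StopCCN,
    is the post's pattern: the peer's replies never make it back to the initiator."""
    st = defaultdict(lambda: {"sccrq": 0, "sccrp": 0, "stopccn": 0, "times": []})
    for t, src, dst, msg, _tid in rows:
        key = (dst, src) if msg == "SCCRP" else (src, dst)  # replies flow peer -> initiator
        s = st[key]
        s[msg.lower()] = s.get(msg.lower(), 0) + 1
        s["times"].append(t)
    report = {}
    for (init, peer), s in st.items():
        if s["sccrp"]:
            report[(init, peer)] = "peer answered SCCRQ; control connection progressing"
            continue
        span = s["times"][-1] - s["times"][0]  # how long the initiator kept trying
        gave_up = "; initiator gave up with StopCCN" if s["stopccn"] else ""
        report[(init, peer)] = f"no SCCRP from {peer} after {s['sccrq']} SCCRQ over {span:.1f}s{gave_up}"
    return report

if __name__ == "__main__":
    for pair, verdict in assess_control_connections(parse_control_messages(SAMPLE_CAPTURE)).items():
        print(f"{pair[0]} -> {pair[1]}: {verdict}")
```

A verdict of "no SCCRP" with several SCCRQ means the peer's answer is being dropped or is not translated back through the NAT, which is where to look before touching the L2TP configuration itself.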

Aztec_Ninja
Getting noticed

You can find logs here >


Network-wide >  Monitor > Event Log >  Filter by All-Non Meraki VPN /Client VPN

LaurentUlmi
Conversationalist

Thanks for your reply.

When I said I had no log, I meant I can find logs related to any error in the Event logs.


Regards

PhilipDAth
Kind of a big deal

I don't think you'll get L2TP working through a NAT device.  You'd need to use something like L2TP over IPSec (note you could use the NULL encryption "cipher").


When it was working on the DSL device - did the DSL router have the public IP on it so there was no NAT?

MLG
New here

I confirm when it was working on the DSL device, the DSL router had the public IP; so it performs NAT translation.

LaurentUlmi
Conversationalist

Thanks for your message.

We will try to connect the router directly on one available LAN port of the firewall to be as if we were behind the DSL box (e.g. by bypassing the core switch).

Laurent

LUX-Merakifyer
Here to help

Hi Laurent.

I'm contacting you just to check if, 2 years on, you did solve your problem?

I currently face a similar issue with a VPN L2TP box behind my MX250, but only when I want to dedicate a specific outgoing public IP via 1:1 NAT.

As soon as I leave the default NAT to the MX public IP, then it works:

09:41:57.422969 IP 192.168.99.200.1701 > 185.28.206.222.1701: l2tp:[](35470/1) {compressed PPP data}
09:41:57.434682 IP 192.168.99.200.1701 > 185.28.206.222.1701: l2tp:[](35470/1) {compressed PPP data}
09:41:57.436562 IP 185.28.206.222.1701 > 192.168.99.200.1701: l2tp:[](6/1) {compressed PPP data}
09:41:57.436683 IP 185.28.206.222.1701 > 192.168.99.200.1701: l2tp:[](6/1) {compressed PPP data}
09:41:57.467285 IP 192.168.99.200.1701 > 185.28.206.222.1701: l2tp:[](35470/1) {compressed PPP data}
09:41:57.469021 IP 185.28.206.222.1701 > 192.168.99.200.1701: l2tp:[](6/1) {compressed PPP data}
09:41:57.470148 IP 192.168.99.200.1701 > 185.28.206.222.1701: l2tp:[](35470/1) {compressed PPP data}
09:41:57.484786 IP 192.168.99.200.1701 > 185.28.206.222.1701: l2tp:[](35470/1) {compressed PPP data}

I have a bad feeling some flow may have to be allowed on the inbound connection, because indeed, as Philip said, L2TP is not like IPSec...

LaurentUlmi
Conversationalist

Hi LUX-Merakifyer,

Thanks for asking 😀 and thanks for the solution you proposed.

To be honest, I don't remember clearly how we solved the issue we were facing.


Laurent
