
I have a Server 2012 box running PPTP and L2TP VPN services behind a Cisco 1841 ISR. My NAT rules allow the PPTP traffic to connect, however I cannot complete a connection with L2TP. The relevant NAT rules are below:

ip nat inside source static udp 192.168.62.2 500 1.2.3.4 500 extendable
ip nat inside source static udp 192.168.62.2 1701 1.2.3.4 1701 extendable
ip nat inside source static tcp 192.168.62.2 1723 1.2.3.4 1723 extendable
ip nat inside source static udp 192.168.62.2 4500 1.2.3.4 4500 extendable

Is there something else I need to enable on the 1841? I tried turning on ESP and allowing isakmp and esp via access-lists. However, the first access-list rule should allow all of that through anyway, so now I'm at a loss.

alexp206
  • 101
  • 2

1 Answer

0

PPTP has nothing to do with L2TP. PPTP uses GRE to transport the payload and tcp/1723 as the control channel, while L2TP uses udp/1701 as a single channel, which can be further encrypted by IPsec. By the way, Windows out of the box does enforce IPsec on L2TP.

Thus your NAT settings have nothing to do with the L2TP/IPsec you are trying to pass through your gateway, because you should pass udp/500 and the AH/ESP protocols (the latter depends on the security policy that the Windows VPN hub is enforcing, and AH won't work through NAT at all). Furthermore, having a VPN hub behind a Cisco gateway that you control is total nonsense, because the Cisco is capable of both dot1q encapsulation and VPN termination, including L2TP with or without IPsec. So either give your Windows VPN hub full WAN connectivity via a VLAN, or configure the VPN server on the Cisco.

drookie
  • 8,625
  • 1
  • 19
  • 29
  • I think he knows that PPTP has nothing to do with L2TP, he's just saying that he has configured both and one is working while the other is not. He has udp/500 (ike) and udp/4500 (ipsec over UDP) configured, so that should be sufficient for L2TP/IPsec to work, because of NAT-T. Which is why I suspected that maybe L2TP/IPsec is working ok, and PPTP is failing, since indeed (as you say) PPTP uses GRE in addition to tcp/1723 – hertitu Oct 28 '16 at 10:24
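As an added example (not code from the question, the answer or the comment), a small Python checker that parses static NAT rules in the `ip nat inside source static` syntax shown above and reports, per VPN flavour, which forwards are missing. The requirement table is my own summary of the thread (tcp/1723 plus GRE for PPTP, udp/500 plus udp/4500 for L2TP/IPsec with NAT-T, udp/1701 for plain L2TP), and it assumes that a whole-host static mapping with no protocol/port passes GRE while a port rule cannot.

```python
import re
# Constructed sample: the four static NAT rules quoted in the question.
SAMPLE_NAT_RULES = """
ip nat inside source static udp 192.168.62.2 500 1.2.3.4 500 extendable
ip nat inside source static udp 192.168.62.2 1701 1.2.3.4 1701 extendable
ip nat inside source static tcp 192.168.62.2 1723 1.2.3.4 1723 extendable
ip nat inside source static udp 192.168.62.2 4500 1.2.3.4 4500 extendable
"""

# Port-level static NAT: forwards one tcp/udp port only.
PORT_RULE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
# Whole-host static NAT (no protocol/port): assumed to forward every IP protocol, GRE included.
HOST_RULE = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

# Assumed requirement table; GRE has no port, so it is marked with 0 and handled specially.
REQUIREMENTS = {
    "PPTP": {("tcp", 1723), ("gre", 0)},
    "L2TP/IPsec (NAT-T)": {("udp", 500), ("udp", 4500)},  # udp/1701 rides inside ESP-in-UDP
    "L2TP without IPsec": {("udp", 1701)},
}

def parse_static_nat(config):
    """Return (set of (proto, outside_port) forwarded, set of inside hosts with full 1:1 NAT)."""
    ports, hosts = set(), set()
    for line in (l.strip() for l in config.splitlines()):
        m = PORT_RULE.match(line)
        if m:
            ports.add((m.group(1), int(m.group(5))))  # the outside port is what the client hits
            continue
        m = HOST_RULE.match(line)
        if m:
            hosts.add(m.group(1))
    return ports, hosts

def missing_forwards(config):
    """Map each VPN flavour to the list of required forwards the config does not provide."""
    ports, hosts = parse_static_nat(config)
    report = {}
    for name, needs in REQUIREMENTS.items():
        missing = []
        for proto, port in sorted(needs):
            if hosts:
                continue  # a whole-host mapping passes every protocol and port
            if proto == "gre":
                missing.append("gre (needs whole-host static NAT, not a port rule)")
            elif (proto, port) not in ports:
                missing.append(f"{proto}/{port}")
        report[name] = missing
    return report
```

Run against the question's rules it reports L2TP/IPsec and plain L2TP as fully forwarded and only GRE missing for PPTP, which matches the comment's reasoning.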