Dual-egress L2TP over IPsec dial-up does not succeed

Publication Date:  2012-10-30 Views:  188 Downloads:  0
Issue Description
The user's network structure is as follows:

The user has two egress links and applies the L2TP over IPsec policy on interface GigabitEthernet0/0/0. L2TP over IPsec dial-up does not succeed: it only reaches the third step, "IKE negotiation finished", whereas plain L2TP dial-up (without IPsec) succeeds.


Alarm Information
none
Handling Process
1. Checked the user's L2TP over IPsec configuration; the configuration is correct.
2. Tested from the client: when dialing L2TP directly, it succeeds. With L2TP over IPsec, the IKE SA and the IPsec SA are both established successfully and the client reaches the third step. The test client's public address is 218.17.167.141 and its private address is 192.168.253.4.
[USG2200]dis ipsec sa brief
11:51:39  2012/03/27
current ipsec sa number: 4
current ipsec tunnel number: 2
--------------------------------------------------------------
Src Address     Dst Address     SPI        VPN  Protocol  Algorithm
-------------------------------------------------------------------
222.89.219.140  222.177.165.38  3195651139 0    ESP       E:3DES;A:HMAC-SHA1-96;
219.157.77.42   218.17.167.141  2829758394 0    ESP       E:DES;A:HMAC-MD5-96;
218.17.167.141  219.157.77.42   1609816794 0    ESP       E:DES;A:HMAC-MD5-96;
222.177.165.38  222.89.219.140  2989732539 0    ESP       E:3DES;A:HMAC-SHA1-96;

[USG2200]dis ipse sa
11:52:28  2012/03/27
===============================
Interface: GigabitEthernet0/0/0
    path MTU: 1500
===============================
  -----------------------------
  IPsec policy name: "policy11"
  sequence number: 1
  mode: template
  vpn: 0
  -----------------------------
    connection id: 3529
    rule number: 65535
    encapsulation mode: tunnel
    holding time: 0d 0h 0m 5s
    tunnel local : 219.157.77.42    tunnel remote: 218.17.167.141
    flow      source: 219.157.77.42/255.255.255.255 17/1701
    flow destination: 192.168.253.4/255.255.255.255 17/5279
[USG2200]dis ike sa
11:52:25  2012/03/27
current ike sa number: 5
  ---------------------------------------------------------------------
  connection-id  peer                    vpn   flag        phase   doi
  --------------------------------------------------------------------
   0xdc9         218.17.167.141:0802     0     RD          v1:2    IPSEC
   0xdc8         218.17.167.141:0802     0     RD          v1:1    IPSEC
   0xda6         222.177.165.38          0     RD|ST       v1:2    IPSEC
   0xd8c         222.177.165.38          0     RD|ST       v1:1    IPSEC
   0xd96         222.89.219.140:1594     0     RD          v1:1    IPSEC
3. Checked the routes to the public address 218.17.167.141 and the private address 192.168.253.4 and found that neither goes out through GigabitEthernet0/0/0, the interface to which the IPsec policy for L2TP over IPsec dial-up is applied. The user's default route goes out through GigabitEthernet0/0/1, so the L2TP packets do not match the corresponding IPsec policy, which causes the dial-up failure.
[USG2200]display ip routing-table  192.168.253.4
12:26:53  2012/03/27
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface
0.0.0.0/0   Static 60   0           D  222.89.219.129  GigabitEthernet0/0/1
[USG2200]display ip routing-table  218.17.167.141
12:27:03  2012/03/27
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface
0.0.0.0/0   Static 60   0           D  222.89.219.129  GigabitEthernet0/0/1
4. Modified the routing configuration and dialed again; the dial-up succeeded.
The configuration is as follows:
ip route-static 218.17.167.141 255.255.255.255 219.157.77.41
ip route-static  192.168.253.4  255.255.255.255  219.157.77.41

5. Suggested that the user modify the default route so that it goes out through GigabitEthernet0/0/0 first; L2TP over IPsec dial-up will then work normally.
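As an added check (not part of the original case), the following Python script parses routing-table rows in the format of the display output above and applies a longest-prefix lookup to confirm whether the client's public (IKE/ESP peer) and inner (L2TP) addresses egress through the interface carrying the IPsec policy, before and after the two host routes from step 4 are added. The egress interface for next hop 219.157.77.41 is an assumption (it is the neighbour of the tunnel-local address 219.157.77.42 on GigabitEthernet0/0/0).

```python
import ipaddress

# Constructed sample in the format of the USG 'display ip routing-table' output on this page:
# only the static default route via GigabitEthernet0/0/1 exists.
ROUTING_TABLE_BEFORE = """\
Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface
0.0.0.0/0   Static 60   0           D  222.89.219.129  GigabitEthernet0/0/1
"""
# Same table after adding the two host routes from step 4. The egress interface for
# next hop 219.157.77.41 is an assumption (the IPsec tunnel-local address is 219.157.77.42).
ROUTING_TABLE_AFTER = ROUTING_TABLE_BEFORE + """\
218.17.167.141/32   Static 60   0           D  219.157.77.41   GigabitEthernet0/0/0
192.168.253.4/32    Static 60   0           D  219.157.77.41   GigabitEthernet0/0/0
"""
POLICY_INTERFACE = "GigabitEthernet0/0/0"   # interface where 'ipsec policy policy11' is applied

def parse_routes(text):
    """Parse rows of the routing-table display into (network, next_hop, interface)."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        # Data rows have at least 6 columns and start with a prefix such as 0.0.0.0/0.
        if len(cols) < 6 or cols[0].startswith("Destination") or "/" not in cols[0]:
            continue
        routes.append((ipaddress.ip_network(cols[0]), cols[-2], cols[-1]))
    return routes

def egress(routes, dst):
    """Longest-prefix match: the (next_hop, interface) the device would use for dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def check_l2tp_over_ipsec(table_text, public_ip, inner_ip):
    """For the client's public (IKE/ESP peer) and inner (L2TP) addresses, report the
    egress interface and whether it is the one carrying the IPsec policy."""
    routes = parse_routes(table_text)
    report = {}
    for ip in (public_ip, inner_ip):
        hop = egress(routes, ip)
        iface = hop[1] if hop else None
        report[ip] = (iface, iface == POLICY_INTERFACE)
    return report

if __name__ == "__main__":
    print("before:", check_l2tp_over_ipsec(ROUTING_TABLE_BEFORE, "218.17.167.141", "192.168.253.4"))
    print("after: ", check_l2tp_over_ipsec(ROUTING_TABLE_AFTER, "218.17.167.141", "192.168.253.4"))
```

A `False` in the report means traffic to that address leaves through an interface without the IPsec policy, which is exactly the condition found in step 3.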
Root Cause
The user's IPsec configuration may be incorrect.
Suggestions
none

END