March 20, 2014

L2VPN on Cisco ISR routers


Surely you know the situation where you need to solve a problem that you did not expect. One such situation we faced was providing secure L2 connectivity between our HQ in Prague and a demo site in Kyiv. Since the only requirement we had at the time of the hardware purchase was to provide an IPsec VPN from the remote demo site through the Internet to HQ, we chose and bought a Cisco ISR 2901 with the Security license. On the HQ side we planned to terminate the IPsec tunnel on an existing Cisco ISR 1811.

At the moment of implementation a new requirement arose: "We need to extend VLAN9 of our Prague LAN to Kyiv, and we still need to do it in a secure way." What to do now? In the end we decided to provide a secure L2 tunnel using L2TPv3 protected by IPsec. The only thing we needed was to purchase an additional Data licence for the Kyiv 2901 router.

You can see our network topology in this diagram:

Network scheme

The important parts of the routers' configurations are provided here:

RTR1
l2tp-class l2tp-defaults
 retransmit initial retries 30
 cookie size 8
!
pseudowire-class vlan-xconnect
 encapsulation l2tpv3
 ip local interface Loopback0
 ip tos reflect
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxx address 2.2.2.2
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-AES256-SHA
 match address 100
!
interface Loopback0
 description L2TP source if
 ip address 10.1.11.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 1.1.1.1 255.255.255.224
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1.9
 encapsulation dot1Q 9
 no ip proxy-arp
 xconnect 10.22.254.53 1 pw-class vlan-xconnect
!
access-list 100 permit ip host 10.1.11.1 host 10.22.254.53

RTR2
l2tp-class l2tp-defaults
 retransmit initial retries 30
 cookie size 8
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxx address 1.1.1.1
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ESP-AES256-SHA
 match address 100
!
pseudowire-class vlan-xconnect
 encapsulation l2tpv3
 ip local interface Loopback0
 ip tos reflect
!
interface Loopback0
 description L2TP source if
 ip address 10.22.254.53 255.255.255.255
!
interface FastEthernet0
 ip address 2.2.2.2 255.255.255.224
 no ip proxy-arp
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1.9
 encapsulation dot1Q 9
 no ip proxy-arp
 xconnect 10.1.11.1 1 pw-class vlan-xconnect
!
access-list 100 permit ip host 10.22.254.53 host 10.1.11.1

How does it work?
It is not rocket science. Traffic from the VLAN9 subinterfaces (Gi0/1.9 and Fa1.9) is "xconnected", that is, encapsulated in L2TPv3. The destination address of the L2TP packets is set by the xconnect command; the source IP address is set in the pseudowire class named "vlan-xconnect", where we use Loopback0 as the source. Based on the destination IP address the traffic is routed out through the WAN interfaces (Gi0/0 and Fa0), where crypto map SDM_CMAP_1 is applied. ACL 100 matches the traffic between the Loopbacks of both routers, so it is encrypted with ESP. On the other side the traffic is decrypted, "xconnected" again, that is, decapsulated from L2TP, and sent out on the VLAN9 subinterface.
That's what we needed to achieve!
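As an added example (not part of the original post or the routers' own configuration), here is a small Python check that parses constructed, trimmed excerpts of the two configs above and verifies the things that have to line up for the pseudowire to actually be encrypted: each xconnect peer is the other side's Loopback0, the crypto map is applied to an interface, and the crypto ACL matches the loopback-to-loopback L2TPv3 flow. The parse() and check() functions are hypothetical helpers written for this post, not IOS features; an empty result means the pair is consistent, and any finding points at a cleartext or non-working pseudowire.

```python
import re
# Constructed, trimmed excerpts of the RTR1 and RTR2 configs shown above (same addresses).
RTR1 = """interface Loopback0
 ip address 10.1.11.1 255.255.255.255
interface GigabitEthernet0/0
 crypto map SDM_CMAP_1
interface GigabitEthernet0/1.9
 xconnect 10.22.254.53 1 pw-class vlan-xconnect
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
access-list 100 permit ip host 10.1.11.1 host 10.22.254.53"""
RTR2 = """interface Loopback0
 ip address 10.22.254.53 255.255.255.255
interface FastEthernet0
 crypto map SDM_CMAP_1
interface FastEthernet1.9
 xconnect 10.1.11.1 1 pw-class vlan-xconnect
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 100
access-list 100 permit ip host 10.22.254.53 host 10.1.11.1"""

def parse(cfg):
    f, section = {"acl": {}, "crypto_if": []}, ""  # facts the pairing depends on
    for line in cfg.splitlines():
        cmd = line.split() or [""]
        if not line.startswith(" "):  # an unindented line opens a new config section
            section, m = line, re.match(r"access-list (\d+) permit ip host (\S+) host (\S+)", line)
            if m:
                f["acl"].setdefault(m[1], []).append((m[2], m[3]))
        elif section == "interface Loopback0" and cmd[:2] == ["ip", "address"]:
            f["loopback"] = cmd[2]
        elif section.startswith("interface") and cmd[0] == "xconnect":
            f["xconnect_peer"] = cmd[1]
        elif section.startswith("interface") and cmd[:2] == ["crypto", "map"]:
            f["crypto_if"].append(section.split()[1])
        elif section.startswith("crypto map") and cmd[:2] == ["match", "address"]:
            f["crypto_acl"] = cmd[2]
    return f

def check(local, remote):
    issues = []  # empty list means this side is consistent with its peer
    if local.get("xconnect_peer") != remote.get("loopback"):
        issues.append("xconnect peer is not the remote Loopback0")
    if not local["crypto_if"]:
        issues.append("crypto map not applied to any interface")
    # L2TPv3 has no encryption of its own: a crypto ACL that misses the loopback-to-loopback flow sends the pseudowire out in cleartext.
    pair = (local.get("loopback"), remote.get("loopback"))
    if pair not in local["acl"].get(local.get("crypto_acl"), []):
        issues.append("crypto ACL does not cover %s -> %s" % pair)
    return issues
```

Run check(parse(RTR1), parse(RTR2)) and the reverse to validate both directions; the same check applied to a copy of the config with a mistyped ACL host or a missing interface-level crypto map reports the exact gap.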

IOS versions used
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M3, RELEASE SOFTWARE (fc2) with IP Base, Security and Data licenses
Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)