
Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec



Introduction

Use this sample configuration to encrypt Layer 2 Tunneling Protocol (L2TP) traffic with IPSec for dial-in users.

Hardware and Software Versions

This configuration was developed and tested using the software and hardware versions below.

Network Diagram

Configurations

LAC Configuration
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname LAC
!
enable password 
!
username LAC password 
ip subnet-zero
!
!--- Enable VPDN.
vpdn enable
!
vpdn search-order domain 
vpdn-group 1
request dialin l2tp ip 20.1.1.2 domain cisco.com
local name LAC
!
!--- Create Internet Key Exchange (IKE) policy 1, which would be
!--- given highest priority if there were additional IKE policies.
!--- Specify policy using pre-shared key for authentication,
!--- Diffie-Hellman group 2, lifetime and peer address.
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 20.1.1.2 
!
!--- Create IPSEC transform set named "testtrans" 
!--- using DES for ESP with transport mode.
!--- Note that AH is not used.
crypto ipsec transform-set testtrans esp-des 
!
!--- Create crypto map l2tpmap (assigned to Serial 0), using IKE for
!--- Security Associations with map-number 10
!--- and using the "testtrans" transform set as a template.
!--- Set the peer and specify access list 101, which is used
!--- to determine which traffic (L2TP) is to be protected by IPSec.
crypto map l2tpmap 10 ipsec-isakmp 
set peer 20.1.1.2
set transform-set testtrans 
match address 101
!
interface Ethernet0
ip address 10.31.1.6 255.255.255.0
no ip directed-broadcast
!
interface Serial0
ip address 20.1.1.1 255.255.255.252
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no fair-queue
!--- Assign crypto map l2tpmap to interface.
crypto map l2tpmap
!
interface Async1
ip unnumbered Ethernet0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
async mode dedicated
peer default ip address pool my_pool
ppp authentication chap
!
!--- Create IP Pool named "my_pool" and specify IP range. 
ip local pool my_pool 10.31.1.100 10.31.1.110
ip classless
ip route 0.0.0.0 0.0.0.0 10.31.1.1
!
!--- Specify L2TP traffic as interesting to use with IPSec.
access-list 101 permit udp host 20.1.1.1 eq 1701 host 20.1.1.2 eq 1701
!
tftp-server flash:c2500-js56i-l.120-2a.T1.bin
!
line con 0
exec-timeout 0 0
transport input none
line 1
autoselect during-login
autoselect ppp
modem InOut
transport input all
speed 38400
flowcontrol hardware
line aux 0
line vty 0 4
password 

LNS Configuration
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname LNS
!
enable password 
!
username LNS password 
ip subnet-zero
!
!--- Enable VPDN.
vpdn enable
!
!--- Configure vpdn group 1 to accept an open tunnel request from LAC,
!--- define L2TP as the protocol, and identify virtual-template 1
!--- to use for cloning virtual access interfaces.
vpdn-group 1
accept dialin l2tp virtual-template 1 remote LAC
local name LNS
!
!--- Create Internet Key Exchange (IKE) policy 1, which would be
!--- given highest priority if there were additional IKE policies.
!--- Specify policy using pre-shared key for authentication,
!--- Diffie-Hellman group 2, lifetime and peer address.
crypto isakmp policy 1
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 20.1.1.1 
!
!
!--- Create IPSEC transform set named "testtrans" 
!--- using DES for ESP with transport mode.
!--- Note that AH is not used.
crypto ipsec transform-set testtrans esp-des 
!
!--- Create crypto map l2tpmap (assigned to Serial 0), using IKE for
!--- Security Associations with map-number 10
!--- and using the "testtrans" transform set as a template.
!--- Set the peer and specify access list 101, which is used
!--- to determine which traffic (L2TP) is to be protected by IPSec.
crypto map l2tpmap 10 ipsec-isakmp 
set peer 20.1.1.1
set transform-set testtrans 
match address 101
!
interface Ethernet0
ip address 200.1.1.100 255.255.255.0
no ip directed-broadcast
no keepalive
!
!--- Create virtual-template interface used for "cloning"
!--- virtual-access interfaces using address pool "mypool" 
!--- with Challenge Authentication Protocol (CHAP) authentication.
interface Virtual-Template1
ip unnumbered Ethernet0
no ip directed-broadcast
no ip route-cache
peer default ip address pool mypool
ppp authentication chap
!
interface Serial0
ip address 20.1.1.2 255.255.255.252
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
no fair-queue
clockrate 1300000
!--- Assign crypto map l2tpmap to interface. 
crypto map l2tpmap
!
!--- Create IP Pool named "mypool" and specify IP range.
ip local pool mypool 200.1.1.1 200.1.1.10
ip classless
!
!--- Specify L2TP traffic as interesting to use with IPSec. 
access-list 101 permit udp host 20.1.1.2 eq 1701 host 20.1.1.1 eq 1701
!
line con 0
exec-timeout 0 0
transport input none
line aux 0
line vty 0 4
password 
login
!
end

debug Commands

Before issuing debug commands, please see Important Information on Debug Commands.


Related Information


All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights reserved. Important Notices and Privacy Statement.