IPSec over L2TP



Introduction


Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec can be used to protect data flows between a pair of hosts (e.g. user workstations or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host. Tunnel mode is used to create Virtual Private Networks for network-to-network, host-to-network and host-to-host communications. In tunnel mode the entire original IP packet is encrypted and then encapsulated in a new IP packet with a new IP header.

The following configuration demonstrates how to establish an L2TP tunnel and run IPsec over it. First we create the tunnel between the two routers, then we run IPsec over it, so that the data exchanged between the machines at the two ends is encrypted.

To start the configuration, consider the following network scenario in which there are three LAN segments and two routers. The network machines must be configured for their IP addresses and appropriate default routes as indicated below.


Network Diagram

Configuration


Machine-1

root@machine-1# ifconfig eth0 172.168.1.1/16
root@machine-1# route add default gw 172.168.1.2

Machine-2

root@machine-2# ifconfig eth0 192.168.1.2/16
root@machine-2# route add default gw 192.168.1.1

Now let's configure the Okapi router as follows:

Okapi(config)# interface FastEthernet 0
Okapi(config-if-eth)# ip address 172.168.1.2 255.255.0.0
Okapi(config-if-eth)# no shutdown
Okapi(config)# interface FastEthernet 1
Okapi(config-if-eth)# ip address 100.1.1.1 255.255.0.0
Okapi(config-if-eth)# no shutdown
Okapi(config)# l2tp-class c1
Okapi(config-l2tp-class)# exit
Okapi(config)# pseudowire-class c2
Okapi(config-pw-class)# protocol l2tpv2 c1
Okapi(config-pw-class)# exit

Here we create the L2TP tunnel with CHAP authentication. Note that before the L2TP client is configured and started on the Okapi router with the following commands, an L2TP server must already be running on Router-B with the same authentication method and the same username and password.

Okapi(config)# interface Virtual-PPP 0
Okapi(config-if-virtualppp)# encapsulation ppp
Okapi(config-if-virtualppp)# ppp authentication chap
Okapi(config-if-virtualppp)# ppp hostname client password client
Okapi(config-if-virtualppp)# exit
Okapi(config)# username steve password hello

Okapi(config)# interface Virtual-PPP 0
Okapi(config-if-virtualppp)# ppp ipcp-accept-local
Okapi(config-if-virtualppp)# ppp ipcp-accept-remote
Okapi(config-if-virtualppp)# pseudowire 100.1.1.2 pw-class c2
Okapi(config-if-virtualppp)# no shutdown
Okapi(config-if-virtualppp)# exit

The IP address range assigned to L2TP clients, as configured on the L2TP server, is 122.180.66.10 to 122.180.66.254; the server IP is 122.180.66.1. Once the above configuration is in place on the Okapi router, an L2TP tunnel is established between the Okapi router and Router-B, and our router should have received an IP address from that range (e.g. 122.180.66.10) from the L2TP server. The tunnel can be tested by executing the show interface command on Okapi and by pinging the L2TP server, i.e. 122.180.66.1.

With the L2TP tunnel in place, let's proceed with the IPsec configuration. Start by defining an access list that permits all traffic between the two LAN segments; the crypto map will later apply IPsec to the traffic this list matches.

Okapi(config)# access-list 101 permit all 172.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

Define the ISAKMP policy as shown below:

Okapi(config)# crypto isakmp policy 1
Okapi(config-isakmp)# encryption triple-des
Okapi(config-isakmp)# hash md5
Okapi(config-isakmp)# authentication pre-share

Configure the pre-shared key that will be used for authentication. Note that the same key must be configured on the other end as well, i.e. Router-B in our case.

Okapi(config)# crypto isakmp key 12345 address 122.180.66.1
Okapi(config)# crypto ipsec transform-set set1 esp-3des ah-md5-hmac
Okapi(cfg-crypt-trans)# mode tunnel
Okapi(cfg-crypt-trans)# exit

Then configure a crypto map that applies the access list and transform set configured above.

Okapi(config)# crypto map map1 0 ipsec-isakmp
Okapi(config-crypto-map)# match address 101
Okapi(config-crypto-map)# set transform-set set1
Okapi(config-crypto-map)# set peer 122.180.66.1
Okapi(config-crypto-map)# exit

Finally, apply this crypto map to our L2TP tunnel interface.

Okapi(config)# interface Virtual-PPP 0
Okapi(config-if-virtualppp)# crypto map map1

At this point we have established a secured tunnel between the two LANs. This can be verified by pinging machine-2 from machine-1.
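Before pinging, it helps to know exactly which flows the crypto map will protect. The following is an added example (not Okapi code) that models the wildcard-mask matching of access list 101 above, assuming the standard semantics in which a wildcard bit of 1 means "don't care" and 0 means "must match". It shows that the LAN-to-LAN traffic from machine-1 to machine-2 is selected for IPsec, while the earlier tunnel-test ping from the router's assigned address (122.180.66.10) to the L2TP server is not matched and therefore travels over plain L2TP only.

```python
"""Model of crypto-map traffic selection for access list 101 (added example, not Okapi code)."""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr is inside network/wildcard; bits set in the wildcard are ignored."""
    care = (~_to_int(wildcard)) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def parse_acl(line: str) -> dict:
    """Parse 'access-list <id> <action> <proto> <src> <src-wc> <dst> <dst-wc>' (page syntax)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list":
        raise ValueError(f"unsupported access-list syntax: {line!r}")
    return {"id": int(tok[1]), "action": tok[2], "proto": tok[3],
            "src": tok[4], "src_wc": tok[5], "dst": tok[6], "dst_wc": tok[7]}


def acl_matches(acl: dict, src: str, dst: str) -> bool:
    """Both the source and destination must fall inside their network/wildcard pairs."""
    return (wildcard_match(src, acl["src"], acl["src_wc"])
            and wildcard_match(dst, acl["dst"], acl["dst_wc"]))


def classify(acl: dict, src: str, dst: str) -> str:
    """'ipsec' if the crypto map would protect this flow on Virtual-PPP 0, else 'l2tp-only'."""
    if acl["action"] != "permit":
        raise ValueError("only permit entries select traffic for IPsec")
    return "ipsec" if acl_matches(acl, src, dst) else "l2tp-only"


# Access list 101 exactly as configured on the Okapi router above.
ACL_101 = parse_acl(
    "access-list 101 permit all 172.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255")

if __name__ == "__main__":
    # Flows taken from the page: machine-1 -> machine-2, and the tunnel-test ping
    # from Okapi's L2TP-assigned address to the L2TP server.
    for src, dst in [("172.168.1.1", "192.168.1.2"), ("122.180.66.10", "122.180.66.1")]:
        print(f"{src} -> {dst}: {classify(ACL_101, src, dst)}")
```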