Cisco – L2TP over IPSEC with a LAN to LAN link

ciscoipsecl2tp

I'm looking to add security on a LAN to LAN link that we have in my network.
This LAN to LAN link is used to extend vlans over 2 sites (local & remote).

For now, the diagram is this one :

I have to add the security features with 2 Cisco 891 routers (this is not a choice but a constraint).

I am looking to change the network architecture following this diagram :

In fact, the idea here is to add a 891 router between my L3 switch and the ISP's equipment, and to do this on both sites of course.

Then, I will have to create L3 connectivity between my 2 routers using the lan to lan link.
This way I can encrypt the packets using IPSEC.

But to be as transparent as possible for the network, I will have to encapsulate the L2 datagrams coming from my network into L2TP packets, which will then be encrypted via IPSEC and sent over the LAN to LAN link to the remote router.

Am I correct in these assumptions ? Is this something that is technically possible ?

I don't really know how I can interconnect my 891 router with the ISP's equipment, for starters.

Thanks for the help
Jeremy

Best Answer

Well, You can extend the LANs with L2TPv3 and protect the setup with IPsec.

Here's example configuration: https://www.softether.org/index.php?title=4-docs/2-howto/L2TP//IPsec_Setup_Guide_for_SoftEther_VPN_Server/Cisco_IOS_L2TPv3//IPsec_Edge-VPN_Router_Setup

And here's another one, modern, using FlexVPN - unfortunately, depending on your IOS version, you may not be able to use it: http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116207-configure-l2tpv3-00.html

I did some testing for that kind of setups, bear in mind transporting all the L2 traffic over IP will cost you bandwidth. If you need any help in setup/troubleshooting, let me know.

As for more obvious problem - connecting 891's to ISPs - just point default network to them as gateway. From this setup the routing itself is typical in terms of configuration.

Related Solutions

Ports in IPSec tunnel

IPSEC has no ports. In IPv4 IPSEC, or to be more precise AH (authentication header) and ESP (encapsulation security payload), are two IP protocols just like TCP and UDP. In IPv6 IPSEC is part of the protocol are there are two extension headers one for authentication and one for encryption.

The only thing that has something to do with ports is IKE (Internet Key Exchange) protocol which uses UDP 500 or 4500.

Cisco – Deploying an IPSEC secure-channel – isakmp SA empty

If I understand your question correctly - you are trying to deploy an IPSec Site-to-Site tunnel between the two routers.

In this case there are several problems in your configuration as far as I can tell:

First of all - you need to establish a GRE (Unencrypted) tunnel between the two routers like so:

Router A:

    interface Tunnel100
     tunnel source 172.16.1.1
     tunnel destination 172.17.1.1
     ip address [inner ip-address] [inner subnet-mask]

Router B:

    interface Tunnel100
     tunnel source 172.17.1.1
     tunnel destination 172.16.1.1
     ip address [inner ip-address] [inner subnet-mask]

Now, in order for this to work there needs to be end-to-end connectivity between 172.16.1.1 and 172.17.1.1. In your config this is achieved with the ip route 0.0.0.0 0.0.0.0 172.[...] line but I would suggest strongly against that, as you will probably want to route all of your traffic through the tunnel later.

Change it to ip route 172.16.0.0 255.254.0.0 172.[...] instead (at least) - so only traffic in the 172.16/15 subnet is routed through the interface.

Once Tunnel100 is up - the tunnel ends (inner ip addresses) should be pingable, e.g if the inner ip-addresses are (A) - 192.168.0.1 and (B) - 192.168.0.2 you should be able to ping 192.168.0.2 from Router A:

ping 192.168.0.2 source 192.168.0.1
[...]
!!!!!

If this is working you would probably want to add a default route through the tunnel - as mentioned above:

ip route 0.0.0.0 0.0.0.0 192.168.0.[1 or 2]

Now, the next thing that should be done is encryption or "tunnel protection":

interface Tunnel100
 tunnel protection ipsec profile [isakmp-profile]

Check out this guide for a detailed explanation on isakmp profiles. It is also possible to use default

Also, you might be interested in this guide for deploying an IPSec vpn using ikev2 signaling (rather than isakmp) - the main difference being the (lack of) need to configure crypto-maps.

Cisco are slowly deprecating isakmp in a venture to replace it by ikev2, so it might be a good practice to deploy that configuration instead.

Hope this helped.

Regards,

Iliya

Best Answer

Related Solutions

Ports in IPSec tunnel

Cisco – Deploying an IPSEC secure-channel – isakmp SA empty

Related Topic