Cisco – Using a Cisco router as an L2TP client

cisco, cisco-ios, ipsec, vpn

I have a customer that for various reasons has a Cisco router sitting behind a NATed ADSL connection. They want to create a VPN to one of our points of presence, and the only options we offer are site-to-site or L2TP dial-in.

Is it possible to configure their Cisco (3925) to connect via L2TP to our PoP? The L2TP server is a pair of Fortigate 100Ds and the configuration allows iPads, laptops, etc to dial in no problem, protected by IPSEC.

I'm testing this in my office with a 1921; the few references I've found indicate that a pseudowire setup is necessary, but I'm having trouble getting that up, and with where IPSEC fits into it.

Best Answer

Sure, it's certainly possible. Basically, you'll need to set up a crypto map to catch and encrypt the L2TP traffic. The pseudowire/L2TP config can be attached to a Virtual-PPP interface. Here's a config snippet that should get you going.

! Basic ISAKMP/IPsec configuration, tweak as needed.
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 4000
!
crypto isakmp key *preshared key* address 1.2.3.4
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode transport
!
! Crypto map that will catch our L2TP Traffic defined in the L2TP_TRAFFIC ACL.
!
crypto map L2TP_VPN 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set ESP-AES256-SHA1
 match address L2TP_TRAFFIC
!
! Match the L2TP traffic.
!
ip access-list extended L2TP_TRAFFIC
 permit udp host *Outbound IP* eq 1701 host 1.2.3.4 eq 1701
!
! Apply the crypto map to the outbound/internet-facing interface.
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map L2TP_VPN
!
! Define the pseudowire class that will speak L2TP and the source interface.
!
pseudowire-class L2TP_PW
 encapsulation l2tpv2
 ip local interface FastEthernet0/0
!
! Create the Virtual-PPP interface to bind the pseudowire class to.
!
interface Virtual-PPP1
 description L2TP Tunnel
 ip address negotiated
 ppp chap hostname *User Name*
 ppp chap password *Password*
 ppp ipcp address accept
 pseudowire 1.2.3.4 1 pw-class L2TP_PW

You'll also need to add in the relevant NAT and/or routing for your scenario.
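The answer leaves the routing and NAT pieces, and how to confirm the tunnel actually came up encrypted, to the reader. The following is an added example, not part of the original answer and not tested against the Fortigate side, that builds on the names used above (Virtual-PPP1, peer 1.2.3.4). Everything else is an assumption chosen for illustration: 10.20.0.0/16 stands for the network behind the PoP, GigabitEthernet0/1 for the customer LAN interface, and 192.168.10.0/24 for the LAN itself; substitute your own values.

```cisco
! ---- Routing: send PoP-bound traffic into the L2TP session ----
! Static route pointing at the point-to-point Virtual-PPP interface,
! so only the remote network (assumed 10.20.0.0/16) uses the tunnel
! and everything else keeps following the default route.
ip route 10.20.0.0 255.255.0.0 Virtual-PPP1
!
! ---- NAT: hide the LAN behind the address the PoP assigned ----
! The PoP only knows the negotiated Virtual-PPP1 address, so LAN hosts
! (assumed 192.168.10.0/24) are PAT'd to it; replies then return over
! the tunnel instead of being dropped at the PoP.
ip access-list standard LAN_TO_VPN
 permit 192.168.10.0 0.0.0.255
!
ip nat inside source list LAN_TO_VPN interface Virtual-PPP1 overload
!
interface GigabitEthernet0/1
 ip nat inside
!
interface Virtual-PPP1
 ip nat outside
!
! ---- Verification (exec mode), in the order the tunnel comes up ----
! 1. Phase 1 SA with peer 1.2.3.4 should show QM_IDLE / ACTIVE.
show crypto isakmp sa
! 2. Phase 2 SA for the UDP/1701 selector; #pkts encaps/decaps must
!    both increase while traffic flows, otherwise L2TP is leaving
!    unencrypted or the crypto ACL is not matching.
show crypto ipsec sa peer 1.2.3.4
! 3. L2TPv2 session to 1.2.3.4 in established state.
show l2tp session
! 4. Line protocol up and the negotiated address from IPCP.
show interfaces Virtual-PPP1
! 5. Remote network reachable via Virtual-PPP1, not the default route.
show ip route 10.20.0.0
```

The check worth doing first is step 2: the crypto ACL in the answer matches UDP/1701 only, so if the encaps counter stays at zero while the L2TP session still establishes, the control traffic has bypassed IPsec and the session is running in the clear. Also note that the ISAKMP policy above negotiates 3DES with DH group 2; both are considered legacy today, and if the Fortigate peer supports it you should prefer AES-256 with group 14 or higher and confirm the negotiated parameters in the `show crypto isakmp sa detail` output.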
