Thursday, 27 August 2009

L2TPv3 over IPSec with VLANS-How to

This is the practical part of this lab: here

The idea of this lab is to bridge a local LAN, across the internet or another network you do not control, to a matching LAN at another site.

In this example we have 3 sites. Site 1 (which is the head office) has a server for each remote site (server 2 and server 3). L2TPv3 works by taking the frame received on its LAN interface, wrapping it up in L2TP goodness, and off it goes.

Again, what makes this cool is that the workstations (PC2 and PC3) have no idea that the servers are at another site.

Ok, now you're up to speed:


First, each router has a default route to R0:
R2:

ip route 0.0.0.0 0.0.0.0 10.0.20.10

R3:

ip route 0.0.0.0 0.0.0.0 10.0.30.10


R1:

ip route 0.0.0.0 0.0.0.0 10.0.10.10



Ok, now to the Layer 2 setup. As GNS3 cannot do switches (well, not properly anyway), you have to use a Cisco 3725 with a 16-port Ethernet switch card.

So, firstly, the trunks on R1, R2 and R3:

R1

!
interface FastEthernet1/1.200
encapsulation dot1Q 200
!
interface FastEthernet1/1.300
encapsulation dot1Q 300

!

R2

!
interface FastEthernet1/1.200
encapsulation dot1Q 200
!

R3

!
interface FastEthernet1/1.300
encapsulation dot1Q 300
!


Then setting up the switch:
Switch1

interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport access vlan 200
!
interface FastEthernet1/3
switchport access vlan 300
!


Switch2

!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport access vlan 200
!


Switch3

!
interface FastEthernet1/1
switchport mode trunk
!
interface FastEthernet1/2
switchport access vlan 300
!



I'll leave the setting up of the IP addresses to you :)

Ok now to the fun stuff the L2TPv3 setup:

R1

l2tp-class l2tp-defaults
retransmit initial retries 30
cookie size 8
!
!
pseudowire-class VLANS
encapsulation l2tpv3
protocol none
ip local interface FastEthernet1/0
!


R2

l2tp-class l2tp-defaults
retransmit initial retries 30
cookie size 8
!
!
pseudowire-class VLAN200
encapsulation l2tpv3
protocol none
ip local interface FastEthernet1/0
!


R3

l2tp-class l2tp-defaults
retransmit initial retries 30
cookie size 8
!
pseudowire-class VLAN300
encapsulation l2tpv3
protocol none
ip local interface FastEthernet1/0
!




Now part two of the setup, which is the actual pseudowire!
R1

!
interface FastEthernet1/1.200
encapsulation dot1Q 200
! The VC ID 200 here is not used with manual sessions...call it anything you like!
xconnect 10.0.20.2 200 encapsulation l2tpv3 manual pw-class VLANS
! These ids are important: 102 and 202 must be swapped on the other end
l2tp id 102 202
! "remote" is the cookie we send
! "local" is the cookie we expect to receive
! Therefore 221200 is Router 2 2 Router 1 VLAN 200 (R22R1VLAN200)
! This just makes it easier for you; you can use any number as long as
! it is flipped on the other end
l2tp cookie local 4 221200
l2tp cookie remote 4 122200
l2tp hello l2tp-defaults
!
interface FastEthernet1/1.300
encapsulation dot1Q 300
xconnect 10.0.30.3 300 encapsulation l2tpv3 manual pw-class VLANS
l2tp id 103 303
l2tp cookie local 4 321300
l2tp cookie remote 4 123300
l2tp hello l2tp-defaults
!


Then the spokes:
R2

!
interface FastEthernet1/1.200
encapsulation dot1Q 200
ip virtual-reassembly
xconnect 10.0.10.1 200 encapsulation l2tpv3 manual pw-class VLAN200
l2tp id 202 102
l2tp cookie local 4 122200
l2tp cookie remote 4 221200
l2tp hello l2tp-defaults
!


R3

interface FastEthernet1/1.300
encapsulation dot1Q 300
ip virtual-reassembly
xconnect 10.0.10.1 300 encapsulation l2tpv3 manual pw-class VLAN300
l2tp id 303 103
l2tp cookie local 4 123300
l2tp cookie remote 4 321300
l2tp hello l2tp-defaults
!
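To make the "flipped" rule above concrete, here is an added Python model of the L2TPv3-over-IP data plane (RFC 3931, section 4.1); it is example code written for this page, not configuration or code from the post or from Cisco. Every data packet carries the receiver's session ID followed by the receiver's cookie, so on each router `l2tp id` is "local remote" and the cookies are "what I expect" versus "what I send". The session and cookie values are the VLAN 200 ones from the R1 and R2 stanzas above; the sample Ethernet frame is constructed. The cookie is a plain equality check against misdirected or spoofed packets, not a cryptographic one, which is why the IPsec part of the post still matters.

```python
"""
Model of the L2TPv3-over-IP data plane (RFC 3931 section 4.1): session ID,
cookie, then the bridged Ethernet frame. Demonstrates why the 'l2tp id' and
'l2tp cookie' values must be mirrored between the two ends of a pseudowire.
"""
import struct
from dataclasses import dataclass
from typing import Optional

L2TPV3_IP_PROTO = 115  # L2TPv3 data over IP rides on protocol 115, not UDP 1701


def cookie(size: int, value: int) -> bytes:
    """Encode an IOS 'l2tp cookie {local|remote} <size> <value>' as wire bytes."""
    if size not in (4, 8):
        raise ValueError("L2TPv3 cookies are 4 or 8 bytes long (or absent)")
    return value.to_bytes(size, "big")


@dataclass(frozen=True)
class Session:
    """One end of a manual (protocol none) L2TPv3 session, i.e. one xconnect stanza."""
    local_id: int          # 'l2tp id <local> <remote>': ID we expect in received packets
    remote_id: int         # ID we write into packets we send
    local_cookie: bytes    # 'l2tp cookie local': value we expect to receive
    remote_cookie: bytes   # 'l2tp cookie remote': value we send


def encapsulate(s: Session, frame: bytes) -> bytes:
    """Build the payload of the IP protocol 115 packet: receiver's session ID, cookie, frame."""
    return struct.pack("!I", s.remote_id) + s.remote_cookie + frame


def decapsulate(s: Session, packet: bytes) -> Optional[bytes]:
    """Return the Ethernet frame if session ID and cookie are ours, else None (drop)."""
    header_len = 4 + len(s.local_cookie)
    if len(packet) < header_len:
        return None
    (session_id,) = struct.unpack("!I", packet[:4])
    if session_id != s.local_id:
        return None  # unknown session: dropped, never bridged onto the VLAN
    if packet[4:header_len] != s.local_cookie:
        return None  # cookie mismatch: mis-configured or spoofing peer
    return packet[header_len:]


def mirrored(a: Session, b: Session) -> bool:
    """True when the two ends are configured the way the post describes (flipped)."""
    return (a.local_id == b.remote_id and a.remote_id == b.local_id
            and a.local_cookie == b.remote_cookie and a.remote_cookie == b.local_cookie)


def roundtrip(sender: Session, receiver: Session, frame: bytes) -> Optional[bytes]:
    """Send a frame one way across the pseudowire and return what the far end bridges."""
    return decapsulate(receiver, encapsulate(sender, frame))


# The VLAN 200 pseudowire from the post: R1's and R2's xconnect values.
R1_VLAN200 = Session(102, 202, cookie(4, 221200), cookie(4, 122200))
R2_VLAN200 = Session(202, 102, cookie(4, 122200), cookie(4, 221200))
# The mistake the post warns about: R2 typed 'l2tp id 102 202' (ids not flipped).
R2_NOT_FLIPPED = Session(102, 202, cookie(4, 122200), cookie(4, 221200))

# Constructed sample frame: dst MAC, src MAC, EtherType 0x0800, dummy payload.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800") + b"payload"


if __name__ == "__main__":
    print("R1/R2 flipped correctly:", mirrored(R1_VLAN200, R2_VLAN200))
    print("R1 -> R2 bridged:", roundtrip(R1_VLAN200, R2_VLAN200, SAMPLE_FRAME) == SAMPLE_FRAME)
    print("R1 -> mis-configured R2:", roundtrip(R1_VLAN200, R2_NOT_FLIPPED, SAMPLE_FRAME))
```

Run it as-is and the mis-configured pair shows as `None`: the far end simply drops the packets, which is also what a real pseudowire looks like when the ids or cookies are not flipped (the session never comes up rather than failing loudly).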


You can now test that it works; however, at the moment it is all unencrypted!

Therefore, encryption:
R1

!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R1-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R12R2R3 100 ipsec-isakmp
set peer 10.0.30.3
set transform-set R1-TRANSFORM
match address 110
crypto map R12R2R3 200 ipsec-isakmp
set peer 10.0.20.2
set transform-set R1-TRANSFORM
match address 100
!
access-list 100 permit ip host 10.0.10.1 host 10.0.20.2
access-list 110 permit ip host 10.0.10.1 host 10.0.30.3
!
!
interface FastEthernet1/0
ip address 10.0.10.1 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
crypto map R12R2R3
!


R2

!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R2-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R22R1 100 ipsec-isakmp
set peer 10.0.10.1
set transform-set R2-TRANSFORM
match address 100
!
!
access-list 100 permit ip host 10.0.20.2 host 10.0.10.1
!
!
interface FastEthernet1/0
ip address 10.0.20.2 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
crypto map R22R1
!


R3

!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key letmein address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set R3-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R32R1 100 ipsec-isakmp
set peer 10.0.10.1
set transform-set R3-TRANSFORM
match address 100
!
access-list 100 permit ip host 10.0.30.3 host 10.0.10.1
!
!
interface FastEthernet1/0
ip address 10.0.30.3 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
crypto map R32R1
!



Bit of a sledgehammer approach to encryption, as everything between the router addresses will be wrapped up in ESP; however, if you wish to do this for just L2TP, then an ACL for UDP 1701 will do the job nicely.
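The crypto ACLs are what decide whether the L2TPv3 transport is protected at all, so a narrowing mistake leaves the pseudowire in clear text with no error on either router. The following added Python check (written for this page, not the post's own tooling) parses the `crypto map` and `access-list` stanzas above, copied from the R1, R2 and R3 configs, and confirms that each direction of each pseudowire is selected by a crypto map entry whose `set peer` is the far-end address. The minimal IOS parser only understands the `host`-to-`host` ACL form the post uses. It also shows the caveat on narrowing: with `encapsulation l2tpv3` the data plane is IP protocol 115 (RFC 3931), which is the point Iordanidis makes in the comments below, so an ACL written for UDP 1701 would not select it and the check reports the transport as unprotected.

```python
"""
Cross-check that the IPsec crypto ACLs cover the L2TPv3 transport between
each pair of routers, on both ends. Empty findings mean 'protected'.
"""
import re
from typing import Dict, List, Optional

# Crypto stanzas copied from the post for R1, R2 and R3 (transform-set lines omitted).
CONFIGS: Dict[str, str] = {
    "R1": """
crypto map R12R2R3 100 ipsec-isakmp
 set peer 10.0.30.3
 match address 110
crypto map R12R2R3 200 ipsec-isakmp
 set peer 10.0.20.2
 match address 100
access-list 100 permit ip host 10.0.10.1 host 10.0.20.2
access-list 110 permit ip host 10.0.10.1 host 10.0.30.3
""",
    "R2": """
crypto map R22R1 100 ipsec-isakmp
 set peer 10.0.10.1
 match address 100
access-list 100 permit ip host 10.0.20.2 host 10.0.10.1
""",
    "R3": """
crypto map R32R1 100 ipsec-isakmp
 set peer 10.0.10.1
 match address 100
access-list 100 permit ip host 10.0.30.3 host 10.0.10.1
""",
}

# Each router's 'ip local interface' address, which is also its xconnect peer address.
ADDRESSES = {"R1": "10.0.10.1", "R2": "10.0.20.2", "R3": "10.0.30.3"}
L2TPV3_OVER_IP = "115"  # RFC 3931: L2TPv3 data over IP uses protocol 115

ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) (\S+) host (\S+) host (\S+)(?: eq (\d+))?$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")


def parse(config: str):
    """Return (acls, map_entries) from the crypto-related lines of an IOS config."""
    acls: Dict[str, List[tuple]] = {}
    entries: List[dict] = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            num, action, proto, src, dst, port = m.groups()
            acls.setdefault(num, []).append((action, proto, src, dst, port))
        elif m := MAP_RE.match(line):
            entries.append({"name": m.group(1), "seq": int(m.group(2)), "peer": None, "acl": None})
        elif entries and line.startswith("set peer "):
            entries[-1]["peer"] = line.split()[2]
        elif entries and line.startswith("match address "):
            entries[-1]["acl"] = line.split()[2]
    return acls, entries


def ace_matches(ace: tuple, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
    """Does this access-list entry select the flow? 'ip' matches every protocol."""
    _, ace_proto, ace_src, ace_dst, ace_port = ace
    proto_ok = ace_proto == "ip" or ace_proto == proto
    port_ok = ace_port is None or (dport is not None and int(ace_port) == dport)
    return proto_ok and ace_src == src and ace_dst == dst and port_ok


def protecting_entry(config: str, proto: str, src: str, dst: str, dport: Optional[int] = None) -> Optional[dict]:
    """The crypto map entry whose ACL permits this flow (first matching ACE decides), else None."""
    acls, entries = parse(config)
    for entry in entries:
        for ace in acls.get(entry["acl"], []):
            if ace_matches(ace, proto, src, dst, dport):
                if ace[0] == "permit":
                    return entry
                break  # a matching deny means this entry does not select the flow
    return None


def check_pseudowire(configs: Dict[str, str], a: str, b: str,
                     proto: str = L2TPV3_OVER_IP, dport: Optional[int] = None) -> List[str]:
    """Findings for the a<->b transport in both directions; [] means both ends encrypt it."""
    findings = []
    for near, far in ((a, b), (b, a)):
        src, dst = ADDRESSES[near], ADDRESSES[far]
        entry = protecting_entry(configs[near], proto, src, dst, dport)
        if entry is None:
            findings.append(f"{near}: no crypto map entry selects proto {proto} {src}->{dst}; L2TPv3 leaves in clear text")
        elif entry["peer"] != dst:
            findings.append(f"{near}: {entry['name']} {entry['seq']} selects {src}->{dst} but has set peer {entry['peer']}")
    return findings


# Two narrowed R2 variants: the UDP 1701 form misses the protocol 115 transport, protocol 115 covers it.
R2_UDP_1701 = CONFIGS["R2"].replace("permit ip host", "permit udp host") .replace("10.0.10.1\n", "10.0.10.1 eq 1701\n")
R2_PROTO_115 = CONFIGS["R2"].replace("permit ip host", "permit 115 host")

if __name__ == "__main__":
    for pair in (("R1", "R2"), ("R1", "R3")):
        print(pair, check_pseudowire(CONFIGS, *pair) or "protected both ways")
    print("UDP 1701 only:", check_pseudowire({**CONFIGS, "R2": R2_UDP_1701}, "R1", "R2"))
    print("protocol 115:", check_pseudowire({**CONFIGS, "R2": R2_PROTO_115}, "R1", "R2") or "protected both ways")
```

The check is deliberately one-sided per direction: a router only encrypts what its own crypto ACL permits, so a correct R1 does nothing for an R2 whose ACL misses the transport, and that asymmetric case is exactly what the UDP 1701 variant reports.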

Done!

6 comments:

Iordanidis said...

Hi Roggy
You are using F1/0 for applying the crypto map and also as local interface in the pseudowire class. I don't believe this can work 100% correctly in terms of what process would be applied first, since you cannot prioritize the order of operations. The target scenario would be L2TP interesting traffic to fire up the IPsec, then L2TPv3 traffic is encapsulated with IPsec {|ESP||L2TPv3||DATA|}. It's better to use a separate interface for L2TP, e.g. configure a loopback interface on R1, R2, R3 and use it as local interface in the pseudowire class. For classification don't use UDP port 1701 but protocol 115 (L2TP): access-list 100 permit 115 R1 Lo0 -> R2 Lo0, and apply the ACL in the crypto map for match. I'm running some tests with dynamips and it seems to be working fine with this approach (using also NAT as I'm interested in a real deployment scenario):

CE1<-->PE1<-->ASBR1<--->INTERNET<--->ASBR2<-->PE2<-->CE2

BR
Orestis46

Roggy said...

Ooo, interesting approach. I'll have a play and get back to you :)

Czarek said...

Hi Roggy,
Great tutorial.

But I am looking for info on whether it is possible to configure a LAN-to-LAN L2TP tunnel between a Cisco router and an ASA, or maybe between two ASAs?

Best regards,

Roggy said...

For router->ASA or ASA->ASA use IPsec tunnels.

William Duhe said...

What platform are you running? I cannot execute xconnect commands on a subinterface using a 2811 router. Also, after I have typed the xconnect command on the f0/1 interface, I cannot execute encapsulation dot1q XX commands either.

JuanCarlos said...

This tutorial has been very helpful to me, because a client asked me to migrate their links from L3 MPLS to encrypted L2 MPLS; as our infrastructure does not support pure L2 MPLS, we brought up encrypted L2TPv3. I used a loopback interface for the pseudowire, built a lab, and now I have to deploy it at the client. Thanks for this information.

Juan Carlos