Combining IPsec with L2TPv3 for Secure Pseudowire
As described in Chapter 18, “IEEE 802.1AE,” IEEE 802.1AE protects all Layer 2 traffic
with encryption and authentication. Not all current switches support IEEE 802.1AE;
therefore, in the short term, an alternative solution might be attractive. This solution relies
on IPsec for the security features. Although IPsec is well suited to protecting IP
traffic, it is sometimes necessary to also protect all Layer 2 communication between two
sites, for example to span a LAN over a secure tunnel. IPsec alone cannot meet this
requirement because it applies only to IP traffic.
This appendix describes how two Cisco IOS features (IPsec and Layer 2 Tunnel Protocol
version 3 [L2TPv3] used in xconnect mode) can be combined to produce a simple and
elegant solution.
NOTE This solution’s security properties include confidentiality and integrity of all Layer 2 traffic
transported over the public network, as well as traffic isolation. (It is impossible to inject LAN
traffic from the public network.) A denial of service (DoS) attack from the public network
can still be launched, and it disrupts LAN traffic by causing packet drops; however, it
won’t propagate within the LAN network.
Architecture
The architecture, as shown in Figure A-1, relies on L2TPv3, which includes the following:
• Encapsulation of any Ethernet frame in an IP packet (protocol 115)
• A control channel that negotiates all L2TPv3 parameters (which might include passwords,
cookies, and so on)
Figure A-1 Global Architecture for Combined L2TPv3 and IPsec
In Cisco IOS routers, L2TPv3 can be used in xconnect mode (cross connect) between one
interface of the local router and another one on a remote router. All Layer 2 frames are
simply forwarded from the local interface to the remote interface. This means that Cisco
IOS never processes those Layer 2 frames: neither bridging nor routing. At the Internet
Engineering Task Force (IETF), this is called a pseudowire.
NOTE Instead of using L2TPv3, other Layer 2 tunneling mechanisms can be used; for example,
in the early 1990s, data-link switching (DLSw) mainly bridged IBM frames over an IP
network. DLSw is not a mere transport of Layer 2 frames; it is real bridging in the
sense of IEEE 802.1D. (For example, frames are transported only when the destination is
unknown or multicast, or when the destination is known to be on the other side of the tunnel.)
Except for the actual DLSw configuration, the architecture is unchanged.
IPsec is used in transport mode because the traffic to be protected (the L2TPv3 packets) is
originated by the virtual private network (VPN) routers themselves. Transport mode is also slightly better
regarding packet size.
Because IPsec is already used to add authentication, integrity, and confidentiality, no
L2TPv3 security feature is used.
[Figure A-1 callouts: all frames are forwarded from the LAN interface through the L2TPv3 tunnel; IPsec protects all L2TPv3 packets; the same IP subnet (10.48.99.0/24) is on each side of the L2TPv3 tunnel; the tunnel endpoints are .3 and .36 on 192.168.0.0/24.]
Comparison with IEEE 802.1AE
Several differences exist between this combination of L2TPv3 and IPsec and IEEE
802.1AE:
• 802.1AE encrypts and decrypts hop by hop; L2TPv3 with IPsec encrypts end to end.
• 802.1AE allows network services colocated on a switch, such as firewalls and
intrusion detection systems (IDS), to work on decrypted packets, while IPsec
completely prevents the use of firewalls and IDS on the tunnel’s path.
• 802.1AE needs to be deployed on all switches on the path; L2TPv3 with IPsec
requires only L2TPv3 and IPsec on the two tunnel endpoints.
Aside from their differences, a user might find both solutions to be similar: Data within a
Layer 2 domain is encrypted when traversing a nontrusted domain.
Caveats
Look out for several caveats:
• Cisco IOS routers simply transport all received Ethernet frames from one side to the
other. There is no spanning tree and no intelligence in the system. This might lead to
the transport of frames that the remote site won’t use.
• IEEE 802.1D bridge protocol data units (BPDU), Cisco Discovery Protocol (CDP),
and other such control frames are forwarded.
• The topology is strictly point to point. An interface cannot be shared between two
xconnect pseudowires.
• This requires Cisco IOS 12.3(2)T at a minimum.
• This appendix describes a configuration where neither IPsec nor L2TPv3 is
hardware accelerated. This means that the overall useful bandwidth is probably in the
range of 100 Mbps (platform dependent). The solution can be extended to use
hardware-accelerated IPsec.
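The three points above that matter most to a defender are easiest to see on the wire: an L2TPv3 data packet is IP protocol 115 carrying a session ID, an optional cookie, the L2-specific sublayer (present because of sequencing both) and then the raw Ethernet frame; BPDUs and CDP frames ride through untouched; and transport mode saves the inner IP header that tunnel mode would add. The following Python script is an added example, not Cisco code or part of this appendix: it parses a constructed IPv4/L2TPv3/Ethernet packet, checks it against the SELECTOR endpoints, classifies the encapsulated frame by destination MAC, and computes the on-wire size after L2TPv3 and ESP-3DES encapsulation. It assumes no L2TPv3 cookie (the pseudowire-class on the page configures none) and sequencing enabled; the MAC addresses and sample payload are constructed.

```python
"""Audit L2TPv3-over-IP pseudowire packets (protocol 115) as seen before IPsec or after decryption.

Added example for this appendix, not Cisco code. Assumptions (all constructed):
  * L2TPv3 runs directly over IP (protocol 115), as in the appendix
  * no L2TPv3 cookie (the pseudowire-class on the page configures none)
  * the default L2-specific sublayer is present (sequencing both)
"""
import struct

IPPROTO_L2TPV3 = 115
SELECTOR = ("192.168.0.3", "192.168.0.36")          # endpoints from the SELECTOR ACL

# Link-local destination MACs that the pseudowire forwards unchanged (see Caveats)
STP_BPDU_MAC = bytes.fromhex("0180c2000000")
CDP_VTP_MAC = bytes.fromhex("01000ccccccc")
BROADCAST_MAC = b"\xff" * 6


def parse_ipv4(packet):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    return packet[9], src, dst, packet[ihl:total_len]


def parse_l2tpv3_data(payload, cookie_len=0, sequencing=True):
    """Strip the L2TPv3 data header; return (session_id, seq, ethernet_frame).

    Over IP, session ID 0 is reserved for control messages (RFC 3931), so it is
    rejected here. The L2-specific sublayer carries an S bit and a 24-bit sequence number.
    """
    session_id = struct.unpack("!I", payload[:4])[0]
    if session_id == 0:
        raise ValueError("session ID 0: control message, not pseudowire data")
    offset = 4 + cookie_len
    seq = None
    if sequencing:
        sublayer = struct.unpack("!I", payload[offset:offset + 4])[0]
        if sublayer & 0x40000000:                    # S bit set: sequence number valid
            seq = sublayer & 0x00FFFFFF
        offset += 4
    return session_id, seq, payload[offset:]


def classify_frame(frame):
    """Label the encapsulated Ethernet frame by destination MAC (EtherType for unicast)."""
    dst = frame[:6]
    if dst == STP_BPDU_MAC:
        return "stp-bpdu"
    if dst == CDP_VTP_MAC:
        return "cdp-or-vtp"
    if dst == BROADCAST_MAC:
        return "broadcast"
    if dst[0] & 0x01:
        return "multicast"
    return "unicast/0x%04x" % struct.unpack("!H", frame[12:14])[0]


def audit(packet, cookie_len=0):
    """Check one packet against the appendix's selector and classify the inner frame."""
    proto, src, dst, payload = parse_ipv4(packet)
    if proto != IPPROTO_L2TPV3:
        return {"matches_selector": False, "reason": "not IP protocol 115"}
    session_id, seq, frame = parse_l2tpv3_data(payload, cookie_len)
    return {"matches_selector": {src, dst} == set(SELECTOR), "session_id": session_id,
            "seq": seq, "frame_class": classify_frame(frame), "frame_len": len(frame)}


def on_wire_size(frame_len, cookie_len=0, sequencing=True, transport_mode=True, icv_len=0):
    """Bytes on the wire for one frame after L2TPv3 and ESP-3DES encapsulation.

    ESP adds an 8-byte header, an 8-byte 3DES IV, padding so that the payload plus the
    2-byte pad-length/next-header trailer fills 8-byte blocks, and an ICV only when an
    integrity transform (e.g. esp-sha-hmac, 12 bytes) is configured. Tunnel mode also
    carries an inner 20-byte IP header, which transport mode avoids.
    """
    l2tp_hdr = 4 + cookie_len + (4 if sequencing else 0)
    plaintext = frame_len + l2tp_hdr + (0 if transport_mode else 20)
    pad = (-(plaintext + 2)) % 8
    return 20 + 8 + 8 + plaintext + pad + 2 + icv_len


def build_sample(src, dst, session_id, seq, eth_dst, ethertype=0x0800):
    """Construct a test packet (not captured traffic): IPv4 / L2TPv3 / Ethernet."""
    frame = eth_dst + bytes.fromhex("0011223344aa") + struct.pack("!H", ethertype) + bytes(46)
    l2tp = struct.pack("!II", session_id, 0x40000000 | (seq & 0xFFFFFF)) + frame
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l2tp), 0, 0, 64, IPPROTO_L2TPV3, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip_hdr + l2tp


if __name__ == "__main__":
    bpdu = build_sample("192.168.0.3", "192.168.0.36", 18183, 5, STP_BPDU_MAC, 0x0026)
    print(audit(bpdu))
    print("max frame on wire, transport vs tunnel mode:",
          on_wire_size(1514), on_wire_size(1514, transport_mode=False))
```

The size calculation defaults to icv_len=0 because the transform set on this page (esp-3des) contains no integrity transform, so ESP carries no per-packet ICV; pass icv_len=12 to model esp-sha-hmac, which is what supplies the per-packet integrity the text counts on. For a maximum-size 1514-byte frame, transport mode yields 1564 bytes on the wire and tunnel mode 1580, which is the "slightly better" packet size mentioned earlier and the figure to use when sizing the MTU of the path between the two tunnel endpoints.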
Configuration
The configuration of Figure A-1’s left-side router is described in separate components:
pseudowires, xconnect, IPsec, and Internet Key Exchange (IKE).
Pseudowires
A class called XCONNECT is defined for the common properties shared by all xconnects of the
local router. It basically specifies the following:
• Use of L2TPv3
• Sequencing (and reordering) of all sent/received Ethernet frames, which is required
for some protocols that expect Ethernet frames to be received in the
order they are sent
• IP address to be used as the source when sending L2TPv3 packets, which is the address
that IPsec later protects
The pseudowire is then configured as
IOS(config)# pseudowire-class XCONNECT
IOS(config-pw)# encapsulation l2tpv3
IOS(config-pw)# sequencing both
IOS(config-pw)# ip local interface FastEthernet0/0
Xconnect
The configuration of the xconnect is easy:
• No IP address for the interface because the router receives no frames from this
interface; all frames are simply transmitted to the other side.
• The same reasoning applies to CDP. (Actually, the remote devices connected on each
end of the xconnect—typically switches—will be CDP neighbors.)
• Specify the xconnect peer 192.168.0.36. (IPsec later protects this address.)
• Specify the pseudowire class and the encapsulation to be used.
The xconnect is then configured as
IOS(config)# interface FastEthernet0/1
IOS(config-if)# no ip address
IOS(config-if)# no cdp enable
IOS(config-if)# xconnect 192.168.0.36 1234 encapsulation l2tpv3 pw-class XCONNECT
IPsec Crypto Maps
As usual, IPsec crypto maps
• Define the traffic to be protected with an IPsec selector. (In Cisco IOS, an extended
access control list (ACL) selects the L2TPv3 traffic, which runs as IP protocol 115.)
• Define the IPsec transform (the cryptographic algorithms).
• Define the remote IPsec peer.
• Apply all the above on the egress interface.
The configuration is then
IOS(config)# crypto ipsec transform-set 3DES esp-3des
IOS(cfg-crypto-tran)# mode transport
IOS(config)# crypto map VPN 10 ipsec-isakmp
IOS(config-crypto-m)# set peer 192.168.0.36
IOS(config-crypto-m)# set transform-set 3DES
IOS(config-crypto-m)# match address SELECTOR
IOS(config)# interface FastEthernet0/0
IOS(config-if)# ip address 192.168.0.3 255.255.255.0
IOS(config-if)# crypto map VPN
IOS(config)# ip access-list extended SELECTOR
IOS(config-ext-nacl)# permit 115 host 192.168.0.3 host 192.168.0.36
IKE Authentication
You can use any IKE authentication method. For simplicity, the least secure one, an IKE preshared key, has
been chosen here for all nodes:
IOS(config)# crypto isakmp policy 1
IOS(config-isakmp)# encr 3des
IOS(config-isakmp)# authentication pre-share
IOS(config-isakmp)# group 2
IOS(config)# crypto isakmp key BIG_SECRET address 0.0.0.0 0.0.0.0
Debugging Information
In most enterprise networks, L2TPv3 and xconnect are unusual. That being said, here is
some debugging information for a working configuration. The information is limited to
L2TP because debugging information for IPsec and IKE is already widely available.
L2TP Tunnels
Example A-1 displays some debugging information for L2TP tunnels. The first
command, show l2tun session circuit, displays all active sessions with the peer. The second
command, show l2tun session packets, prints counters for the packets sent and
received inside these L2TP tunnels.
Example A-1 Debugging Information for L2TPv3 and IPsec Combination
IOS# show l2tun session circuit
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
LocID TunID Peer-address Type Stat Username, Intf/
Vcid, Circuit
18183 63609 192.168.0.36 ETH UP 1234, Fa0/1
%No active PPTP tunnels
IOS# show l2tun session packets
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Pkts-In Pkts-Out Bytes-In Bytes-Out
18183 59570 63609 8128 170381 981126 20957232
%No active PPTP tunnels
Full Configuration
Example A-2 shows the complete configuration for Figure A-1’s left router. The right
router’s configuration is exactly symmetrical, as with any L2TPv3 tunnel. The roles of
both routers are equivalent.
Example A-2 Full Configuration for L2TPv3 and IPsec Combination
version 12.3
no service pad
no service password-encryption
!
hostname 7204
!
boot-start-marker
boot system disk0:c7200-ik9s-mz.123-8.T.bin
boot-end-marker
!
!
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
no aaa new-model
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
pseudowire-class XCONNECT
 encapsulation l2tpv3
 sequencing both
 ip local interface FastEthernet0/0
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SECRET address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES esp-3des
 mode transport
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.0.36
 set transform-set 3DES
 match address SELECTOR
!
interface FastEthernet0/0
 ip address 192.168.0.3 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map VPN
!
interface FastEthernet0/1
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 xconnect 192.168.0.36 1234 encapsulation l2tpv3 pw-class XCONNECT
!
ip classless
no ip http server
no ip http secure-server
!
ip access-list extended SELECTOR
 permit 115 host 192.168.0.3 host 192.168.0.36
!
control-plane
!
!
line con 0
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 login
 transport preferred all
 transport input all
 transport output all
!
end
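Once the pseudowire is deployed, the two show commands of Example A-1 are the natural source for a periodic health check: the session to the expected peer must exist, be of type ETH, be UP on the right interface, and the packet counters must move in both directions. The following Python script is an added example, not Cisco code or part of this appendix: it parses the two outputs exactly as printed in Example A-1 (embedded here as sample input) and reports findings against the peer, VC ID and interface taken from the xconnect command. It assumes the column layout shown in Example A-1; a collector that runs the commands over SSH would feed the live text into check_pseudowire instead of the embedded strings.

```python
"""Health check over 'show l2tun session circuit' and 'show l2tun session packets' output.

Added example for this appendix, not Cisco code. The sample outputs below are the ones
printed in Example A-1; the expected peer, VC ID and interface come from the xconnect command.
"""
import re

SESSION_CIRCUIT = """\
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
LocID TunID Peer-address Type Stat Username, Intf/
Vcid, Circuit
18183 63609 192.168.0.36 ETH UP 1234, Fa0/1
%No active PPTP tunnels
"""

SESSION_PACKETS = """\
%No active L2F tunnels
L2TP Session Information Total tunnels 1 sessions 1
LocID RemID TunID Pkts-In Pkts-Out Bytes-In Bytes-Out
18183 59570 63609 8128 170381 981126 20957232
%No active PPTP tunnels
"""

# One session row: LocID TunID Peer-address Type Stat Vcid, Circuit
CIRCUIT_ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+),\s*(\S+)")


def parse_circuit(text):
    """Return one dict per session row of 'show l2tun session circuit'."""
    rows = []
    for line in text.splitlines():
        m = CIRCUIT_ROW.match(line)
        if m:
            rows.append({"loc_id": int(m.group(1)), "tun_id": int(m.group(2)),
                         "peer": m.group(3), "type": m.group(4), "state": m.group(5),
                         "vcid": int(m.group(6)), "intf": m.group(7)})
    return rows


def parse_packets(text):
    """Map LocID -> counters from 'show l2tun session packets' (rows are seven integers)."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7 and all(p.isdigit() for p in parts):
            loc, rem, tun, pin, pout, bin_, bout = map(int, parts)
            counters[loc] = {"rem_id": rem, "tun_id": tun, "pkts_in": pin,
                             "pkts_out": pout, "bytes_in": bin_, "bytes_out": bout}
    return counters


def check_pseudowire(circuit_text, packets_text, peer, vcid, intf):
    """Return a list of findings; an empty list means the expected pseudowire is UP and carrying traffic."""
    findings = []
    matches = [s for s in parse_circuit(circuit_text) if s["peer"] == peer and s["vcid"] == vcid]
    if not matches:
        return ["no L2TPv3 session to %s with VC ID %d" % (peer, vcid)]
    session = matches[0]
    if session["state"] != "UP":
        findings.append("session %d is %s" % (session["loc_id"], session["state"]))
    if session["intf"] != intf:
        findings.append("session bound to %s, expected %s" % (session["intf"], intf))
    if session["type"] != "ETH":
        findings.append("unexpected session type %s" % session["type"])
    counters = parse_packets(packets_text).get(session["loc_id"])
    if counters is None:
        findings.append("no packet counters for session %d" % session["loc_id"])
    elif counters["pkts_in"] == 0 or counters["pkts_out"] == 0:
        findings.append("pseudowire is up but one direction has carried no packets")
    return findings


if __name__ == "__main__":
    # Expected values are those of the left router's xconnect command in Example A-2
    print(check_pseudowire(SESSION_CIRCUIT, SESSION_PACKETS, "192.168.0.36", 1234, "Fa0/1") or "OK")
```

Comparing two consecutive runs of parse_packets is the simplest way to detect a pseudowire that is UP yet silently dropping traffic, which is exactly the symptom of the DoS scenario mentioned in the note at the start of this appendix: the session stays up, but the counters stop advancing.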