Configuring Layer 2 Tunneling Protocol with IPsec
Another protocol for tunneling Layer 2 traffic over a public network is Layer 2 Tunneling Protocol (L2TP). L2TP is a hybrid of Cisco's Layer 2 Forwarding Protocol (L2F) and PPTP. In this section, you will learn how to configure L2TP with IPsec. L2TP/IPsec works as follows: the parties first establish an IPsec security association in transport mode, using IKE or manual keying, and then the traffic between the networks is encapsulated in PPP packets and transmitted between UDP port 1701 on the client and UDP port 1701 on the server through that IPsec connection (see Figure 7.16). Thus, configuration consists of two parts: IPsec configuration and VPDN configuration (the latter is very similar to PPTP).
www.syngress.com
Figure 7.15 Encryption and Authentication
384 Chapter 7 • Configuring Virtual Private Networking
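The encapsulation just described (IP, ESP, UDP 1701, L2TP, PPP) is what an analyst sees once the ESP layer has been stripped. The following parser is an added example and is not code from the chapter or from Cisco: it decodes the L2TP data-message header (RFC 2661, including the optional Length, Ns/Nr and Offset fields) and the PPP frame it carries. The sample packet, tunnel ID 7, session ID 42 and the dummy IPv4 payload are constructed for the example.

```python
"""Parse the L2TP and PPP headers found inside an L2TP/IPsec UDP payload.

Added example, not from the page or any Cisco code. After ESP is removed, the
UDP payload is an L2TP message (RFC 2661) carrying a PPP frame; this decodes both.
The sample packet at the bottom is constructed by hand.
"""
import struct
from dataclasses import dataclass
from typing import Optional

L2TP_PORT = 1701


@dataclass
class L2tpHeader:
    is_control: bool
    version: int
    length: Optional[int]
    tunnel_id: int
    session_id: int
    ns: Optional[int]
    nr: Optional[int]
    header_len: int          # bytes consumed, including any offset padding


@dataclass
class PppFrame:
    protocol: int            # 0x0021 = IPv4, 0xC021 = LCP, 0xC223 = CHAP
    payload: bytes


def parse_l2tp(data: bytes) -> L2tpHeader:
    """Decode the L2TP header flags and the optional fields they announce."""
    if len(data) < 6:
        raise ValueError("truncated L2TP header")
    flags = struct.unpack("!H", data[:2])[0]
    is_control = bool(flags & 0x8000)   # T bit: 1 = control message, 0 = data message
    has_length = bool(flags & 0x4000)   # L bit: Length field present
    has_seq = bool(flags & 0x0800)      # S bit: Ns/Nr present
    has_offset = bool(flags & 0x0200)   # O bit: Offset Size present
    version = flags & 0x000F
    if version != 2:
        raise ValueError(f"unsupported L2TP version {version}")
    if is_control and not (has_length and has_seq):
        raise ValueError("control messages must carry Length and Ns/Nr")
    pos = 2
    length = None
    if has_length:
        length = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        if length > len(data):
            raise ValueError("L2TP length exceeds packet")
    tunnel_id, session_id = struct.unpack("!HH", data[pos:pos + 4])
    pos += 4
    ns = nr = None
    if has_seq:
        ns, nr = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
    if has_offset:
        offset = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2 + offset                # skip Offset Size field and the padding it announces
    if pos > len(data):
        raise ValueError("L2TP offset runs past end of packet")
    return L2tpHeader(is_control, version, length, tunnel_id, session_id, ns, nr, pos)


def parse_ppp(data: bytes) -> PppFrame:
    """Decode a PPP frame as carried inside L2TP (address/control may be compressed)."""
    if data[:2] == b"\xff\x03":          # HDLC-like Address (0xFF) and Control (0x03)
        data = data[2:]
    if not data:
        raise ValueError("empty PPP frame")
    if data[0] & 1:                      # protocol field compression: one-byte protocol
        protocol, payload = data[0], data[1:]
    else:
        protocol, payload = struct.unpack("!H", data[:2])[0], data[2:]
    return PppFrame(protocol, payload)


def decode_udp_payload(udp_payload: bytes):
    """Walk UDP payload -> L2TP header -> PPP frame, as in Figure 7.16."""
    hdr = parse_l2tp(udp_payload)
    end = hdr.length if hdr.length is not None else len(udp_payload)
    if hdr.is_control:
        return hdr, None                 # control messages carry AVPs, not PPP
    return hdr, parse_ppp(udp_payload[hdr.header_len:end])


def build_l2tp_data(tunnel_id: int, session_id: int, ppp: bytes, with_length=True) -> bytes:
    """Construct a minimal L2TP data message (used only to make the sample packet)."""
    flags = 0x0002 | (0x4000 if with_length else 0)
    body = struct.pack("!HH", tunnel_id, session_id) + ppp
    if with_length:
        return struct.pack("!HH", flags, 2 + 2 + len(body)) + body
    return struct.pack("!H", flags) + body


# Constructed sample: PPP frame carrying an IPv4 packet (protocol 0x0021) with a dummy payload.
SAMPLE_PPP = b"\xff\x03\x00\x21" + b"\x45\x00" + b"\x00" * 18
SAMPLE_PACKET = build_l2tp_data(tunnel_id=7, session_id=42, ppp=SAMPLE_PPP)

if __name__ == "__main__":
    hdr, ppp = decode_udp_payload(SAMPLE_PACKET)
    print(hdr)
    print(f"PPP protocol 0x{ppp.protocol:04x}, {len(ppp.payload)} payload bytes")
```

The length checks matter in practice: a Length field or Offset Size larger than the datagram is the classic way a malformed L2TP packet reaches past its buffer, so the parser rejects both before indexing.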
Overview
As shown in Figure 7.16, L2TP support in the PIX is a bit more complicated in its structure, but it is made secure because it allows full IPsec transport-mode authentication and encryption of the transmitted packets. Since PIX software version 6.0, this implementation can work with the Windows 2000 client.
Many features of the PIX L2TP server are similar to the PPTP server implementation. L2TP can be configured on only one interface, and it uses PPP authentication methods for client authentication. The PIX cannot serve as an L2TP client.
Dynamic Crypto Maps
One new feature that is used in the L2TP configuration is a dynamic crypto map. A dynamic crypto map is a crypto map without all parameters configured. It is added as an entry in the interface's crypto map and is used by the PIX to establish IPsec connections with peers whose IP addresses are not known in advance. A common example is the case of mobile users; they do not have a fixed IP address but usually get a new address each time they dial into their ISP. When the PIX uses dynamic crypto maps, mobile users have to authenticate to the firewall first by something other than their address (a hostname, for example) during the IKE exchange, and then their traffic is processed under the rules defined by the dynamic crypto map entry.
Figure 7.16 Layer 2 Tunneling Protocol Packet Structure
[Figure: a VPN client reaches an ISP access server (NAS) over a modem and phone line, and crosses the Internet to the gateway (labeled "PPTP server" in the figure) in front of the destination server; the figure also labels the L2TP tunnel and the IPsec connection. IP packet structure with L2TP encapsulated payload: IP header | IPsec ESP header | UDP header | L2TP header | PPP header | PPP payload | IPsec ESP trailer | ESP auth trailer.]
In order to configure a dynamic crypto map entry, you need to specify only a transform set. All other parameters can be taken from the other peer's (a mobile client's, for example) proposals. Dynamic maps can be used only for incoming connections and must have the lowest priority, that is, the highest sequence number in the crypto map. When the PIX decides to use a specific dynamic map (meaning that it has performed a successful IKE exchange with the peer), it creates a temporary crypto map entry and installs it into its SPD. The entry is filled in with the results of the IKE negotiation. Once established, this temporary entry is used like a normal one. When all IPsec SAs associated with this entry expire, the temporary entry is deleted.
Configuration commands for dynamic crypto maps are similar to those for static crypto map entries. The configuration commands are as follows:
crypto dynamic-map dynamic-map-name dynamic-seq-num match address acl_name
crypto dynamic-map dynamic-map-name dynamic-seq-num set peer {hostname | ip-address}
crypto dynamic-map dynamic-map-name dynamic-seq-num set pfs [group1 | group2]
crypto dynamic-map dynamic-map-name dynamic-seq-num set security-association lifetime {seconds seconds | kilobytes kilobytes}
crypto dynamic-map dynamic-map-name dynamic-seq-num set transform-set transform-set-name1 [transform-set-name2 [transform-set-name3 [transform-set-name4 [transform-set-name5 [transform-set-name6 [transform-set-name7 [transform-set-name8 [transform-set-name9]]]]]]]]
Only the last command, the transform set specification, needs to be present in the configuration of a dynamic crypto map entry. It is also recommended that an access list be specified with the match address command to increase security, so that the PIX accepts only the proxy identities you intend to tunnel from an otherwise unknown peer. For example, broadcast and multicast traffic rarely needs to be tunneled.
A configured dynamic crypto map is then assigned as an entry in a regular crypto map. For example:
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 ah-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset2
crypto dynamic-map dynmap 10 match address 101
crypto dynamic-map dynmap 20 set transform-set myset1
crypto dynamic-map dynmap 20 match address 102
crypto map gorilla 10 ipsec-isakmp
crypto map gorilla 10 set peer 23.34.45.56
crypto map gorilla 10 set transform-set myset1 myset2
crypto map gorilla 10 match address 103
crypto map gorilla 20 ipsec-isakmp dynamic dynmap
access-list 103 permit ip 192.168.3.0 255.255.255.0 any
access-list 101 permit ip host 192.168.2.33 any
access-list 102 permit ip host 192.168.2.34 any
Here, a regular map, gorilla, has a dynamic map entry called dynmap with priority 20. The dynamic map itself has two entries with priorities 10 and 20. This means that the PIX will first evaluate the static entry with priority 10 (the one with peer 23.34.45.56), and if this entry does not apply, it will try both entries from the dynamic map, the one with priority 10 first, then the entry with priority 20. After an IPsec SA is established, only the traffic specified by the corresponding access list will be tunneled.
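The evaluation order above, and the temporary entry the PIX installs and later deletes, can be modeled in a few dozen lines. The following is an added example, not PIX code and not from the chapter: a simplified model that walks the static entries by sequence number, then the dynamic map's entries, checks the peer, the match address access list and the transform sets, and then installs a temporary entry that disappears when its last SA expires. The map is the gorilla/dynmap example above; the mobile client address 198.51.100.7 and the SPI values are constructed.

```python
"""Model of how a PIX picks a crypto map entry for an inbound IKE negotiation.

Added example: a simplified, stand-alone model of the evaluation order described
in the text, not PIX code. Peer addresses other than 23.34.45.56 are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Rule = Tuple[Net, Net]


def rule(src: str, dst: str) -> Rule:
    """One 'permit ip <src> <dst>' line in PIX notation: 'host a.b.c.d', 'a.b.c.d mask' or 'any'."""
    def net(spec: str) -> Net:
        if spec == "any":
            return Net("0.0.0.0/0")
        if spec.startswith("host "):
            return Net(spec[5:] + "/32")
        addr, mask = spec.split()
        return Net(f"{addr}/{mask}")
    return net(src), net(dst)


def permits(acl: List[Rule], local: str, remote: str) -> bool:
    """Does the access list cover traffic from our side (local) to the peer's side (remote)?"""
    l, r = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    return any(l in s and r in d for s, d in acl)


@dataclass
class Entry:
    name: str
    seq: int
    transform_sets: List[str]
    match: List[Rule]                # empty list = no 'match address' configured
    peer: Optional[str] = None       # None marks a dynamic entry: peer not known in advance


@dataclass
class TempEntry:
    """The temporary entry the PIX installs in its SPD after a successful negotiation."""
    source: str
    peer: str
    transform_set: str
    match: List[Rule]
    sas: List[str] = field(default_factory=list)   # SPIs of the IPsec SAs using this entry


def ordered(static: List[Entry], dynamic: List[Entry]) -> List[Entry]:
    # Static entries first by sequence number; the dynamic map sits at the map's highest
    # sequence number, so its own entries are walked afterwards, again by sequence.
    return sorted(static, key=lambda e: e.seq) + sorted(dynamic, key=lambda e: e.seq)


def select_entry(static, dynamic, peer_ip, proposed, local, remote):
    """Return (entry, transform set) the PIX would use, or None if no entry applies."""
    for e in ordered(static, dynamic):
        if e.peer is not None and e.peer != peer_ip:
            continue                                   # static entry bound to another peer
        if e.match and not permits(e.match, local, remote):
            continue                                   # proxy identities outside the access list
        common = [ts for ts in e.transform_sets if ts in proposed]
        if common:
            return e, common[0]                        # first transform set both sides accept
    return None


def install(spd: List[TempEntry], entry: Entry, peer_ip: str, ts: str, spi: str) -> TempEntry:
    """Fill a temporary entry with the negotiation results and add it to the SPD."""
    temp = TempEntry(entry.name, peer_ip, ts, entry.match, [spi])
    spd.append(temp)
    return temp


def tunneled(temp: TempEntry, local: str, remote: str) -> bool:
    """Only traffic covered by the entry's access list is sent through the SA."""
    return not temp.match or permits(temp.match, local, remote)


def expire_sa(spd: List[TempEntry], temp: TempEntry, spi: str) -> None:
    """When the last SA of a temporary entry expires, the entry itself is deleted."""
    temp.sas.remove(spi)
    if not temp.sas:
        spd.remove(temp)


# The map from the text: gorilla 10 (static, peer 23.34.45.56) plus dynmap 10 and dynmap 20.
STATIC = [Entry("gorilla 10", 10, ["myset1", "myset2"],
                [rule("192.168.3.0 255.255.255.0", "any")], peer="23.34.45.56")]
DYNAMIC = [Entry("dynmap 10", 10, ["myset2"], [rule("host 192.168.2.33", "any")]),
           Entry("dynmap 20", 20, ["myset1"], [rule("host 192.168.2.34", "any")])]

if __name__ == "__main__":
    spd: List[TempEntry] = []
    # Constructed mobile client at 198.51.100.7 proposing myset1 for host 192.168.2.34.
    e, ts = select_entry(STATIC, DYNAMIC, "198.51.100.7", ["myset1"], "192.168.2.34", "198.51.100.7")
    temp = install(spd, e, "198.51.100.7", ts, "0x1001")
    print(e.name, ts, tunneled(temp, "192.168.2.34", "198.51.100.7"),
          tunneled(temp, "192.168.2.33", "198.51.100.7"))
    expire_sa(spd, temp, "0x1001")
    print("entries left in SPD:", len(spd))
```

Two cases are worth tracing by hand: a client that proposes only myset1 for host 192.168.2.33 matches nothing (dynmap 10 wants myset2, dynmap 20 covers only .34), and the static peer 23.34.45.56 proposing traffic outside access list 103 falls through to the dynamic entries exactly as the text describes.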
Configuration
Configuring L2TP on the PIX for a Windows 2000 client consists of three high-level steps:
1. Configure IKE.
2. Configure IPsec in transport mode.
3. Configure VPDN dial-in settings for L2TP.
IKE is configured as before. Since the built-in Windows 2000 VPN client does not support pre-shared keys, it has to be configured for CA support. Once the normal configuration procedure for configuring IPsec with CA support has been completed, we can configure PIX1 to allow L2TP VPN access from mobile Windows 2000 users. In our example, they will be given access to an internal host 192.168.2.33. IKE authentication will be done using VeriSign certificates, and user authentication will be handled by a RADIUS server on the internal network. First, we need to allow IPsec and L2TP traffic to be exempted from conduits. This is done using the following commands:
PIX1(config)# sysopt connection permit-ipsec
PIX1(config)# sysopt connection permit-l2tp
Keep in mind that these two commands let L2TP traffic and packets that arrive through an IPsec SA bypass the conduits and access lists on the outside interface, so what a successfully authenticated remote user can reach is then decided by the VPDN settings and by whatever filtering exists on the inside, not by the outside interface's rules.
CA support is configured the same as before:
PIX1(config)# hostname PIX1
PIX1(config)# domain-name securecorp.com
PIX1(config)# ca generate rsa key 1024
PIX1(config)# ca identity verisign 205.139.94.230
PIX1(config)# ca configure verisign ca 1 20 crloptional
PIX1(config)# ca authenticate verisign
PIX1(config)# ca enroll verisign midnightinmoscow
PIX1(config)# ca save all
PIX1(config)# write memory
IKE is configured the same as before:
PIX1(config)# isakmp policy 10 authentication rsa-sig
PIX1(config)# isakmp policy 10 encryption 3des
PIX1(config)# isakmp policy 10 hash md5
PIX1(config)# isakmp policy 10 group 2
PIX1(config)# isakmp policy 10 lifetime 2400
PIX1(config)# isakmp identity hostname
PIX1(config)# isakmp enable outside
The isakmp identity hostname setting is what lets a mobile client with an unknown address identify itself during IKE. The 3DES and MD5 choices here (and the DES in the transform set later) reflect what the Windows 2000 client offered; they are weak by current standards, so pick the strongest algorithms both ends support.
NOTE
It is important that the IKE and IPsec SA lifetimes on the PIX match the corresponding settings on the Windows computer. The defaults should work; the IKE SA lifetime is 3600 seconds and the IPsec SA lifetime is 86400 seconds on Windows, but if debug crypto isakmp or debug crypto ipsec indicates that negotiation failed while the transform sets are correct, always check the lifetime settings on both the PIX and the Windows client. The Windows settings can be found under the IP Security Policies snap-in of the Microsoft Management Console. See Microsoft Knowledge Base article Q259335 for details. Note that the example IKE policy above sets a 2400-second lifetime rather than 3600; if the Windows client rejects the negotiation, that value is the first thing to compare.
We continue the IPsec configuration by defining the crypto access list and configuring the NAT bypass:
PIX1(config)# access-list 99 permit ip 192.168.2.0 255.255.255.0 any
IPsec traffic has to be exempted from NAT, as before:
PIX1(config)# nat (inside) 0 access-list 99
The next step is to configure the transform set. The only difference from generic IPsec here is that we need to specify that the IPsec mode is transport:
PIX1(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
PIX1(config)# crypto ipsec transform-set myset mode transport
We create a simple dynamic crypto map to process mobile clients with unspecified IP addresses:
PIX1(config)# crypto dynamic-map mobileclients 10 set transform-set myset
PIX1(config)# crypto dynamic-map mobileclients 10 match address 99
We configure and apply the regular crypto map, which includes this dynamic map as an entry:
PIX1(config)# crypto map ally 20 ipsec-isakmp dynamic mobileclients
PIX1(config)# crypto map ally interface outside
IKE and IPsec configuration is now complete. Next we need to configure the VPDN settings. Almost all the commands are identical to PPTP:
vpdn group group_name accept dialin l2tp
vpdn group group_name l2tp tunnel hello seconds
vpdn group group_name ppp authentication {pap | chap | mschap}
vpdn group group_name client authentication aaa aaa_server_group
vpdn group group_name client authentication local
vpdn group group_name client configuration address local address_pool_name
vpdn group group_name client configuration dns dns_ip1 [dns_ip2]
vpdn group group_name client configuration wins wins_ip1 [wins_ip2]
vpdn group group_name client accounting aaa_server_group
The first command turns on processing of L2TP requests. The second can be used to configure the L2TP keep-alive (hello) interval, which is 60 seconds by default and can vary from 10 to 300 seconds. The other commands are the same as for PPTP. We will use the last example from the PPTP section (with an external AAA server) and change the configuration to L2TP. The resulting VPDN configuration is as follows:
PIX1(config)# ip local pool mypool 192.168.5.1-192.168.5.10
PIX1(config)# aaa-server myserver (inside) host 192.168.2.99 mysecretkey
PIX1(config)# aaa-server myserver protocol radius
PIX1(config)# vpdn group 1 accept dialin l2tp
PIX1(config)# vpdn group 1 ppp authentication mschap
PIX1(config)# vpdn group 1 client authentication aaa myserver
PIX1(config)# vpdn group 1 client configuration address local mypool
PIX1(config)# vpdn group 1 client configuration dns 192.168.2.33
PIX1(config)# vpdn group 1 client configuration wins 192.168.2.34
PIX1(config)# vpdn enable outside
Once a client has connected, show vpdn and show crypto ipsec sa confirm that an L2TP session and its transport-mode IPsec SA exist.
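The three steps above depend on several pieces agreeing with one another: the transform set used by the dynamic map must be in transport mode, the dynamic map must hang off a crypto map that is bound to the interface on which both isakmp and vpdn are enabled, and the VPDN group must point at a defined address pool and RADIUS group. The following checker is an added example, not a Cisco tool and not from the chapter: it reads a PIX configuration as text and reports which of those relationships are broken. The embedded configuration is constructed from the commands in this section.

```python
"""Consistency checks for a PIX L2TP/IPsec configuration.

Added example, not part of the original page or any Cisco tooling: it reads the
configuration as text and verifies that the pieces the L2TP procedure depends on
fit together. SAMPLE_CONFIG is constructed from the commands in this section.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
sysopt connection permit-ipsec
sysopt connection permit-l2tp
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 2400
isakmp identity hostname
isakmp enable outside
access-list 99 permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list 99
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset mode transport
crypto dynamic-map mobileclients 10 set transform-set myset
crypto dynamic-map mobileclients 10 match address 99
crypto map ally 20 ipsec-isakmp dynamic mobileclients
crypto map ally interface outside
ip local pool mypool 192.168.5.1-192.168.5.10
aaa-server myserver (inside) host 192.168.2.99 mysecretkey
aaa-server myserver protocol radius
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication mschap
vpdn group 1 client authentication aaa myserver
vpdn group 1 client configuration address local mypool
vpdn enable outside
"""


def check_l2tp_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings: List[str] = []

    def have(pattern: str) -> list:
        return [m for m in (re.match(pattern, l) for l in lines) if m]

    # 1. L2TP and IPsec traffic must be exempted from conduits/access lists.
    for opt in ("permit-ipsec", "permit-l2tp"):
        if not have(rf"sysopt connection {opt}$"):
            findings.append(f"missing 'sysopt connection {opt}'")

    # 2. Every transform set used by a dynamic map must be in transport mode for L2TP.
    transport = {m.group(1) for m in have(r"crypto ipsec transform-set (\S+) mode transport$")}
    dyn_ts: Dict[str, List[str]] = {}
    for m in have(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$"):
        dyn_ts.setdefault(m.group(1), []).extend(m.group(2).split())
    if not dyn_ts:
        findings.append("no dynamic crypto map defines a transform set")
    for dmap, sets in dyn_ts.items():
        for ts in sets:
            if ts not in transport:
                findings.append(f"transform set {ts} in dynamic map {dmap} is not 'mode transport'")

    # 3. Each dynamic map must be attached to a crypto map that is bound to an interface.
    attached = {m.group(2): m.group(1) for m in have(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")}
    bound = {m.group(1): m.group(2) for m in have(r"crypto map (\S+) interface (\S+)$")}
    crypto_ifaces = set()
    for dmap in dyn_ts:
        cmap = attached.get(dmap)
        if cmap is None:
            findings.append(f"dynamic map {dmap} is not referenced by any crypto map")
        elif cmap not in bound:
            findings.append(f"crypto map {cmap} is not applied to an interface")
        else:
            crypto_ifaces.add(bound[cmap])

    # 4. IKE and L2TP must both be enabled on the interface carrying the crypto map.
    isakmp_ifaces = {m.group(1) for m in have(r"isakmp enable (\S+)$")}
    vpdn_ifaces = {m.group(1) for m in have(r"vpdn enable (\S+)$")}
    for iface in sorted(crypto_ifaces):
        if iface not in isakmp_ifaces:
            findings.append(f"isakmp is not enabled on {iface}")
        if iface not in vpdn_ifaces:
            findings.append(f"vpdn is not enabled on {iface}")

    # 5. A VPDN group must accept L2TP dial-in and hand out addresses from a defined pool.
    if not have(r"vpdn group \S+ accept dialin l2tp$"):
        findings.append("no vpdn group accepts L2TP dial-in")
    pools = {m.group(1) for m in have(r"ip local pool (\S+) ")}
    for m in have(r"vpdn group \S+ client configuration address local (\S+)$"):
        if m.group(1) not in pools:
            findings.append(f"address pool {m.group(1)} is not defined")

    # 6. A RADIUS group named for client authentication must exist with that protocol.
    radius = {m.group(1) for m in have(r"aaa-server (\S+) protocol radius$")}
    for m in have(r"vpdn group \S+ client authentication aaa (\S+)$"):
        if m.group(1) not in radius:
            findings.append(f"aaa-server group {m.group(1)} is not defined as RADIUS")
    return findings


if __name__ == "__main__":
    for finding in check_l2tp_config(SAMPLE_CONFIG) or ["all checks passed"]:
        print(finding)
```

Run it against the output of show running-config (or write terminal) before the first client test; a missing mode transport line or a crypto map applied to the wrong interface are the two mistakes that otherwise surface only as a silent IKE or L2TP failure on the Windows side.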