Configuring Layer 2 Tunneling Protocol with IPsec



Another protocol for tunneling all Layer 2 traffic over a public network is Layer 2 Tunneling Protocol (L2TP). L2TP is a hybrid of Cisco's Layer 2 Forwarding Protocol (L2F) and PPTP. In this section, you will learn how to configure L2TP with IPsec. L2TP/IPsec works as follows: the parties first establish an IPsec tunnel in transport mode using IKE or manual configuration, and then the traffic between the networks is encapsulated in PPP packets and transmitted between UDP ports 1701 on both the client and the server through the IPsec tunnel (see Figure 7.16). Thus, configuration consists of two parts: IPsec configuration and VPDN configuration (the latter is very similar to PPTP).

Figure 7.15 Encryption and Authentication

www.syngress.com

384 Chapter 7 • Configuring Virtual Private Networking

Overview

As shown in Figure 7.16, L2TP support in the PIX is a bit more complicated in its structure, but it is made secure because it allows full IPsec transport mode authentication and encryption of transmitted packets. Since PIX software version 6.0, this implementation can work with a Windows 2000 client.

Many features of the PIX L2TP server are similar to the PPTP server implementation. L2TP can be configured on only one interface, and it uses PPP authentication methods for client authentication. The PIX cannot serve as an L2TP client.

Dynamic Crypto Maps

One new feature that is used in L2TP configuration is a dynamic crypto map. A dynamic crypto map is a crypto map without all parameters configured. It is added as part of the interface's crypto map and is used by the PIX to establish IPsec connections with peers whose IP addresses are not known in advance. A common example is the case of mobile users; they do not have a predetermined IP address but usually get a new address each time they dial into their ISP. When the PIX uses dynamic crypto maps, mobile users have to authenticate to the firewall first by something (hostname, for example) during the IKE exchange, and then their traffic is processed under the rules defined by the dynamic crypto map entry.

Figure 7.16 Layer 2 Tunneling Protocol Packet Structure (figure not reproduced; it shows the path VPN client with modem, phone line, ISP access server (NAS), Internet, Gateway (PPTP server), destination server, with the L2TP session carried inside the IPsec connection)

IP packet structure with L2TP encapsulated payload: IP header | IPsec ESP header | UDP header | L2TP header | PPP header | PPP payload | IPsec ESP trailer | ESP auth trailer

In order to configure a dynamic crypto map entry, you need to specify only a transform set. All other parameters can be taken from the other peer's (a mobile client's, for example) proposals. Dynamic maps can be used only for incoming connections and must be the lowest priority. When the PIX decides to use a specific dynamic map (meaning that it has performed a successful IKE exchange with the peer), it creates a temporary crypto map entry and installs it into its SPD. The entry is filled in with the results of the IKE negotiations. Once established, this temporary entry is used as normal. When all IPsec SAs associated with this entry expire, the temporary entry is deleted.

Configuration commands for dynamic crypto maps are similar to those for static crypto map entries. The configuration commands are as follows:

crypto dynamic-map <dynamic-map-name> <dynamic-seq-num>
crypto dynamic-map <dynamic-map-name> <dynamic-seq-num> match address <acl_name>
crypto dynamic-map <dynamic-map-name> <dynamic-seq-num> set peer {<hostname> | <ip-address>}
crypto dynamic-map <dynamic-map-name> <dynamic-seq-num> set pfs [group1 | group2]
crypto dynamic-map <dynamic-map-name> <dynamic-seq-num> set security-association lifetime {seconds <seconds> | kilobytes <kilobytes>}
crypto dynamic-map <dynamic-map-name> <dynamic-seq-num> set transform-set transform-set-name1 [transform-set-name2 [transform-set-name3 [transform-set-name4 [transform-set-name5 [transform-set-name6 [transform-set-name7 [transform-set-name8 [transform-set-name9]]]]]]]]

Only the last part of the command, the transform set specification, must be present in the configuration of a dynamic crypto map entry. It is also recommended that an access list be specified with the match address command to increase security; for example, broadcast and multicast traffic rarely needs to be tunneled.

A configured dynamic crypto map is then assigned as an entry in a regular crypto map. For example:


crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 ah-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset2
crypto dynamic-map dynmap 10 match address 101
crypto dynamic-map dynmap 20 set transform-set myset1
crypto dynamic-map dynmap 20 match address 102
crypto map gorilla 10 ipsec-isakmp
crypto map gorilla 10 set peer 23.34.45.56
crypto map gorilla 10 set transform-set myset1 myset2
crypto map gorilla 10 match address 103
crypto map gorilla 20 ipsec-isakmp dynamic dynmap
access-list 103 permit ip 192.168.3.0 255.255.255.0 any
access-list 101 permit ip host 192.168.2.33 any
access-list 102 permit ip host 192.168.2.34 any

Here, a regular map, gorilla, has a dynamic map entry called dynmap with priority 20. The dynamic map itself has two entries with priorities 10 and 20. This means that the PIX will first evaluate the static entry with priority 10 (the one with peer 23.34.45.56), and if this entry does not apply, it will try both entries from the dynamic map: the one with priority 10 first, then the entry with priority 20. After an IPsec SA is established, only the traffic specified by the corresponding access list will be tunneled.
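To make that evaluation order concrete, the following Python script (an added example, not from the book or from Cisco) parses the crypto map fragment above and lists the order in which the PIX would try the entries; it also flags a dynamic map entry that is not the lowest priority, which the text says is required. The map and ACL names are the ones from the example above.

```python
import re

# Constructed input: the crypto map fragment discussed above, one command per line.
CONFIG = """\
crypto dynamic-map dynmap 10 set transform-set myset2
crypto dynamic-map dynmap 10 match address 101
crypto dynamic-map dynmap 20 set transform-set myset1
crypto dynamic-map dynmap 20 match address 102
crypto map gorilla 10 ipsec-isakmp
crypto map gorilla 10 set peer 23.34.45.56
crypto map gorilla 10 match address 103
crypto map gorilla 20 ipsec-isakmp dynamic dynmap
"""

def parse_crypto_maps(config):
    """Return {map_name: {seq: entry}}; entry['kind'] is 'static', 'dynamic' or 'dynamic-ref'."""
    maps = {}
    for line in config.splitlines():
        m = re.match(r"crypto (dynamic-map|map) (\S+) (\d+)(?: (.*))?$", line)
        if not m:
            continue
        kind = "dynamic" if m.group(1) == "dynamic-map" else "static"
        entry = maps.setdefault(m.group(2), {}).setdefault(
            int(m.group(3)), {"kind": kind, "acl": None, "peer": None, "ref": None})
        words = (m.group(4) or "").split()
        if words[:2] == ["match", "address"]:
            entry["acl"] = words[2]
        elif words[:2] == ["set", "peer"]:
            entry["peer"] = words[2]
        elif words[:2] == ["ipsec-isakmp", "dynamic"]:  # regular-map entry pointing at a dynamic map
            entry["kind"], entry["ref"] = "dynamic-ref", words[2]
    return maps

def evaluation_order(maps, map_name):
    """Entries in the order the PIX tries them: ascending seq, a dynamic-ref expanding to its map's entries."""
    order = []
    for seq, e in sorted(maps[map_name].items()):
        if e["kind"] == "dynamic-ref":
            for dseq, d in sorted(maps[e["ref"]].items()):
                order.append((e["ref"], dseq, "dynamic", d["acl"]))
        else:
            order.append((map_name, seq, "static", e["peer"]))
    return order

def dynamic_entry_problems(maps, map_name):
    """Flag a dynamic-ref entry that is not the lowest priority (highest seq), as the text requires."""
    entries = maps[map_name]
    highest = max(entries)
    return [f"{map_name} {seq}: dynamic entry must have the highest sequence number"
            for seq, e in entries.items() if e["kind"] == "dynamic-ref" and seq != highest]
```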

Configuration

Configuring L2TP on the PIX for a Windows 2000 client consists of three high-level steps:

1. Configure IKE.
2. Configure IPsec in transport mode.
3. Configure VPDN dial-in settings for L2TP.

IKE is configured as before. Since the built-in Windows 2000 VPN client does not support pre-shared keys, it has to be configured for CA support. Once the normal configuration process for configuring IPsec with CA support has been completed, we can configure PIX1 to allow L2TP VPN access from mobile Windows 2000 users. In our example, they will be given access to an internal host, 192.168.2.33. IKE authentication will be done using VeriSign certificates, and user authentication will be handled by a RADIUS server on the internal network. First, we need to allow IPsec and L2TP traffic to be exempted from conduits. This is done using the following commands:

PIX1(config)# sysopt connection permit-ipsec
PIX1(config)# sysopt connection permit-l2tp

CA support is configured the same as before:

PIX1(config)# hostname PIX1
PIX1(config)# domain-name securecorp.com
PIX1(config)# ca generate rsa key 1024
PIX1(config)# ca identity verisign 205.139.94.230
PIX1(config)# ca configure verisign ca 1 20 crloptional
PIX1(config)# ca authenticate verisign
PIX1(config)# ca enroll verisign midnightinmoscow
PIX1(config)# ca save all
PIX1(config)# write memory

IKE is configured the same as before:

PIX1(config)# isakmp policy 10 authentication rsa-sig
PIX1(config)# isakmp policy 10 encryption 3des
PIX1(config)# isakmp policy 10 hash md5
PIX1(config)# isakmp policy 10 group 2
PIX1(config)# isakmp policy 10 lifetime 2400
PIX1(config)# isakmp identity hostname
PIX1(config)# isakmp enable outside

NOTE

It is important that the IKE and IPsec SA lifetimes on the PIX match the corresponding settings on the Windows computer. The defaults should work (the IKE SA lifetime is 3600 sec and the IPsec SA lifetime is 86400 sec on Windows), but if debug crypto isakmp or debug crypto ipsec indicates that negotiation failed even though the transform sets are correct, always check the lifetime settings on both the PIX and the Windows client. The Windows settings can be found under the IP Security Policies snap-in of the Microsoft Management Console. See Microsoft Knowledge Base article Q259335 for details.


We should continue the IPsec configuration by defining the crypto access list and configuring NAT bypass:

PIX1(config)# access-list 99 permit ip 192.168.2.0 255.255.255.0 any

IPsec traffic has to be exempted from NAT, as it was before:

PIX1(config)# nat (inside) 0 access-list 99

The next step is to configure the transform set. The only difference from generic IPsec here is that we need to specify that the IPsec mode is transport:

PIX1(config)# crypto ipsec transform-set myset esp-des esp-md5-hmac
PIX1(config)# crypto ipsec transform-set myset mode transport

We create a simple dynamic crypto map to handle mobile clients with unspecified IP addresses:

PIX1(config)# crypto dynamic-map mobileclients 10 set transform-set myset
PIX1(config)# crypto dynamic-map mobileclients 10 match address 99

We configure and apply the regular crypto map, which includes this dynamic map as an entry:

PIX1(config)# crypto map partner 20 ipsec-isakmp dynamic mobileclients
PIX1(config)# crypto map partner interface outside

IKE and IPsec configuration is now complete. Next we need to configure the VPDN settings. Almost all the commands are identical to PPTP:

vpdn group <group_name> accept dialin l2tp
vpdn group <group_name> l2tp tunnel hello <seconds>
vpdn group <group_name> client configuration address local <pool_name>
vpdn group <group_name> client configuration dns <dns_ip1> [<dns_ip2>]
vpdn group <group_name> client configuration wins <wins_ip1> [<wins_ip2>]
vpdn group <group_name> client authentication aaa <aaa_server_group>
vpdn group <group_name> client authentication local
vpdn group <group_name> ppp authentication {pap | chap | mschap}
vpdn group <group_name> client accounting <aaa_server_group>

The first command turns on processing of L2TP requests. The second can be used to configure an L2TP keep-alive timeout, which is 60 seconds by default and can vary from 10 to 300 seconds. The other commands are the same as for PPTP. We will use the last example from the PPTP section (with an external AAA server) and change the protocol to L2TP. The resulting VPDN configuration is as follows:

PIX1(config)# ip local pool mypool 192.168.5.1-192.168.5.10
PIX1(config)# aaa-server myserver (inside) host 192.168.2.99 key mysecretkey
PIX1(config)# aaa-server myserver protocol radius
PIX1(config)# vpdn group 1 accept dialin l2tp
PIX1(config)# vpdn group 1 ppp authentication mschap
PIX1(config)# vpdn group 1 client authentication aaa myserver
PIX1(config)# vpdn group 1 client configuration address local mypool
PIX1(config)# vpdn group 1 client configuration dns 192.168.2.33
PIX1(config)# vpdn group 1 client configuration wins 192.168.2.34
PIX1(config)# vpdn enable outside
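As a sanity check on the finished configuration, the following Python script (an added example, not from the book or from Cisco) parses the commands from this section, with the prompts removed, and reports which of the prerequisites the text states are missing: both sysopt exemptions, a transport-mode transform set used by the dynamic map, the dynamic map attached to a crypto map that is applied to an interface, IKE and VPDN enabled on that interface, the NAT exemption, and a VPDN group accepting L2TP dial-in. The crypto map name partner is the one used in this section.

```python
import re

# Constructed input: the PIX1 commands from this section with the prompts removed.
CONFIG = """\
sysopt connection permit-ipsec
sysopt connection permit-l2tp
isakmp enable outside
nat (inside) 0 access-list 99
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset mode transport
crypto dynamic-map mobileclients 10 set transform-set myset
crypto dynamic-map mobileclients 10 match address 99
crypto map partner 20 ipsec-isakmp dynamic mobileclients
crypto map partner interface outside
vpdn group 1 accept dialin l2tp
vpdn enable outside
"""

def matches(lines, pattern):
    """Match objects for every line that matches pattern from its start."""
    return [m for m in (re.match(pattern, l) for l in lines) if m]

def check_l2tp_ipsec(config):
    """Return one finding per unmet L2TP/IPsec prerequisite from the text; [] means all are met."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for needed in ("sysopt connection permit-ipsec", "sysopt connection permit-l2tp"):
        if needed not in lines:
            findings.append(f"missing '{needed}'")
    transport = {m.group(1) for m in matches(lines, r"crypto ipsec transform-set (\S+) mode transport$")}  # L2TP needs transport mode
    dyn_sets = {}
    for m in matches(lines, r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$"):
        dyn_sets.setdefault(m.group(1), set()).update(m.group(2).split())
    for name, sets in dyn_sets.items():
        if not sets & transport:
            findings.append(f"dynamic-map {name}: no transform set in transport mode")
    applied = {m.group(1): m.group(2) for m in matches(lines, r"crypto map (\S+) interface (\S+)$")}  # map -> interface
    referenced = {m.group(2): m.group(1) for m in matches(lines, r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$")}
    for dyn in dyn_sets:
        if referenced.get(dyn) not in applied:
            findings.append(f"dynamic-map {dyn} is not attached to an applied crypto map")
    for iface in set(applied.values()):  # IKE and VPDN must be enabled where the map is applied
        for needed in (f"isakmp enable {iface}", f"vpdn enable {iface}"):
            if needed not in lines:
                findings.append(f"missing '{needed}'")
    if not matches(lines, r"nat \(\S+\) 0 access-list \S+$"):
        findings.append("IPsec traffic is not exempted from NAT (no 'nat 0 access-list')")
    if not matches(lines, r"vpdn group \S+ accept dialin l2tp$"):
        findings.append("no 'vpdn group ... accept dialin l2tp'")
    return findings
```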