Схема:
Задача: Построить L2TP-туннель между маршрутизатором ESR, который является L2TP-Client, и маршрутизатором Mikrotik, который является L2TP-Server.
Для построения IPsec в схеме с L2TP-туннелем между ESR и Mikrotik - в конфигурации tunnel l2tp на маршрутизаторе ESR необходимо включить ipsec ike rekey enable:
esr# configure
esr(config)# tunnel l2tp 1
esr(config-l2tp)# ipsec ike rekey enable
Данная команда поддержана с версии ПО 1.17.0!!!
Пример конфигурации ESR:
object-group service IKE port-range 500 port-range 4500exitobject-group service L2TP port-range 1701exit
security zone trustedexit
interface gigabitethernet 1/0/1 security-zone trusted ip address 198.51.100.10/24exittunnel l2tp 1 security-zone trusted authentication method mschap-v2 username user password ascii-text encrypted 8CB5107EA7005AFF remote address 198.51.100.1 ipsec authentication method pre-shared-key ipsec authentication pre-shared-key ascii-text encrypted 8CB5107EA7005AFF ipsec ike rekey enable ipsec ike proposal l2tp ipsec proposal l2tp enableexit
security zone-pair trusted self rule 1 action permit match protocol udp match destination-port L2TP enable exit rule 2 action permit match protocol udp match destination-port IKE enable exit rule 3 action permit match protocol esp enable exitexitsecurity zone-pair trusted trusted rule 1 action permit enable exitexit
security ike proposal l2tp authentication algorithm sha2-256 encryption algorithm aes128 dh-group 15exit
security ipsec proposal l2tp authentication algorithm sha2-256 encryption algorithm aes128 pfs dh-group 15exit
Пример конфигурации Mikrotik в WEB:
Вывод оперативной информации со стороны ESR при установленном L2TP-туннеле:
esr# show tunnels status Tunnel Admin Link MTU Local IP Remote IP Last change state state ---------------- ----- ----- ------ ---------------- ---------------- ------------------------- l2tp 1 Up Up 1450 192.0.2.10 192.0.2.1 1 minute and 58 seconds esr# show security ipsec vpn status Name Local host Remote host Initiator spi Responder spi State ------------------------------- --------------- --------------- ------------------ ------------------ ----------- l2tp_1(L2TP) 198.51.100.10 198.51.100.1 0x94adf3014dad6193 0x6a3a5b68224e2dad Established esr# show ip route Codes: C - connected, S - static, R - RIP derived, O - OSPF derived, IA - OSPF inter area route, E1 - OSPF external type 1 route, E2 - OSPF external type 2 route B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - FIB route
S * 0.0.0.0/0 [50/0] dev l2tp 1 [static 07:19:14] C * 198.51.100.0/24 [0/0] dev gi1/0/1 [direct 2023-09-01] C * 192.0.2.1/32 [0/0] dev l2tp 1 [direct 07:19:14] C * 192.0.2.10/32 [0/0] dev l2tp 1 [direct 07:19:14]