Пример настройки L2TP-Client на ESR и L2TP-Server на Cisco

Схема:

Задача: Построить L2TP-туннель между маршрутизатором ESR, который является L2TP-Client, и маршрутизатором Cisco-2811, который является L2TP-Server.

Пример конфигурации ESR:

esr# show running-config

object-group service IKE
port-range 500
port-range 4500
exit
object-group service L2TP
port-range 1701
exit

security zone trusted
exit

interface gigabitethernet 1/0/1
security-zone trusted ip address 198.51.100.9/24
exit
tunnel l2tp 1
security-zone trusted authentication method mschap-v2
username user password ascii-text encrypted 8CB5107EA7005AFF
remote address 198.51.100.33
ipsec authentication method pre-shared-key
ipsec authentication pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
ipsec ike proposal ike_prop
ipsec proposal ipsec_prop
enable
exit

security zone-pair trusted self rule 1 action permit match protocol udp match destination-port L2TP enable exit rule 2 action permit match protocol udp match destination-port IKE enable exit rule 3 action permit match protocol esp enable exit exit security zone-pair trusted trusted rule 1 action permit enable exit exit

security ike proposal ike_prop
authentication algorithm sha2-256
encryption algorithm aes192
dh-group 15
exit

security ipsec proposal ipsec_prop
encryption algorithm aes128
exit

Пример конфигурации Cisco-2811:

Router#show running-config

aaa new-model
!
aaa authentication ppp L2TP_SERVER_AUTH local
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
username user password 0 password
!
crypto isakmp policy 1
encr aes 192
hash sha256
authentication pre-share
group 15
crypto isakmp key password address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP_IPsec esp-aes esp-sha-hmac
mode transport
!
crypto dynamic-map L2TP_dmap 10
set nat demux
set transform-set L2TP_IPsec
!
crypto map L2TP_map 10 ipsec-isakmp dynamic L2TP_dmap
!
!
!
interface Loopback1
ip address 192.0.2.1 255.255.255.255
!
interface FastEthernet0/1
ip address 198.51.100.33 255.255.255.0
ip virtual-reassembly in
duplex auto
speed auto
crypto map L2TP_map
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool L2TP_pool
ppp authentication ms-chap-v2 L2TP_SERVER_AUTH
!
ip local pool L2TP_pool 192.0.2.2 192.0.2.10

Вывод оперативной информации со стороны ESR при установленном L2TP-туннеле:

esr# show tunnels status
Tunnel Admin Link MTU Local IP Remote IP Last change
state state
---------------- ----- ----- ------ ---------------- ---------------- -------------------------
l2tp 1 Up Up 1500 192.0.2.3 192.0.2.1 25 minutes and 48 seconds
esr# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
l2tp_1(L2TP) 198.51.100.9 198.51.100.33 0xe5f556c53c1ab8b4 0x7ad68586ac74208a Established

esr# show security ipsec vpn status l2tp_1
Currently active IKE SA:
Name: l2tp_1(L2TP)
State: Established
Version: v1-only
Unique ID: 2
Local host: 198.51.100.9
Remote host: 198.51.100.33
Role: Initiator
Initiator spi: 0xe5f556c53c1ab8b4
Responder spi: 0x7ad68586ac74208a
Encryption algorithm: aes192
Authentication algorithm: sha2-256
Diffie-Hellman group: 15
Established: 28 minutes and 51 seconds ago
Rekey time: 28 minutes and 51 seconds
Reauthentication time: 28 minutes and 51 seconds
Child IPsec SAs:
Name: l2tp_1-2(L2TP)
State: Installed
Protocol: esp
Mode: Transport
Encryption algorithm: aes128
Authentication algorithm: sha1
Rekey time: 28 minutes and 51 seconds
Life time: 28 minutes and 51 seconds
Established: 28 minutes and 51 seconds ago
Traffic statistics:
Input bytes: 11619
Output bytes: 11176
Input packets: 387
Output packets: 386
-------------------------------------------------------------

Вывод оперативной информации со стороны Cisco-2811 при установленном L2TP-туннеле:

Router#show vpdn tunnel l2tp

L2TP Tunnel Information Total tunnels 1 sessions 1

LocTunID RemTunID Remote Name State Remote Address Sessn L2TP Class/
Count VPDN Group
23511 6041 esr-21 est 198.51.100.9 1 L2TP

Router#show crypto ipsec sa

interface: FastEthernet0/1
Crypto map tag: L2TP_map, local addr 198.51.100.33

protected vrf: (none)
local ident (addr/mask/prot/port): (198.51.100.33/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (198.51.100.9/255.255.255.255/17/0)
current_peer 198.51.100.9 port 500
PERMIT, flags={}
#pkts encaps: 316, #pkts encrypt: 316, #pkts digest: 316
#pkts decaps: 315, #pkts decrypt: 315, #pkts verify: 315
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 198.51.100.33, remote crypto endpt.: 198.51.100.9
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xC2AB5810(3266009104)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x4FBAC0CD(1337639117)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: FPGA:1, sibling_flags 80000006, crypto map: L2TP_map
sa timing: remaining key lifetime (k/sec): (4420342/2204)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC2AB5810(3266009104)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: FPGA:2, sibling_flags 80000006, crypto map: L2TP_map
sa timing: remaining key lifetime (k/sec): (4420340/2204)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

Дерево страниц

Пример настройки L2TP-Client на ESR и L2TP-Server на Cisco