Diagram:
Task: build an L2TP tunnel between an ESR router acting as the L2TP client and a Mikrotik router acting as the L2TP server.
To bring up IPsec for the L2TP tunnel between the ESR and the Mikrotik, you must enable ipsec ike rekey enable in the tunnel l2tp configuration on the ESR router:
esr# configure
esr(config)# tunnel l2tp 1
esr(config-l2tp)# ipsec ike rekey enable
This command is supported starting from firmware version 1.17.0!
Example ESR configuration:
object-group service IKE
  port-range 500
  port-range 4500
exit
object-group service L2TP
  port-range 1701
exit
security zone trusted
exit
interface gigabitethernet 1/0/1
  security-zone trusted
  ip address 198.51.100.10/24
exit
tunnel l2tp 1
  security-zone trusted
  authentication method mschap-v2
  username user password ascii-text encrypted 8CB5107EA7005AFF
  remote address 198.51.100.1
  ipsec authentication method pre-shared-key
  ipsec authentication pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  ipsec ike rekey enable
  ipsec ike proposal l2tp
  ipsec proposal l2tp
  enable
exit
security zone-pair trusted self
  rule 1
    action permit
    match protocol udp
    match destination-port L2TP
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port IKE
    enable
  exit
  rule 3
    action permit
    match protocol esp
    enable
  exit
exit
security zone-pair trusted trusted
  rule 1
    action permit
    enable
  exit
exit
security ike proposal l2tp
  authentication algorithm sha2-256
  encryption algorithm aes128
  dh-group 15
exit
security ipsec proposal l2tp
  authentication algorithm sha2-256
  encryption algorithm aes128
  pfs dh-group 15
exit
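The configuration above has several pieces that must all be present for the IPsec-protected L2TP client to work: the rekey command inside the tunnel, proposals that the tunnel actually references, and zone-pair rules towards "self" that let IKE (UDP/500 and UDP/4500), L2TP (UDP/1701) and ESP reach the router. The following checker is an added example written for this article, not Eltex's or Mikrotik's code. It parses flat ESR CLI text into a section tree and reports what is missing; the function names, the list of section-opening keywords and the trimmed copy of the page's config (password lines omitted) are our assumptions.

```python
"""Added example: lint an ESR L2TP-over-IPsec client config (not Eltex's code).
Parses flat ESR CLI text (sections close with 'exit') into a tree and checks
the items the article says are required."""
import re

# Trimmed copy of the article's ESR config (constructed sample; password lines omitted).
ESR_CONFIG = "\n".join([
    "object-group service IKE", "port-range 500", "port-range 4500", "exit",
    "object-group service L2TP", "port-range 1701", "exit",
    "tunnel l2tp 1", "security-zone trusted", "authentication method mschap-v2",
    "remote address 198.51.100.1", "ipsec authentication method pre-shared-key",
    "ipsec ike rekey enable", "ipsec ike proposal l2tp", "ipsec proposal l2tp",
    "enable", "exit",
    "security zone-pair trusted self",
    "rule 1", "action permit", "match protocol udp", "match destination-port L2TP", "enable", "exit",
    "rule 2", "action permit", "match protocol udp", "match destination-port IKE", "enable", "exit",
    "rule 3", "action permit", "match protocol esp", "enable", "exit",
    "exit",
    "security ike proposal l2tp", "authentication algorithm sha2-256",
    "encryption algorithm aes128", "dh-group 15", "exit",
    "security ipsec proposal l2tp", "authentication algorithm sha2-256",
    "encryption algorithm aes128", "pfs dh-group 15", "exit",
])

# Lines that open a nested section (assumption: only the ESR keywords used on this page).
CONTAINER_PREFIXES = ("object-group ", "security zone ", "interface ", "tunnel ",
                      "security zone-pair ", "rule ", "security ike proposal ",
                      "security ipsec proposal ")
REQUIRED_UDP = {500: "IKE", 4500: "IKE NAT-T", 1701: "L2TP"}


def parse_esr_config(text):
    """Tree of {name, leaves, children}; 'exit' closes the innermost section."""
    root = {"name": "<root>", "leaves": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            if len(stack) > 1:
                stack.pop()
        elif line.startswith(CONTAINER_PREFIXES):
            node = {"name": line, "leaves": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        else:
            stack[-1]["leaves"].append(line)
    return root


def defined_names(root, prefix):
    """Last word of every top-level section whose name starts with prefix."""
    return {n["name"].split()[-1] for n in root["children"] if n["name"].startswith(prefix)}


def service_ports(root):
    """object-group service NAME -> set of ports ('port-range N' or 'port-range N-M')."""
    groups = {}
    for node in root["children"]:
        m = re.match(r"object-group service (\S+)$", node["name"])
        if m:
            ports = set()
            for leaf in node["leaves"]:
                pm = re.match(r"port-range (\d+)(?:-(\d+))?$", leaf)
                if pm:
                    ports.update(range(int(pm.group(1)), int(pm.group(2) or pm.group(1)) + 1))
            groups[m.group(1)] = ports
    return groups


def check_l2tp_ipsec(root):
    """Return a list of problems; an empty list means the config looks complete."""
    problems = []
    refs = (("ipsec ike proposal ", defined_names(root, "security ike proposal "), "IKE"),
            ("ipsec proposal ", defined_names(root, "security ipsec proposal "), "IPsec"))
    tunnels = [n for n in root["children"] if n["name"].startswith("tunnel l2tp ")]
    if not tunnels:
        problems.append("no 'tunnel l2tp' section")
    for t in tunnels:
        if "ipsec ike rekey enable" not in t["leaves"]:
            problems.append(f"{t['name']}: 'ipsec ike rekey enable' missing "
                            "(needed with a Mikrotik server; ESR firmware >= 1.17.0)")
        if "enable" not in t["leaves"]:
            problems.append(f"{t['name']}: tunnel is not enabled")
        for leaf in t["leaves"]:
            for prefix, names, kind in refs:
                if leaf.startswith(prefix) and leaf.split()[-1] not in names:
                    problems.append(f"{t['name']}: {kind} proposal '{leaf.split()[-1]}' is not defined")
    # Firewall towards the router itself: what do enabled permit rules allow?
    groups = service_ports(root)
    udp_ports, any_udp, esp_ok = set(), False, False
    for zp in root["children"]:
        if not re.match(r"security zone-pair \S+ self$", zp["name"]):
            continue
        for rule in zp["children"]:
            l = rule["leaves"]
            if "action permit" not in l or "enable" not in l:
                continue
            esp_ok = esp_ok or "match protocol esp" in l
            if "match protocol udp" in l:
                dports = [x.split()[-1] for x in l if x.startswith("match destination-port ")]
                any_udp = any_udp or not dports   # UDP rule without a port match permits all UDP
                for g in dports:
                    udp_ports.update(groups.get(g, set()))
    for port, what in REQUIRED_UDP.items():
        if not any_udp and port not in udp_ports:
            problems.append(f"UDP/{port} ({what}) is not permitted towards self")
    if not esp_ok:
        problems.append("ESP is not permitted towards self")
    return problems
```

Run `check_l2tp_ipsec(parse_esr_config(ESR_CONFIG))` on the page's config and the list is empty; drop the rekey line or point rule 2 at the wrong object-group and the corresponding problems are reported.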
Example Mikrotik configuration in the web interface:
Operational status output on the ESR side with the L2TP tunnel established:
esr# show tunnels status
Tunnel Admin Link MTU Local IP Remote IP Last change
state state
---------------- ----- ----- ------ ---------------- ---------------- -------------------------
l2tp 1 Up Up 1450 192.0.2.10 192.0.2.1 1 minute and 58 seconds
esr# show security ipsec vpn status
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
l2tp_1(L2TP) 198.51.100.10 198.51.100.1 0x94adf3014dad6193 0x6a3a5b68224e2dad Established
esr# show ip route
Codes: C - connected, S - static, R - RIP derived,
O - OSPF derived, IA - OSPF inter area route,
E1 - OSPF external type 1 route, E2 - OSPF external type 2 route
B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - FIB route
S * 0.0.0.0/0 [50/0] dev l2tp 1 [static 07:19:14]
C * 198.51.100.0/24 [0/0] dev gi1/0/1 [direct 2023-09-01]
C * 192.0.2.1/32 [0/0] dev l2tp 1 [direct 07:19:14]
C * 192.0.2.10/32 [0/0] dev l2tp 1 [direct 07:19:14]
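A healthy state is visible in two places above: the tunnel is Admin Up / Link Up in "show tunnels status", and its IPsec SA is Established in "show security ipsec vpn status". The script below is an added example (not Eltex's code) that parses both outputs and returns the reasons a tunnel is not healthy, so the check can run from a monitoring job instead of being eyeballed. The sample outputs are copied from the article; the row regexes, the function names and the naming rule "l2tp 1" becomes "l2tp_1(L2TP)" (observed in the sample output) are our assumptions.

```python
"""Added example: health check over ESR 'show tunnels status' and
'show security ipsec vpn status' output (not Eltex's code)."""
import re

# Constructed copies of the article's output.
TUNNELS_OUT = """\
Tunnel Admin Link MTU Local IP Remote IP Last change
state state
---------------- ----- ----- ------ ---------------- ---------------- -------------------------
l2tp 1 Up Up 1450 192.0.2.10 192.0.2.1 1 minute and 58 seconds
"""
IPSEC_OUT = """\
Name Local host Remote host Initiator spi Responder spi State
------------------------------- --------------- --------------- ------------------ ------------------ -----------
l2tp_1(L2TP) 198.51.100.10 198.51.100.1 0x94adf3014dad6193 0x6a3a5b68224e2dad Established
"""

# Data rows only; header and dash lines never match (assumed column layout).
TUNNEL_ROW = re.compile(r"^(?P<name>\S+ \d+)\s+(?P<admin>Up|Down)\s+(?P<link>Up|Down)\s+"
                        r"(?P<mtu>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<since>.+)$")
IPSEC_ROW = re.compile(r"^(?P<name>\S+)\s+(?P<local>[\d.]+)\s+(?P<remote>[\d.]+)\s+"
                       r"(?P<ispi>0x[0-9a-fA-F]+)\s+(?P<rspi>0x[0-9a-fA-F]+)\s+(?P<state>\S+)$")


def parse_rows(text, pattern):
    """Return one dict per line that matches pattern."""
    return [m.groupdict() for m in (pattern.match(l.strip()) for l in text.splitlines()) if m]


def tunnel_health(tunnel_name, tunnels_text, ipsec_text):
    """List of problems for the named tunnel; empty list means Up/Up + Established."""
    problems = []
    t = {r["name"]: r for r in parse_rows(tunnels_text, TUNNEL_ROW)}.get(tunnel_name)
    if t is None:
        problems.append(f"{tunnel_name}: not listed in 'show tunnels status'")
    else:
        if t["admin"] != "Up":
            problems.append(f"{tunnel_name}: administratively down")
        if t["link"] != "Up":
            problems.append(f"{tunnel_name}: link down")
    # Assumption from the sample: the IPsec VPN is named after the tunnel, 'l2tp 1' -> 'l2tp_1(L2TP)'.
    vpn_name = tunnel_name.replace(" ", "_") + "(L2TP)"
    sa = {r["name"]: r for r in parse_rows(ipsec_text, IPSEC_ROW)}.get(vpn_name)
    if sa is None:
        problems.append(f"{vpn_name}: no IPsec SA listed (traffic would be unprotected or tunnel down)")
    elif sa["state"] != "Established":
        problems.append(f"{vpn_name}: IPsec state is {sa['state']}")
    return problems
```

With the page's output, `tunnel_health("l2tp 1", TUNNELS_OUT, IPSEC_OUT)` returns an empty list; an absent SA row or a state other than Established is reported as a problem.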