Description:
L2TPv3 (Layer 2 Tunneling Protocol Version 3) tunnels Layer 2 (OSI model) frames between two IP nodes. The ESR router implements static unmanaged L2TPv3 tunnels: there is no control channel, and a tunnel is created by configuring it manually on both the local and the remote node. The tunnel parameters on the two sides must mirror each other (the local address, port and session ID on one side equal the remote address, port and session ID on the other), otherwise the partner will not decapsulate the received data. One L2TPv3 tunnel carries the traffic of one broadcast domain (VLAN).
For secure transmission over the Internet, IPsec encryption can be used, as in the example below. L2TPv3 itself provides neither confidentiality nor integrity, and an unmanaged tunnel performs no handshake: received frames are matched to the tunnel by source address, UDP port and session ID only. Two points to check when combining the two: the IPsec policy selectors must cover exactly the L2TPv3 flow (here UDP port 514 between the two /32 endpoint addresses), so that the tunnel traffic is actually protected rather than sent in the clear, and the negotiated IKE parameters must be strong. The diagnostics below show Diffie-Hellman group 1 being negotiated because the IKE proposal does not set a group; group 1 (768-bit MODP) is considered weak and should be replaced with a stronger group before this configuration is used in production. The firewall rule that permits UDP/514 from the untrusted zone to the router itself is also not restricted to the peer's address; limiting it to the peer reduces the exposed surface.
ESR-1 Configuration:
ESR-1# sh ru
object-group service L2TPV3
  port-range 514
exit
object-group service ISAKMP
  port-range 500
  port-range 4500
exit
system fan-speed auto
vlan 50
exit
security zone untrusted
exit
bridge 10
  vlan 50
  enable
exit
interface gigabitethernet 1/0/1
  security-zone untrusted
  ip address 192.0.2.1/24
exit
interface gigabitethernet 1/0/2
  mode switchport
  bridge-group 10
exit
tunnel l2tpv3 1
  protocol udp
  local port 514
  remote port 514
  local session-id 12
  remote session-id 12
  bridge-group 10
  local address 192.0.2.1
  remote address 198.51.100.1
  enable
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match destination-port L2TPV3
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port ISAKMP
    enable
  exit
  rule 3
    action permit
    match protocol esp
    enable
  exit
exit
security ike proposal IKEPROP
  authentication algorithm sha2-256
  encryption algorithm aes256
exit
security ike policy IKEPOL
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP
exit
security ike gateway IKEGW
  ike-policy IKEPOL
  local address 192.0.2.1
  local network 192.0.2.1/32 protocol udp port 514
  remote address 198.51.100.1
  remote network 198.51.100.1/32 protocol udp port 514
  mode policy-based
exit
security ipsec proposal IPSECPROP
  authentication algorithm sha2-256
  encryption algorithm aes256
exit
security ipsec policy IPSECPOL
  proposal IPSECPROP
exit
security ipsec vpn L2TPV3
  mode ike
  ike establish-tunnel route
  ike gateway IKEGW
  ike ipsec-policy IPSECPOL
  enable
exit
ip route 198.51.100.0/24 192.0.2.2
ESR-2 Configuration:
esr-1200# sh ru
object-group service L2TPV3
  port-range 514
exit
object-group service ISAKMP
  port-range 500
  port-range 4500
exit
system fan-speed auto
vlan 50
exit
security zone untrusted
exit
security zone trusted
exit
bridge 10
  vlan 50
  enable
exit
interface gigabitethernet 1/0/1
  security-zone untrusted
  ip address 198.51.100.1/24
exit
interface gigabitethernet 1/0/2
  mode switchport
  bridge-group 10
exit
tunnel l2tpv3 1
  protocol udp
  local port 514
  remote port 514
  local session-id 12
  remote session-id 12
  bridge-group 10
  local address 198.51.100.1
  remote address 192.0.2.1
  enable
exit
security zone-pair untrusted self
  rule 1
    action permit
    match protocol udp
    match destination-port L2TPV3
    enable
  exit
  rule 2
    action permit
    match protocol udp
    match destination-port ISAKMP
    enable
  exit
  rule 3
    action permit
    match protocol esp
    enable
  exit
exit
security ike proposal IKEPROP
  authentication algorithm sha2-256
  encryption algorithm aes256
exit
security ike policy IKEPOL
  pre-shared-key ascii-text encrypted 8CB5107EA7005AFF
  proposal IKEPROP
exit
security ike gateway IKEGW
  ike-policy IKEPOL
  local address 198.51.100.1
  local network 198.51.100.1/32 protocol udp port 514
  remote address 192.0.2.1
  remote network 192.0.2.1/32 protocol udp port 514
  mode policy-based
exit
security ipsec proposal IPSECPROP
  authentication algorithm sha2-256
  encryption algorithm aes256
exit
security ipsec policy IPSECPOL
  proposal IPSECPROP
exit
security ipsec vpn L2TPV3
  mode ike
  ike establish-tunnel route
  ike gateway IKEGW
  ike ipsec-policy IPSECPOL
  enable
exit
ip route 192.0.2.0/24 198.51.100.2
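The consistency requirement from the description (every local parameter on one side must equal the remote parameter on the other, and the IPsec selectors must cover exactly the tunnel flow) is easy to get wrong when two configs are typed by hand. The script below is an added example written for this page, not code from the ESR firmware or from Eltex: it parses the tunnel and IKE gateway blocks of both routers and reports every mismatch. The config excerpts are constructed from the two running configs above; the "header ... exit" block parser, the function names and the selector keys ("local proto", "local selector-port") are this example's own conventions.

```python
import re
from typing import Dict, List

# Excerpts constructed from the page's two running configs; only the blocks the
# check needs are included (the parser expects "header ... exit" blocks only).
ESR1_CONFIG = """\
tunnel l2tpv3 1
  protocol udp
  local port 514
  remote port 514
  local session-id 12
  remote session-id 12
  local address 192.0.2.1
  remote address 198.51.100.1
exit
security ike gateway IKEGW
  local address 192.0.2.1
  local network 192.0.2.1/32 protocol udp port 514
  remote address 198.51.100.1
  remote network 198.51.100.1/32 protocol udp port 514
exit
"""
ESR2_CONFIG = """\
tunnel l2tpv3 1
  protocol udp
  local port 514
  remote port 514
  local session-id 12
  remote session-id 12
  local address 198.51.100.1
  remote address 192.0.2.1
exit
security ike gateway IKEGW
  local address 198.51.100.1
  local network 198.51.100.1/32 protocol udp port 514
  remote address 192.0.2.1
  remote network 192.0.2.1/32 protocol udp port 514
exit
"""
SELECTOR_RE = re.compile(r"^(local|remote) network (\S+) protocol (\S+) port (\d+)$")
# Each "local" tunnel parameter must equal the peer's "remote" counterpart.
MIRRORED = (("local address", "remote address"), ("local port", "remote port"),
            ("local session-id", "remote session-id"))


def parse_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Map each "header ... exit" block to {key: value}: the value is the last token,
    the key the rest ("local session-id 12" -> {"local session-id": "12"});
    IPsec selector lines are split into network, protocol and port."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            current = None
        elif current is None:
            current = line
            blocks[current] = {}
        elif (sel := SELECTOR_RE.match(line)):
            side, net, proto, port = sel.groups()
            blocks[current][f"{side} network"] = net
            blocks[current][f"{side} proto"] = proto
            blocks[current][f"{side} selector-port"] = port
        else:
            *key, value = line.split()
            blocks[current][" ".join(key)] = value
    return blocks


def check_peering(a: Dict[str, Dict[str, str]], b: Dict[str, Dict[str, str]]) -> List[str]:
    """Return every mismatch found; an empty list means the two peers agree."""
    problems: List[str] = []
    ta, tb = a["tunnel l2tpv3 1"], b["tunnel l2tpv3 1"]
    if ta.get("protocol") != tb.get("protocol"):
        problems.append("tunnel transport protocol differs between A and B")
    for local, remote in MIRRORED:
        if ta.get(local) != tb.get(remote):
            problems.append(f"A {local}={ta.get(local)} but B {remote}={tb.get(remote)}")
        if tb.get(local) != ta.get(remote):
            problems.append(f"B {local}={tb.get(local)} but A {remote}={ta.get(remote)}")
    # The IPsec policy selectors must cover exactly the tunnel flow on each side;
    # L2TPv3 packets that miss the policy are not protected by the VPN.
    for name, tun, gw in (("A", ta, a["security ike gateway IKEGW"]),
                          ("B", tb, b["security ike gateway IKEGW"])):
        for side in ("local", "remote"):
            endpoint = tun.get(f"{side} address")
            if gw.get(f"{side} address") != endpoint:
                problems.append(f"{name}: IKE gateway {side} address differs from tunnel")
            if gw.get(f"{side} network") != f"{endpoint}/32":
                problems.append(f"{name}: {side} selector does not match tunnel endpoint")
            if (gw.get(f"{side} proto") != tun.get("protocol")
                    or gw.get(f"{side} selector-port") != tun.get(f"{side} port")):
                problems.append(f"{name}: {side} selector protocol/port differs from tunnel")
    return problems


if __name__ == "__main__":
    print("page config:", check_peering(parse_blocks(ESR1_CONFIG), parse_blocks(ESR2_CONFIG)) or "consistent")
    # Deliberately break one side: ESR-2 now expects session 21 while ESR-1 sends 12.
    broken = ESR2_CONFIG.replace("remote session-id 12", "remote session-id 21")
    for problem in check_peering(parse_blocks(ESR1_CONFIG), parse_blocks(broken)):
        print("broken config:", problem)
```

The page's two configs pass with no findings; changing ESR-2's remote session ID, or widening a selector from the /32 endpoint to the /24 LAN, is reported immediately, which is exactly the kind of silent mismatch that otherwise shows up only as a tunnel that is "Up" but forwards nothing, or as L2TPv3 traffic that bypasses the IPsec policy.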
Diagnostics of ESR-1:
The IKE SA and its ESP child SA are established, the L2TPv3 tunnel is Up, the bridge and tunnel captures show the inner ICMP frames of the 172.16.250.0/24 LAN, and the capture on the WAN interface gigabitethernet 1/0/1 shows only ESP, i.e. the L2TPv3 packets leave the router encrypted. Note the negotiated Diffie-Hellman group 1 and IKE "v1-only" in the status output.

ESR-1# sh security ipsec vpn status L2TPV3
Currently active IKE SA:
  Name: L2TPV3
  State: Established
  Version: v1-only
  Unique ID: 5
  Local host: 192.0.2.1
  Remote host: 198.51.100.1
  Role: Initiator
  Initiator spi: 0x5748f43370ef2882
  Responder spi: 0xcc8c76bb315e0bce
  Encryption algorithm: aes256
  Authentication algorithm: sha2-256
  Diffie-Hellman group: 1
  Established: 1 hour, 12 minutes and 56 seconds ago
  Rekey time: 1 hour, 12 minutes and 56 seconds
  Reauthentication time: 1 hour, 37 minutes and 12 seconds
  Child IPsec SAs:
    Name: L2TPV3-4
    State: Installed
    Protocol: esp
    Mode: Tunnel
    Encryption algorithm: aes256
    Authentication algorithm: sha2-256
    Rekey time: 18 minutes and 11 seconds
    Life time: 31 minutes and 54 seconds
    Established: 28 minutes and 6 seconds ago
    Traffic statistics:
      Input bytes: 176289
      Output bytes: 176289
      Input packets: 1554
      Output packets: 1554

ESR-1# sh tunnels status l2tpv3
Tunnel            Admin  Link   MTU     Local IP          Remote IP         Last change
                  state  state
----------------  -----  -----  ------  ----------------  ----------------  -------------------------
l2tpv3 1          Up     Up     1500    192.0.2.1         198.51.100.1      1 hour, 51 minutes and 29 seconds

ESR-1# monitor bridge 10
17:01:55.642785 a8:f9:4b:ac:9f:36 > a8:f9:4b:aa:b3:57, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 57740, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.250.10 > 172.16.250.200: ICMP echo request, id 29, seq 253, length 64
17:01:55.643184 a8:f9:4b:aa:b3:57 > a8:f9:4b:ac:9f:36, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 26751, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.250.200 > 172.16.250.10: ICMP echo reply, id 29, seq 253, length 64

ESR-1# monitor gigabitethernet 1/0/1
17:06:16.088063 a8:f9:4b:aa:d3:84 > a8:f9:4b:aa:38:21, ethertype IPv4 (0x0800), length 218: (tos 0x0, ttl 64, id 6647, offset 0, flags [none], proto ESP (50), length 204)
    192.0.2.1 > 198.51.100.1: ESP(spi=0xc9a830da,seq=0x4f7), length 184
17:06:16.088418 a8:f9:4b:aa:38:21 > a8:f9:4b:aa:d3:84, ethertype IPv4 (0x0800), length 218: (tos 0x0, ttl 63, id 8900, offset 0, flags [none], proto ESP (50), length 204)
    198.51.100.1 > 192.0.2.1: ESP(spi=0xc2cd98dd,seq=0x4f7), length 184

ESR-1# monitor l2tpv3 1
17:06:37.122743 a8:f9:4b:ac:9f:36 > a8:f9:4b:aa:b3:57, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 6714, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.250.10 > 172.16.250.200: ICMP echo request, id 29, seq 534, length 64
17:06:37.124749 a8:f9:4b:aa:b3:57 > a8:f9:4b:ac:9f:36, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 61854, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.250.200 > 172.16.250.10: ICMP echo reply, id 29, seq 534, length 64
Diagnostics of ESR-2:
ESR-2# monitor l2tpv3 1
17:07:33.758424 a8:f9:4b:ac:9f:36 > a8:f9:4b:aa:b3:57, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 9250, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.250.10 > 172.16.250.200: ICMP echo request, id 29, seq 591, length 64
17:07:33.758569 a8:f9:4b:aa:b3:57 > a8:f9:4b:ac:9f:36, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 4309, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.250.200 > 172.16.250.10: ICMP echo reply, id 29, seq 591, length 64

ESR-2# monitor bridge 10
17:07:52.789312 a8:f9:4b:ac:9f:36 > a8:f9:4b:aa:b3:57, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 9982, offset 0, flags [DF], proto ICMP (1), length 84)
    172.16.250.10 > 172.16.250.200: ICMP echo request, id 29, seq 610, length 64
17:07:52.789465 a8:f9:4b:aa:b3:57 > a8:f9:4b:ac:9f:36, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 7065, offset 0, flags [none], proto ICMP (1), length 84)
    172.16.250.200 > 172.16.250.10: ICMP echo reply, id 29, seq 610, length 64

ESR-2# sh security ipsec vpn status L2TPV3
Currently active IKE SA:
  Name: L2TPV3
  State: Established
  Version: v1-only
  Unique ID: 5
  Local host: 198.51.100.1
  Remote host: 192.0.2.1
  Role: Responder
  Initiator spi: 0x5748f43370ef2882
  Responder spi: 0xcc8c76bb315e0bce
  Encryption algorithm: aes256
  Authentication algorithm: sha2-256
  Diffie-Hellman group: 1
  Established: 1 hour, 11 minutes and 57 seconds ago
  Rekey time: 1 hour, 11 minutes and 57 seconds
  Reauthentication time: 1 hour, 35 minutes and 7 seconds
  Child IPsec SAs:
    Name: L2TPV3-4
    State: Installed
    Protocol: esp
    Mode: Tunnel
    Encryption algorithm: aes256
    Authentication algorithm: sha2-256
    Rekey time: 15 minutes and 41 seconds
    Life time: 32 minutes and 53 seconds
    Established: 27 minutes and 7 seconds ago
    Traffic statistics:
      Input bytes: 165312
      Output bytes: 165312
      Input packets: 1465
      Output packets: 1465

ESR-2# sh tunnels status l2tpv3
Tunnel            Admin  Link   MTU     Local IP          Remote IP         Last change
                  state  state
----------------  -----  -----  ------  ----------------  ----------------  -------------------------
l2tpv3 1          Up     Up     1500    198.51.100.1      192.0.2.1         1 hour, 15 minutes and 20 seconds
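Checking "Established"/"Installed" by eye is what the diagnostics above invite, but the same output also carries the negotiated parameters, and that is where the weak default (Diffie-Hellman group 1, IKEv1 only) hides. The following is an added example written for this page, not an ESR or Eltex tool: it flattens the "sh security ipsec vpn status" text into key/value fields and returns the findings a reviewer would raise. The status text is constructed from the ESR-1 output above; the weak-parameter sets, the "child." key prefix and the function names are this example's own choices.

```python
from typing import Dict, List

# Constructed from the page's "sh security ipsec vpn status L2TPV3" output on ESR-1.
STATUS_ESR1 = """\
Currently active IKE SA:
  Name: L2TPV3
  State: Established
  Version: v1-only
  Unique ID: 5
  Local host: 192.0.2.1
  Remote host: 198.51.100.1
  Role: Initiator
  Encryption algorithm: aes256
  Authentication algorithm: sha2-256
  Diffie-Hellman group: 1
  Established: 1 hour, 12 minutes and 56 seconds ago
  Child IPsec SAs:
    Name: L2TPV3-4
    State: Installed
    Protocol: esp
    Mode: Tunnel
    Encryption algorithm: aes256
    Authentication algorithm: sha2-256
    Traffic statistics:
      Input bytes: 176289
      Output bytes: 176289
"""

WEAK_DH_GROUPS = {"1", "2", "5"}        # 768-, 1024- and 1536-bit MODP
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5", "sha1"}


def parse_status(text: str) -> Dict[str, str]:
    """Flatten "Key: value" lines; keys below "Child IPsec SAs:" get a "child." prefix."""
    fields: Dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Child IPsec SAs:":
            prefix = "child."
        elif ": " in line:
            key, value = line.split(": ", 1)
            fields[prefix + key] = value.strip()
    return fields


def audit(fields: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise; an empty list means nothing to flag."""
    findings: List[str] = []
    if fields.get("State") != "Established":
        findings.append("IKE SA is not established")
    if fields.get("child.State") != "Installed" or fields.get("child.Protocol") != "esp":
        findings.append("no installed ESP child SA")
    if fields.get("Version") == "v1-only":
        findings.append("IKEv1 negotiated (v1-only); use IKEv2 where both peers support it")
    group = fields.get("Diffie-Hellman group")
    if group in WEAK_DH_GROUPS:
        findings.append(f"weak DH group {group}; set group 14 or stronger in the IKE proposal")
    for scope, label in (("", "IKE"), ("child.", "ESP")):
        if fields.get(scope + "Encryption algorithm", "").lower() in WEAK_CIPHERS:
            findings.append(f"weak {label} encryption algorithm")
        if fields.get(scope + "Authentication algorithm", "").lower() in WEAK_HASHES:
            findings.append(f"weak {label} authentication algorithm")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_status(STATUS_ESR1)):
        print("FINDING:", finding)
```

Run against the page's output it reports two findings (IKEv1 only, DH group 1) and nothing about the AES-256/SHA2-256 choices; once a stronger group is negotiated only the IKE version remains, which makes the script a usable post-change check on both routers.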