I keep this here for whenever I need to implement L2TP over IPsec on Cisco routers.
Spoke config
--------------
l2tp-class l2tpclass1
!
pseudowire-class pwclass1
 encapsulation l2tpv2
 ip local interface FastEthernet0/0
!
interface Virtual-PPP10
 ip address negotiated
 no peer neighbor-route
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username cisco password 0 cisco
 pseudowire 1.1.1.1 31 pw-class pwclass1
!
dialer-list 31 protocol ip permit
ip route 10.0.0.0 255.0.0.0 Virtual-PPP10
--------------
HUB config
--------------
vpdn enable
vpdn tunnel accounting network default
vpdn session accounting network default
!
vpdn-group DailIn-L2TP/IPsec
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 100
 lcp renegotiation on-mismatch
 no l2tp tunnel authentication
 l2tp tunnel timeout setup 60
 ip pmtu
!
!
username cisco privilege 15 password cisco
!
crypto keyring RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 30 5
crypto isakmp aggressive-mode disable
crypto isakmp profile L2TP
   description L2TP/IPsec HW CLients Profile
   keyring RING
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set ICW esp-aes 256 esp-sha-hmac
 mode transport
!
crypto dynamic-map CryDynMapICW 10
 set nat demux
 set security-association lifetime kilobytes 3145728
 set transform-set ICW
 set pfs group5
 set isakmp-profile L2TP
 reverse-route
!
!
crypto map CryMapICW local-address Ethernet0/0
crypto map CryMapICW 10 ipsec-isakmp dynamic CryDynMapICW
!
!
interface Loopback100
 description L2TP Address
 ip address 10.255.0.1 255.255.255.255
!
interface Ethernet0/0
 ip address 1.1.1.1 255.255.255.0
 crypto map CryMapICW
!
interface Virtual-Template100
 ip unnumbered Loopback100
 peer default ip address pool L2TPOOL
 ppp chap hostname cisco
 ppp chap password 0 cisco
!
ip local pool L2TPOOL 5.5.5.1 5.5.5.254
------------------
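As an added example (not part of the original post), a small Python lint that reads an IOS-style config and flags the settings in the hub config above that a reviewer would want to revisit before deploying it: the wildcard pre-shared key, credentials stored as type 0, disabled L2TP tunnel authentication, and the ISAKMP DH group. The config excerpt is constructed from the hub config above; the check list and its wording are mine.

```python
import re

# Constructed excerpt of the hub configuration above (added example, not the post's own tooling).
HUB_CONFIG = """\
username cisco privilege 15 password cisco
crypto keyring RING
  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco
crypto isakmp policy 10
 encr aes 256
 group 5
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp aggressive-mode disable
vpdn-group DailIn-L2TP/IPsec
 no l2tp tunnel authentication
interface Virtual-Template100
 ppp chap password 0 cisco
"""

# (pattern, finding) pairs; each pattern is matched against one whitespace-stripped config line.
CHECKS = [
    (r"^(crypto isakmp key \S+|pre-shared-key) address 0\.0\.0\.0 0\.0\.0\.0",
     "wildcard pre-shared key: any peer address may authenticate with this one key"),
    # Matches 'password <word>' or 'password 0 <word>' (type 0); type 5/7 forms have two tokens and do not match.
    (r"^(username \S+ .*password|ppp (chap|pap sent-username \S+) password)( 0)? \S+$",
     "credential stored as plaintext (type 0) in the running config"),
    (r"^no l2tp tunnel authentication$",
     "L2TP tunnel authentication disabled; only the IPsec SA protects tunnel setup"),
    (r"^group [125]$",
     "ISAKMP DH group below 14 (Cisco NGE guidance lists groups 1, 2 and 5 as to be avoided)"),
]

def lint_config(text):
    """Return a list of (line_number, line, finding) for every config line that trips a check."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comment lines
        for pattern, finding in CHECKS:
            if re.search(pattern, line):
                findings.append((lineno, line, finding))
    return findings

if __name__ == "__main__":
    for lineno, line, finding in lint_config(HUB_CONFIG):
        print(f"line {lineno}: {finding}\n    {line}")
```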