Setting up a Cisco router for terminating Microsoft L2TP IPSec sessions

[Diagram: l2tp_ipsec_dialin]

For this example I used a Cisco 1841 running c1841-advsecurityk9-mz.124-3i.bin

  • The remote user connects to gate's publicly reachable IP with the Microsoft L2TP/IPsec client (Windows 2000 and higher)
  • After successful authentication, the client gets an IP address from the local pool
  • The MS L2TP/IPsec client adds a default route over the new PPP interface (this can be disabled on the client)

Here’s the template for router gate:

aaa new-model
aaa authentication ppp VPDN_AUTH local
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 description VPDN-Gruppe fuer Microsoft L2TP-IPSec-Clients
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keykeykey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set MS_IPSEC esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map MS_DYN_MAP 1
 ! according to Cisco, the next command is what "activates" L2TP over IPsec
 set nat demux
 set transform-set MS_IPSEC
!
crypto map IPSEC_ISAKMP_MAP 6000 ipsec-isakmp dynamic MS_DYN_MAP
!
interface Loopback2
 description Loopback fuer IPSEC-Pool
 ip address 192.168.3.1 255.255.255.255
!
interface xxx
 description Interface mit öffentlich erreichbarer IP
 ip address <IP> <Netzmaske>
 crypto map IPSEC_ISAKMP_MAP
!
interface Virtual-Template2
 ip unnumbered Loopback2
 peer default ip address pool IPSEC_POOL
 ppp encrypt mppe 128 required
 ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool IPSEC_POOL 192.168.3.2 192.168.3.254
!
! DNS and NetBIOS/WINS servers (optional):
async-bootp dns-server 192.168.1.1
async-bootp nbns-server 192.168.1.2
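As an added check, not part of the original post: a small Python script that splits an IOS config like the template above into blocks and flags the settings a reviewer would look at first: the wildcard pre-shared key, the legacy 3DES/MD5/group 2 algorithms, the disabled L2TP tunnel authentication, and a dynamic map that lacks the `set nat demux` the template relies on. The sample config is constructed from the template and the finding codes are my own naming.

```python
# Constructed sample: the gate template above, abridged to the lines the checks look at.
SAMPLE_CONFIG = """\
vpdn-group L2TP
 accept-dialin
  protocol l2tp
 no l2tp tunnel authentication
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keykeykey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MS_IPSEC esp-3des esp-md5-hmac
crypto dynamic-map MS_DYN_MAP 1
 set nat demux
 set transform-set MS_IPSEC
"""

def parse_ios(text):
    """Group an IOS config into (top-level command, [sub-commands]) pairs;
    sub-commands are the indented lines that follow a top-level line."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and '!' comments carry no config
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def audit(text):
    """Return (code, detail) findings for the L2TP/IPsec-relevant blocks."""
    findings = []
    for cmd, subs in parse_ios(text):
        if cmd.startswith("crypto isakmp key") and cmd.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append(("WILDCARD_PSK", "one shared key accepted from any peer address"))
        if cmd.startswith("crypto isakmp policy"):
            weak = [s for s in subs if s in ("encr des", "encr 3des", "group 1", "group 2")]
            if weak:
                findings.append(("LEGACY_IKE", f"{cmd}: {', '.join(weak)}"))
        if cmd.startswith("crypto ipsec transform-set"):
            weak = [w for w in cmd.split() if w in ("esp-des", "esp-3des", "esp-md5-hmac")]
            if weak:
                findings.append(("LEGACY_ESP", f"{cmd.split()[3]}: {', '.join(weak)}"))
        if cmd.startswith("vpdn-group") and "no l2tp tunnel authentication" in subs:
            findings.append(("NO_L2TP_TUNNEL_AUTH", f"{cmd}: L2TP relies on IPsec alone"))
        if cmd.startswith("crypto dynamic-map") and "set nat demux" not in subs:
            findings.append(("MISSING_NAT_DEMUX", f"{cmd}: template expects 'set nat demux'"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the template and it reports the tunnel-authentication, IKE, PSK and ESP findings in that order; a dynamic map without `set nat demux` adds a fifth.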
