IPSec to L2VPN Service Model


This chapter describes how to configure the IPSec to L2VPN service model for the Cisco Network-Based IPSec VPN Release 1.5.

Configuring the IPSec to L2VPN Service Model

The IPSec to L2VPN model is very similar to the IPSec to MPLS topology, except the service provider has an L2 core instead of an MPLS core. The L2 core can be Frame Relay, ATM, 802.1q, or wireless.

This configuration enables a Layer 2 service provider to extend secured access service beyond its core into the internet. As in the IPSec to MPLS model, the sessions are terminated on the IPSec Aggregator. Using the Multi-VRF CE feature, users are mapped into an L2 infrastructure.

At an L3 level, the IPSec aggregator connects directly to the customer site that has L2 service. The service provider does not need to address the customer routing issue in its core. The IPSec aggregator and the L2 customer site can use either static routes or a dynamic routing protocol to establish end-to-end connectivity.

Before You Begin

The procedures provided here are specific to configuring IPSec to L2VPN and are based on the following assumptions:

1. That the following setup and configuration tasks have already been completed:

IPSec to L2VPN Configuration Checklist

This section deals with configuring the router to function as the IPSec aggregator.

Procedures for completing each task are described in the sections that follow. If you are viewing this document online, you can click highlighted text to view details on the procedure.

Table 3-1   IPSec to L2VPN Configuration Checklist

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Task 2: Configure the VRFs

Task 3: Enable CEF Switching

Task 4: Configure the Keyring

Task 5: Configure ISAKMP Policy

Task 6: Configure DPD Keepalives

Task 7: Configure Client Group for Local Authorization

Task 8: Configure ISAKMP Profile for VPN Sites

Task 9: Configure Dynamic VRF Association for VPN Sites

Task 10: Configure ISAKMP Profile for VPN Clients

Task 11: Configure Dynamic VRF Association for VPN Clients

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Task 13: Configure the Transform Set for Data Encryption

Task 14: Configure Dynamic Crypto Map and Apply Transform Set

Task 15: Configure ISAKMP Client Profile Reference

Task 16: Configure RRI

Task 17: Configure Static Crypto Map for Sites

Task 18: Configure ISAKMP Site Profile Reference

Task 19: Configure Dynamic Crypto Map for Clients

Task 20: Configure Internet-Facing Interface and Corresponding Crypto Maps

Task 21: Configure Interface for L2VPN

Task 22: Configure Pool to Distribute IP Addresses to VPN Clients

Task 23: Configure Static Routes for Public IP Addresses

Task 24: Configure Static VPN Routes If No IGP Within VPN

Task 25: Configure the Crypto Access List to Define Traffic to be Encrypted

IPSec to L2VPN Configuration Tasks

Typical IPSec to L2VPN configuration tasks are shown below. See IPSec to L2VPN Configuration Sample.

Task 1: Configure Authentication and Authorization Lists for Clients to RADIUS

Step 1   Command: aaa authentication login
         Purpose: Set authentication, authorization, and accounting (AAA) authentication at login.

Step 2   Command: aaa authorization
         Purpose: Set parameters that restrict user access to a network.

Task 2: Configure the VRFs

Step 1   Command: ip vrf
         Purpose: Configure a VPN routing and forwarding (VRF) routing table.

Step 2   Command: rd route-distinguisher
         Purpose: Create routing and forwarding tables for a VRF.

Task 3: Enable CEF Switching

Step 1   Command: ip cef
         Purpose: Enable Cisco Express Forwarding (CEF).

Step 2   Command: tag-switching ip default-route
         Purpose: Enable the distribution of labels associated with the IP default route.

Task 4: Configure the Keyring

Step 1   Command: crypto keyring keyring-name [vrf fvrf]
         Purpose: Configure a new keyring for the shared secret keys to be used during Internet Key Exchange (IKE) authentication.

Step 2   Command: pre-shared-key {address address [mask] | hostname hostname} key key
         Purpose: Configure the addressed preshared key to be used during IKE authentication.

Task 5: Configure ISAKMP Policy

Step 1   Command: crypto isakmp policy priority
         Purpose: Configure an IKE policy.

Step 2   Command: encryption {des | 3des | aes | aes 192 | aes 256}
         Purpose: Specify the encryption algorithm within an IKE policy.

Step 3   Command: authentication {rsa-sig | rsa-encr | pre-share}
         Purpose: Specify the authentication method within an IKE policy.

Task 6: Configure DPD Keepalives

Command: crypto isakmp keepalive secs retries
Purpose: Allow the gateway to send dead peer detection (DPD) messages to the router.

Task 7: Configure Client Group for Local Authorization

Step 1   Command: crypto isakmp client configuration group {group-name | default}
         Purpose: Specify which group's policy profile will be defined.

Step 2   Command: key name
         Purpose: Configure the IKE preshared key for group policy attribute definition.

Step 3   Command: pool (name)
         Purpose: Configure a local pool address.

Task 8: Configure ISAKMP Profile for VPN Sites

Command: crypto isakmp profile profile-name
Purpose: Define an ISAKMP profile for a VPN.

Task 9: Configure Dynamic VRF Association for VPN Sites

Step 1   Command: vrf name
         Purpose: Associate the on-demand address pool with a VPN routing and forwarding instance (VRF) name.

Step 2   Command: keyring keyring-name
         Purpose: Associate a keyring with an ISAKMP profile.

Step 3   Command: match identity address address [mask] [fvrf]
         Purpose: Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 10: Configure ISAKMP Profile for VPN Clients

Command: crypto isakmp profile profile-name
Purpose: Define an ISAKMP profile for a VPN.


Note   You can configure the remote sites to match each peer using sequence numbers in the crypto map definition. You can match the peer on IP address or hostname. The IP address match list for traffic to be encrypted is also defined for each peer. For VPN clients, the dynamic profile defined earlier is used to match the clients.

Task 11: Configure Dynamic VRF Association for VPN Clients

Step 1   Command: vrf name
         Purpose: Associate the on-demand address pool with a VPN VRF name.

Step 2   Command: match identity group group-name
         Purpose: Match an acceptable Phase 1 identity from a peer to a Unity group.

Task 12: Configure XAUTH, Group Authorization, and Mode-Config

Step 1   Command: client authentication list list-name
         Purpose: Configure IKE extended authentication (Xauth) on your router. The list-name must match the list-name defined during AAA configuration.

Step 2   Command: isakmp authorization list list-name
         Purpose: Configure group authorization IKE querying of AAA for tunnel attributes in aggressive mode.

Step 3   Command: client configuration address [initiate | respond]
         Purpose: Configure IKE Mode Configuration (Mode-Config).

Task 13: Configure the Transform Set for Data Encryption

Command: crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
Purpose: Define the transform set.

Task 14: Configure Dynamic Crypto Map and Apply Transform Set

Step 1   Command: crypto dynamic-map dynamic-map-name dynamic-seq-num
         Purpose: Create a dynamic crypto map entry and enter the crypto map configuration command mode.

Step 2   Command: set transform-set transform-set-name
         Purpose: Specify which transform sets can be used with the crypto map entry.

Task 15: Configure ISAKMP Client Profile Reference

Command: set isakmp-profile profile-name
Purpose: Set the ISAKMP profile name for the client.

Task 16: Configure RRI

Command: reverse-route [remote-peer]
Purpose: Create source proxy information for a crypto map entry through RRI.

Task 17: Configure Static Crypto Map for Sites

Step 1   Command: crypto map map-name seq-num [ipsec-isakmp]
         Purpose: Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Step 2   Command: set peer {hostname | ip-address}
         Purpose: Specify an IP Security peer in a crypto map entry.

Step 3   Command: set transform-set transform-set-name
         Purpose: Specify which transform sets can be used with the crypto map entry.

Task 18: Configure ISAKMP Site Profile Reference

Step 1   Command: set isakmp-profile profile-name
         Purpose: Set the ISAKMP profile name reference.

Step 2   Command: match identity address address [mask] [fvrf]
         Purpose: Match an acceptable Phase 1 identity from a peer to a particular ISAKMP profile.

Task 19: Configure Dynamic Crypto Map for Clients

Command: crypto map map-name seq-num [ipsec-isakmp]
Purpose: Create a crypto map entry that uses IKE to establish the IPSec SAs for protecting the traffic specified by this crypto map entry.

Task 20: Configure Internet-Facing Interface and Corresponding Crypto Maps

Step 1   Command: interface type
         Purpose: Configure a loopback interface (emulates an interface that is always up).

Step 2   Command: ip address ip-address mask
         Purpose: Set an IP address for an interface.

Step 3   Command: encapsulation dot1q vlan-id [native]
         Purpose: Enable IEEE 802.1Q encapsulation of traffic on a specified subinterface in a virtual LAN (VLAN).

Step 4   Command: crypto map map-name
         Purpose: Apply a previously defined crypto map set to an interface.


Note   Each interface services one VPN as the IPSec tunnel endpoint for both the sites and clients.

Task 21: Configure Interface for L2VPN

Step 1   Command: interface type slot/port.subinterface-number [multipoint | point-to-point]
         Purpose: Configure an interface type and enter interface configuration mode.

Step 2   Command: ip vrf forwarding vrf-name
         Purpose: Associate a VRF instance with an interface or subinterface.

Step 3   Command: ip address ip-address mask
         Purpose: Set an IP address for an interface.

Step 4   Command: pvc [name] vpi/vci [ces | ilmi | qsaal | smds]
         Purpose: Create an ATM permanent virtual circuit (PVC).

Task 22: Configure Pool to Distribute IP Addresses to VPN Clients

Command: ip local pool {default | pool-name low-ip-address [high-ip-address]}
Purpose: Configure a local pool of IP addresses to be used when a remote peer connects to a point-to-point interface.

Task 23: Configure Static Routes for Public IP Addresses

Command: ip route network-number network-mask {ip-address | interface-name} [distance] [name name]
Purpose: Establish static routes and define the next hop for large-scale dial-out.

Task 24: Configure Static VPN Routes If No IGP Within VPN

Command: ip route vrf vrf-name prefix mask [next-hop-address] [interface {interface-number}] [global] [distance] [permanent] [tag tag]
Purpose: Establish static routes for a VRF instance.

Task 25: Configure the Crypto Access List to Define Traffic to be Encrypted

Command: access-list access-list-number {deny | permit} source [source-wildcard] [log]
Purpose: Configure a standard IP access list.

IPSec to L2VPN Configuration Sample

Figure 3-1 illustrates the following IPSec to MPLS configuration.


Figure 3-1   IPSec to L2VPN Configuration
pe1#sh run
Building configuration...
Current configuration : 3874 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pe1
enable password cisco
!
username cisco password 0 cisco
aaa new-model

Step 1   Configure authentication and authorization list for clients to RADIUS.

aaa authentication login localist local
aaa authorization network localist local
aaa session-id common
ip subnet-zero
no ip domain lookup

Step 2   Configure VRFs.

ip vrf vpn1
rd 100:1

Step 3   Enable CEF switching.

ip cef
tag-switching ip default-route

Step 4   Configure Keyring.

crypto keyring vpn1
pre-shared-key address 20.1.1.1 key cisco123
pre-shared-key address 40.1.1.2 key cisco123

Step 5   Configure ISAKMP policy.

crypto isakmp policy 1
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share

Step 6   Configure DPD keepalives.

crypto isakmp keepalive 30
crypto isakmp xauth timeout 30

Step 7   Configure client group for local authorization.

crypto isakmp client configuration group ezvpn
key cisco123
pool hw-pool

Step 8   Configure ISAKMP profile for VPN sites.

crypto isakmp profile vpn1

Step 9   Configure dynamic VRF association.

vrf vpn1
keyring vpn1
match identity address 20.1.1.1 255.255.255.255
match identity address 40.1.1.2 255.255.255.255

Step 10   Configure ISAKMP profile for VPN clients.

crypto isakmp profile vpn1-ez

Step 11   Configure dynamic VRF association.

vrf vpn1
match identity group ezvpn

Step 12   Configure XAUTH, group authorization, and mode-config.

client authentication list localist
isakmp authorization list localist
client configuration address respond

Step 13   Configure the transform set.

crypto ipsec transform-set tset1 esp-3des esp-sha-hmac
!

Step 14   Configure dynamic crypto map.

crypto dynamic-map dyna 1
set security-association idle-time 3600
set transform-set tset1

Step 15   Configure ISAKMP client profile reference.

set isakmp-profile vpn1-ez

Step 16   Configure RRI.

reverse-route

Step 17   Configure static crypto map for a site.

crypto map vpn 10 ipsec-isakmp
set peer 20.1.1.1
set transform-set tset1

Step 18   Configure ISAKMP site profile reference.

set isakmp-profile vpn1
match address 101

Step 19   Configure dynamic crypto map for clients.

crypto map vpn 1000 ipsec-isakmp dynamic dyna
!
interface FastEthernet2/0
no ip address
duplex auto
speed auto

Step 20   Configure Internet-facing interface and corresponding crypto maps.

interface FastEthernet2/0.1
encapsulation dot1Q 10
ip address 30.1.1.2 255.255.255.0
crypto map vpn
!
interface ATM6/0
no ip address
no atm ilmi-keepalive

Step 21   Configure the interface for L2VPN.

interface ATM6/0.1 point-to-point
ip vrf forwarding vpn1
ip address 125.1.30.1 255.255.255.252
pvc 0/100

Step 22   Configure the pool to distribute IP addresses to VPN clients.

ip local pool hw-pool 192.168.1.1 192.168.1.254
ip classless

Step 23   Configure static routes for public IP addresses.

ip route 0.0.0.0 0.0.0.0 FastEthernet2/0.1 30.1.1.1

Step 24   Configure static VPN routes if not using an IGP within the VPN.

ip route vrf vpn1 101.1.1.0 255.255.255.0 30.1.1.1 global
ip route vrf vpn1 101.1.2.0 255.255.255.0 125.1.10.2
no ip http server
no ip http secure-server

Step 25   Configure the crypto access list to define traffic to be encrypted.

access-list 101 permit ip 101.1.2.0 0.0.0.255 101.1.1.0 0.0.0.255




Note   You can run VRF-aware routing protocols like EBGP, RIP, STATIC and OSPF between the routers.
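
The tasks above are tied together by names (AAA lists, VRF, keyring, client group, ISAKMP profiles, transform set, dynamic map, address pool), and a reference to a name that was never defined is easy to miss by eye. The following Python check is an added example, not part of the Cisco document; `SAMPLE`, `RULES` and `dangling` are hypothetical names, and it assumes sub-commands carry the leading space that show running-config prints.

```python
import re

# Constructed excerpt of the sample configuration above, indented the way
# "show running-config" prints sub-commands. "locallist" is a deliberate typo.
SAMPLE = """\
aaa authentication login localist local
aaa authorization network localist local
ip vrf vpn1
crypto keyring vpn1
crypto isakmp client configuration group ezvpn
 pool hw-pool
crypto isakmp profile vpn1
 vrf vpn1
 keyring vpn1
crypto isakmp profile vpn1-ez
 match identity group ezvpn
 client authentication list locallist
 isakmp authorization list localist
crypto ipsec transform-set tset1 esp-3des esp-sha-hmac
crypto dynamic-map dyna 1
 set transform-set tset1
 set isakmp-profile vpn1-ez
crypto map vpn 10 ipsec-isakmp
 set isakmp-profile vpn1
crypto map vpn 1000 ipsec-isakmp dynamic dyna
ip local pool hw-pool 192.168.1.1 192.168.1.254
"""

# kind: (pattern that defines a name, pattern that refers to it)
RULES = {
    "aaa login list": (r"^aaa authentication login (\S+)", r"^ +client authentication list (\S+)"),
    "aaa network list": (r"^aaa authorization network (\S+)", r"^ +isakmp authorization list (\S+)"),
    "vrf": (r"^ip vrf (\S+)", r"^ +(?:ip vrf forwarding|vrf) (\S+)"),
    "keyring": (r"^crypto keyring (\S+)", r"^ +keyring (\S+)"),
    "client group": (r"^crypto isakmp client configuration group (\S+)", r"^ +match identity group (\S+)"),
    "isakmp profile": (r"^crypto isakmp profile (\S+)", r"^ +set isakmp-profile (\S+)"),
    "transform set": (r"^crypto ipsec transform-set (\S+)", r"^ +set transform-set (\S+)"),
    "dynamic map": (r"^crypto dynamic-map (\S+)", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    "address pool": (r"^ip local pool (\S+)", r"^ +pool (\S+)"),
}

def dangling(config):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    names = lambda pattern: set(re.findall(pattern, config, re.M))
    return sorted((kind, name) for kind, (define, refer) in RULES.items()
                  for name in names(refer) - names(define))

if __name__ == "__main__":
    print(dangling(SAMPLE))
```

Only the first transform set named on a `set transform-set` line is checked.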


Posted: Tue May 20 12:27:16 PDT 2003
All contents are Copyright © 1992-2003 Cisco Systems, Inc. All rights reserved.