Downloads |
Table Of Contents
Configuring Additional VPDN Features
Information About Configuring Additional VPDN Features
L2TP Security for the Protection of VPDN Tunnels
MTU Tuning for L2TP VPDN Tunnels
MTU Tuning Using IP MTU Adjustments
MTU Tuning Using Path MTU Discovery
MTU Tuning Using TCP MSS Advertising
MTU Tuning Using PPP MRU Advertising
QoS Classification Preservation
IP Precedence for VPDN Tunnels
ToS Classification for VPDN Tunnels
How to Configure Additional VPDN Features
Configuring a Dial-Out L2TP VPDN
L2TP Dial-Out Connection Establishment
L2TP Dial-Out Load Balancing and Redundancy
Prerequisites for Configuring a Dial-Out L2TP VPDN
Restrictions for Configuring a Dial-Out L2TP VPDN
Configuring the Tunnel Server to Request Dial-Out
Configuring the Dialer on the Tunnel Server
Configuring the NAS to Accept Dial-Out
Configuring the Dialer on the NAS
Configuring L2TP Security for VPDN Tunnels
L2TP Security with NAS-Initiated VPDN Tunnels
L2TP Security with Client-Initiated VPDN Tunnels
Prerequisites for L2TP Security
Configuring IPSec Protection of an L2TP Tunnel
Verifying IPSec Protection of L2TP VPDN Tunnels
Verifying Establishment of the Crypto Socket
Verifying the Crypto Map Configuration
Verifying Encryption and Decryption of L2TP Packets
Associating a VPDN Group with a VPDN Template
Disassociating a VPDN Group from the VPDN Template
Configuring the VPDN Source IP Address
Configuring the Global VPDN Source IP Address
Configuring the Source IP Address for a VPDN Group
Configuring VRF-Aware VPDN Tunneling
Configuring VRF-Aware VPDN Tunneling Locally
Configuring VRF-Aware VPDN Tunneling on the Remote RADIUS AAA Server
Performing MTU Tuning for L2TP VPDNs
Manually Configuring the IP MTU for VPDN Deployments
Enabling Automatic Adjustment of the IP MTU for VPDN Deployments
Enabling Path MTU Discovery for VPDNs
Manually Configuring the Advertised TCP MSS
Configuring QoS Packet Classifications for VPDNs
Configuring Preservation of QoS Classifications in the ToS Byte
Manually Configuring the IP Precedence for VPDNs
Manually Configuring the ToS for VPDN Sessions
Configuration Examples for Additional VPDN Features
Configuring a Basic Dial-Out VPDN: Examples
Configuring L2TP Dial-Out Load Balancing: Example
Configuring L2TP Dial-Out Failover Redundancy: Example
L2TP Dial-Out Failover Redundancy with Tunnel Timers: Example
Configuring IPSec Protection of a NAS-Initiated L2TP Tunnel: Example
Configuring IPSec Protection of a Client-Initiated L2TP Tunnel: Example
Configuring a Global VPDN Template: Example
Configuring a Named VPDN Template: Example
Disassociating a VPDN Group from the VPDN Template: Example
Configuring a Global VPDN Source IP Address: Example
Configuring a Source IP Address for a VPDN Group: Example
Configuring VRF-Aware VPDN Tunnels Locally: Example
Configuring VRF-Aware VPDN Tunnels on the Remote RADIUS AAA Server: Examples
Manually Configuring the IP MTU for VPDN Deployments: Example
Enabling Automatic Adjustment of the IP MTU for VPDN Deployments: Example
Enabling Path MTU Discovery for VPDNs: Example
Manually Configuring the Advertised TCP MSS: Example
Configuring MRU Advertising: Example
Configuring Preservation of QoS Classifications in the ToS Byte: Example
Manually Configuring the IP Precedence for VPDNs: Example
Manually Configuring the ToS for VPDN Sessions: Example
Feature Information for Additional VPDN Features
Configuring Additional VPDN Features
This module documents concepts and tasks associated with configuring the following additional virtual private dialup network (VPDN) features:
•
The following optional feature can be configured in isolation, or in combination with a dial-in VPDN deployment:
–
•
–
–
–
–
–
–
All of the tasks documented in this module require that tasks documented elsewhere in the Cisco IOS VPDN Configuration Guide have first been completed.
Module History
This module was first published on October 31, 2005, and last updated on May 10, 2006.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all features. To find information about feature support and configuration, use the "Feature Information for Additional VPDN Features" section.
Contents
•
•
•
•
Information About Configuring Additional VPDN Features
This section contains information about the following additional VPDN features:
•
•
L2TP Dial-Out VPDNs
Dial-out VPDN configurations allow the tunnel server to tunnel outbound calls to the network access server (NAS). The NAS must establish a connection with the remote destination using a medium that supports PPP. Dial-out VPDNs allow a centralized network to efficiently and inexpensively establish virtual point-to-point connections with any number of remote offices.
Dial-out VPDNs are supported with only Layer 2 Tunnel Protocol (L2TP). Cisco routers can carry both dial-in and dial-out calls in the same L2TP tunnel.
Figure 23 shows a basic L2TP dial-out scenario.
Figure 23
Dial-Out VPDN Scenario
In an L2TP dial-out deployment, the tunnel server receives PPP packets from it's local network to send to a remote network or device. The tunnel server initiates establishment of an L2TP tunnel with the NAS, and the NAS terminates the tunnel. The NAS must then establish a connection to the client.
L2TP Security for the Protection of VPDN Tunnels
L2TP security provides enhanced security for tunneled PPP frames by allowing the robust security features of IP Security (IPSec) to protect the L2TP VPDN tunnel and the PPP sessions within the tunnel. Without L2TP security, only a one-time, optional mutual authentication is performed during tunnel setup, with no authentication of subsequent data packets or control messages.
The deployment of Microsoft Windows 2000 demands the integration of IPSec with L2TP because this is the default VPDN networking scenario. This integration of protocols is also used for LAN-to-LAN VPDN connections in Microsoft Windows 2000. L2TP security provides integration of IPSec with L2TP in a solution that is scalable to large networks with minimal configuration.
The enhanced protection provided by L2TP security increases the integrity and confidentiality of tunneled PPP sessions within a standardized, well-deployed Layer 2 tunneling solution. The security features of IPSec and Internet Key Exchange (IKE) include confidentiality, integrity checking, replay protection, authentication, and key management. Traditional routing protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Interior Gateway Routing Protocol (IGRP) will run transparently because a real PPP interface is associated with the secure tunnel. Additional benefits include built in keepalives and standardized interfaces for user authentication and accounting to authentication, authorization, and accounting (AAA) servers, interface statistics, standardized MIBs, and multiprotocol support.
VPDN Template
Beginning in Cisco IOS Release 12.2(8)T, a VPDN template can be configured with global default values that will supersede the system default values. These global default values are applied to all VPDN groups, unless specific values are configured for individual VPDN groups.
Beginning in Cisco IOS Release 12.2(13)T and Cisco IOS Release 12.2(28)SB, multiple named VPDN templates can be configured in addition to a single global (unnamed) VPDN template. A VPDN group can be associated with only one VPDN template.
Values configured in the global VPDN template are applied to all VPDN groups by default. A VPDN group can be disassociated from the global VPDN template, or associated with a named VPDN template. Associating a VPDN group with a named VPDN template automatically disassociates it from the global VPDN template.
The default hierarchy for the application of VPDN parameters to a VPDN group is as follows:
•
•
•
Individual VPDN groups can be disassociated from the associated VPDN template if desired, allowing the system default settings to be used for any parameters not configured in that individual VPDN group.
VPDN Source IP Address
A tunnel endpoint can be configured with a source IP address that is different from the IP address used to open the VPDN tunnel. When a source IP address is configured on a tunnel endpoint, the router will generate VPDN packets labeled with the configured source IP address. A source IP address may need to be configured if the tunnel endpoints are managed by different companies and addressing requirements necessitate that a particular IP address be used.
The source IP address can be configured globally, or for an individual VPDN group. The VPDN group configuration will take precedence over the global configuration.
VRF-Aware VPDN Tunnels
Prior to Cisco IOS Release 12.2(15)T or Cisco IOS Release 12.2(28)SB, you had to specify IP addresses from the global routing table for the endpoints of a VPDN tunnel. VRF-aware VPDN tunnels provide support for VPDN tunnels that terminate on a virtual private network (VPN) routing and forwarding instance (VRF) by allowing you to use IP addresses from a VRF routing table.
VRF-aware VPDN tunnels enhance the support of VPDN tunnels by allowing VPDN tunnels to start outside a Multiprotocol Label Switching (MPLS) VPN and terminate within the MPLS VPN. For example, this feature allows you to use a VRF address from a customer VRF as the destination address.
You can use VRF-aware VPDN tunnels with multihop, dial-in, and dial-out VPDN tunneling scenarios. In a multihop scenario, this feature is sometimes referred to as VRF-aware VPDN multihop.
MTU Tuning for L2TP VPDN Tunnels
Fragmentation and reassembly of packets is done at the process level in Cisco IOS software. When a tunnel server is aggregating large numbers of sessions and traffic flows, process switching can dramatically reduce performance. For this reason, it is highly desirable to reduce or eliminate the need for packet fragmentation and reassembly in a VPDN deployment, and instead move the burden of any required packet reassembly to the client devices.
Packets are fragmented when they attempt to pass through an egress interface with a maximum transmission unit (MTU) that is smaller than the size of the packet. By default, the MTU of most interface is 1500 bytes. Because of this default MTU size, TCP segments are created with a default payload of 1460 bytes, allowing room for the 40 byte TCP/IP header. Because L2TP encapsulation adds 40 bytes of header information, tunneled packets will exceed the MTU of an interface if MTU tuning is not performed.
In order to reach its final destination, a packet may traverse multiple egress interfaces. The path MTU is defined as the smallest MTU of all of the interfaces that the packet must pass through.
A number of different methods are available to perform MTU tuning. Their end goal is to prevent fragmentation of packets after they have been encapsulated for tunneling. These methods take advantage of distinct mechanisms to accomplish this, as described in the following sections:
•
•
•
•
MTU Tuning Using IP MTU Adjustments
The IP MTU configuration controls the maximum size of a packet allowed to be encapsulated by a Layer 2 protocol. The IP MTU of an interface can be manually lowered to compensate for the size of the L2TP header if the path MTU is known.
A router can also be configured to automatically adjust the IP MTU of an interface to compensate for the size of the L2TP header. The automatic adjustment corrects for the size of the L2TP header based on the MTU of the egress interface of that device. This configuration is effective only in preventing fragmentation when the MTU of that interface is the same as the path MTU.
MTU Tuning Using Path MTU Discovery
If the path MTU between the NAS and the tunnel server is unknown, or if it changes, path MTU discovery (PMTUD) can be used to perform MTU tuning. PMTUD, introduced in Cisco IOS Release 12.2(4)T, uses the Don't Fragment (DF) bit in the IP header to dynamically discover the smallest MTU among all the interfaces along a routing path.
The source host initially assumes that the path MTU is the known MTU of the first egress interface, and sends all packets on that path with the DF bit in the IP header set. If any of the packets are too large to be forwarded without fragmentation by the interface of a device along the path, that device will discard the packet and return an Internet Control Message Protocol (ICMP) Destination Unreachable message to the source host. The ICMP Destination Unreachable message includes code 4, which means "fragmentation needed and DF set," and indicates the IP MTU of the interface that was unable to forward the packet without fragmentation. This information allows the source host to reduce the size of the packet before retransmission to allow it to fit through that interface.
Enabling PMTUD makes VPDN deployments vulnerable to Denial of Service (DoS) attacks that use crafted ICMP messages to set a connection's path MTU to an impractically low value. This will cause higher layer protocols to time out because of a very low throughput, even though the connection is still in the established state. This type of attack is classified as a throughput-reduction attack. For more information on throughput-reduction attacks against L2TP VPDN deployments, see the Security Advisory Crafted ICMP Messages Can Cause Denial of Service.
To protect against a throughput-reduction attack, a range of acceptable values for the path MTU can be specified. If the device receives an ICMP code 4 message that advertises a next-hop path MTU that falls outside the configured size range, the device will ignore the message.
PMTUD can be unreliable, and may fail when performed over the Internet because some routers or firewalls are configured to filter out all ICMP messages. When the source host does not receive an ICMP destination unreachable message from a device that is unable to forward a packet without fragmentation, it will not know to reduce the packet size. The source host will continue to retransmit the same large packet. Because the DF bit is set, these packets will be continually dropped because they exceed the path MTU, and the connection will stop responding.
MTU Tuning Using TCP MSS Advertising
Because PMTUD can be unreliable, an alternate method of performing MTU tuning was introduced in Cisco IOS 12.2(4)T. This method of MTU tuning takes advantage of TCP Maximum Segment Size (MSS) advertisements in the incoming and outgoing synchronize (SYN) packets sent by the end hosts.
The TCP MSS defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.
If you configure a lower TCP MSS than the usual default of 1460, the size of TCP segments will be reduced to compensate for the information added by the L2TP header.
MTU Tuning Using PPP MRU Advertising
Another option for reducing fragmentation in an L2TP VPDN network requires that Maximum Receive Unit (MRU) negotiation is supported by the PPP client. One known client which supports MRU negotiations is the Windows XP PPP client. Unfortunately, other commonly deployed PPP clients do not adhere to the advertised PPP MRU as they should. Refer to the PPP client documentation to determine if your PPP client properly responds to the advertised PPP MRU.
PPP MRU allows a peer to advertise its maximum receive unit, which is derived from the MTU configuration on the virtual template interface. A device will not process a PPP frame with a payload larger than its advertised MRU. The Cisco PPP implementation uses the MTU of the interface as the advertised MRU value during PPP negotiations.
The MTU of a virtual template interface can be manually lowered to compensate for the size of the L2TP header. If the PPP peer listens to the MRU advertised during PPP negotiation, it will adjust its MTU (and indirectly its IP MTU) for that PPP link. This in turn will modify the TCP MSS that the peer advertises when opening up TCP connections.
Because the default MTU for an interface is 1500 bytes, the default MRU is 1500 bytes. Setting the MTU of an interface to 1460 changes the advertised MRU to 1460. This configuration would tell the peer to allow room for a 40-byte L2TP header.
One issue with lowering the MTU on the virtual-template interface is that the IP MTU is automatically lowered as well. It is not possible to configure an IP MTU greater than the MTU on a virtual template interface. This can be an issue if there is a mixture of peer devices that do and do not adjust their MTU based on the advertised MRU. The clients that are unable to listen to MRU advertisements and adjust accordingly will continue to send full-sized packets to the peer. Packets that are larger than the lowered IP MTU, yet smaller than the normal default IP MTU, will be forced to fragment. For example, an L2TP packet that is 1490 bytes would normally be transmitted without fragmentation. If the MTU has been lowered to 1460 bytes, this packet will be unnecessarily fragmented. In this situation, it would be optimal to advertise a lower MRU to those clients that are capable of listening and adjusting, yet still allow full-sized packets for those clients that are unable to adjust.
Clients that ignore the advertised MRU may experience the PMTUD problems described in the "MTU Tuning Using IP MTU Adjustments" section. PMTUD can be turned off by clearing the DF bit on the inner IP packet.
QoS for VPDN Tunnels
Quality of service (QoS) packet classification features provide the capability to partition network traffic into multiple priority levels or classes of service. Packet classifications provide the information required to coordinate QoS from end to end within and between networks. Packet classifications are used by other QoS features to assign the appropriate traffic handling policies, including congestion management, bandwidth allocation, and delay bounds for each traffic class.
For further information on QoS and traffic handling policies, refer to the Cisco IOS Quality of Service Solutions Configuration Guide, Release 12.4.
Packets can be marked for end-to-end QoS using the type of service (ToS) byte in the IP header. The first three bits of the ToS byte are used for IP precedence settings. Four of the remaining five bits are used to set the ToS. The remaining bit of the ToS byte is unassigned.
In a VPDN deployment, IP packets may be classified by an external source such as the customer network or a downstream client. By default, a tunnel endpoint will set the ToS byte in the Layer 2 header to zero, specifying normal service. Depending on the VPDN deployment, you may choose to configure your VPDN network to do one of the following in regard to QoS classifications:
•
•
•
The following sections provide additional information on QoS options for VPDN deployments:
•
•
•
QoS Classification Preservation
When Layer 2 packets are created the ToS byte value is set to zero by default, indicating normal service. This setting ignores the values of the ToS byte of the encapsulated IP packets that are being tunneled. The tunnel server can be configured to copy the contents of the ToS field of the inner IP packets to the ToS byte of the Layer 2 header. Copying the ToS field from the IP header to the Layer 2 header preserves end-to-end QoS for tunneled packets.
IP Precedence for VPDN Tunnels
IP precedence settings mark the class of service (CoS) for a packet. The three precedence bits in the ToS field of the IP header can be used to define up to six classes of service. If you choose to manually configure a specific IP precedence value for Layer 2 packets, QoS will not be preserved end-to-end across the tunnel.
ToS Classification for VPDN Tunnels
The ToS bits mark the ToS classification for a packet. Each of the four bits controls a particular aspect of the ToS—reliability, throughput, delay, and cost. If you choose to manually configure a specific ToS value for Layer 2 packets, QoS will not be preserved end-to-end across the tunnel.
How to Configure Additional VPDN Features
This section contains the following configuration tasks, which may be configured in any order:
•
•
•
•
•
•
•
•
•
•
Configuring a Dial-Out L2TP VPDN
Configuring a dial-out VPDN enables a tunnel server to send outbound calls over a VPDN tunnel using L2TP as the tunneling protocol. Dial-out VPDN configuration allows a centralized network to efficiently and inexpensively establish a virtual point-to-point connection with any number of remote offices.
Cisco routers can carry both dial-in and dial-out calls in the same L2TP tunnels.
The following sections contain additional information about L2TP dial-out configurations:
•
•
•
•
The following tasks must be completed to configure a dial-out L2TP VPDN:
•
•
•
•
L2TP Dial-Out Connection Establishment
Figure 24 shows the steps involved in establishing a dial-out connection for a typical dial-out scenario.
Figure 24
L2TP Dial-Out Process
The following sequence of events occurs during session establishment, and is keyed to Figure 24:
1.
The dialer issues a dial call request to the VPDN group, and the tunnel server creates a virtual access interface. If the dialer is a dialer profile, this interface becomes a member of the dial pool. If the dialer is DDR, the interface becomes a member of the rotary group.
The VPDN group creates a VPDN session for this connection and sets it in the pending state.
2.
3.
If the resource is available, the NAS responds to the tunnel server with an Outgoing Call Reply (OCRP) packet. If the resource is not available, the NAS responds with a Call Disconnect Notification (CDN) packet, and the session is terminated.
4.
5.
6.
7.
If the dialer interface is a DDR and a virtual profile is configured, the PPP endpoint is the tunnel server virtual access interface, not the dialer. All Layer 3 routes point to this interface instead of to the dialer.
L2TP Dial-Out Load Balancing and Redundancy
In Cisco IOS software prior to Release 12.2(15)T or 12.2(28)SB, load balancing and redundancy for dial-out VPDNs could be configured only with L2TP large-scale dial-out (LSDO) using Stack Group Bidding Protocol (SGBP). This method of load balancing and redundancy requires that the primary NAS is up and running for dial-out to take place, because the IP address of only that NAS is configured on the tunnel server. When the primary NAS is down, no dial-out can take place. When the primary NAS is up, the NAS determines among itself and the secondary NASs which NAS has the least congestion, and then inform the tunnel server to use the selected NAS for dial-out. Because the tunnel server cannot contact any other NASs when the primary NAS is down, failover is not supported for dial-out calls by this mechanism. For more information about configuring LSDO, refer to the chapter "Configuring Large-Scale Dial-Out" in the Cisco IOS Dial Technologies Configuration Guide, Release 12.4.
The ability to configure a tunnel server with the IP addresses of multiple NASs was introduced in Cisco IOS Release 12.2(15)T and Cisco IOS Release 12.2(28)SB. Load balancing, redundancy, and failover can all be controlled by assigning each NAS the desired priority settings on the tunnel server. Load balancing occurs between NASs with identical priority settings. When NASs are assigned different priority settings, if the NAS with the highest priority goes down the tunnel server will fail over to a lower priority NAS.
Prerequisites for Configuring a Dial-Out L2TP VPDN
Before performing these tasks, you should configure the required tasks in the "Configuring AAA for VPDNs" module.
Restrictions for Configuring a Dial-Out L2TP VPDN
•
•
•
•
Configuring the Tunnel Server to Request Dial-Out
The tunnel server must be configured to request the establishment of a VPDN tunnel with the NAS when it is directed to tunnel outbound PPP data. The VPDN group is linked to the dialer profile by the dialer pool number.
Perform this task to configure the tunnel server to request the establishment of a dial-out VPDN tunnel and to specify the dialer rotary group or dialer pool that may issue dial requests to the VPDN group.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Step 1
enable
Example:Router> enable
Enables privileged EXEC mode.
•
Step 2
configure terminal
Example:Router# configure terminal
Enters global configuration mode.
Step 3
Router(config)# vpdn-group 1
Creates a VPDN group and enters VPDN group configuration mode.
Step 4
Router(config-vpdn)# description myvpdngroup
(Optional) Adds a description to a VPDN group.
Step 5
request-dialout
Example:Router(config-vpdn)# request-dialout
Creates a request dial-out VPDN subgroup that configures a tunnel server to request the establishment of dial-out L2TP tunnels to a NAS and enters request dial-out VPDN subgroup configuration mode.
Step 6
protocol l2tp
Example:Router(config-vpdn-req-ou)# protocol l2tp
Specifies L2TP as the Layer 2 protocol that the VPDN group will use.
Step 7
pool-member pool-number
Example:Router(config-vpdn-req-ou)# pool-member 1
Assigns a request-dialout VPDN group to a dialer pool.
Step 8
exit
Example:Router(config-vpdn-req-ou)# exit
Exits request dial-out VPDN subgroup configuration mode.
Step 9
initiate-to ip ip-address [limit limit-number] [priority priority-number]
Example:Router(config-vpdn)# initiate-to ip 10.0.58.201 limit 5 priority 1
Specifies the IP address that will be used for Layer 2 tunneling.
•
–
–
Note
What to Do Next
•
•
Configuring the Dialer on the Tunnel Server
A request to tunnel outbound data from the tunnel server must be associated with a dialer profile.
Perform this task to configure the dialer profile on the tunnel server. A dialer profile must be configured for each dial-out destination.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
What to Do Next
You must perform the task in the "Configuring the NAS to Accept Dial-Out" section.
Configuring the NAS to Accept Dial-Out
The NAS must be configured to accept outbound tunnels from the tunnel server, and to initiate PPP calls to the destination client. Outbound calls will be placed using the dialer interface specified in the VPDN group configuration.
Perform this task to configure the NAS to accept tunneled dial-out connections from the tunnel server. If multiple NASs are configured on the tunnel server, perform this task on each NAS.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
What to Do Next
You must perform the task in the "Configuring the Dialer on the NAS" section.
Configuring the Dialer on the NAS
When the NAS receives outbound data from the tunnel server, it must initiate a PPP call to the destination client. The dialer used to initiate calls is specified in the VPDN group configuration, and must match the dialer rotary group number.
Perform this task to configure the dialer on the NAS for dial-out VPDN.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
What to Do Next
You may perform any of the relevant optional tasks in this module or the "VPDN Tunnel Management" module.
Configuring L2TP Security for VPDN Tunnels
L2TP security provides enhanced security for tunneled PPP frames between the NAS and the tunnel server, increasing the integrity and confidentiality of tunneled PPP sessions within a standardized, well-deployed Layer 2 tunneling solution. The security features of IPSec and IKE include confidentiality, integrity checking, replay protection, authentication, and key management. Additional benefits include built-in keepalives and standardized interfaces for user authentication and accounting to AAA servers, interface statistics, standardized MIBs, and multiprotocol support.
L2TP security can be configured for both NAS-initiated L2TP tunneling scenarios and client-initiated L2TP tunneling scenarios.
The following sections contain additional information about L2TP security:
•
•
•
To configure L2TP security for VPDN tunnels, perform the following tasks:
•
•
L2TP Security with NAS-Initiated VPDN Tunnels
L2TP security can be configured to protect VPDN tunnels between the NAS and the tunnel server in NAS-initiated VPDN deployments. A NAS-initiated tunneling scenario with L2TP security protection is depicted in Figure 25.
Figure 25 L2TP Security for a NAS-Initiated Tunneling
Scenario
The client connects to the NAS through a medium that supports PPP, such as a dialup modem, digital subscriber line (DSL), ISDN, or a cable modem. If the connection from the client to the NAS is considered secure—such as a modem, ISDN, or a DSL connection—the client may choose not to provide additional security. The PPP session is securely tunneled from the NAS to the tunnel server without any required knowledge or interaction by the client. L2TP security protects the L2TP tunnel between the NAS and the tunnel server with IPSec.
L2TP Security with Client-Initiated VPDN Tunnels
L2TP security can be configured to protect VPDN tunnels between the client and the tunnel server in client-initiated VPDN deployments. A client-initiated tunneling scenario with L2TP security protection is depicted in Figure 26.
Figure 26 L2TP Security for a Client-Initiated
Tunneling Scenario
The client initiates an L2TP tunnel to the tunnel server without the intermediate NAS participating in tunnel negotiation or establishment. The client must manage the software that initiates the tunnel. Microsoft Windows 2000 supports this VPDN scenario. In this scenario, extended services processor (ESP) with authentication must always be used. L2TP security protects the L2TP tunnel between the client and the tunnel server with IPSec.
Prerequisites for L2TP Security
•
•
•
NAS-Initiated Tunnels
•
Client-Initiated Tunnels
•
•
•
Configuring IPSec Protection of an L2TP Tunnel
Perform this task to configure IPSec protection of an L2TP tunnel:
•
•
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
What to Do Next
You must perform the task in the "Creating the Security Profile" section.
Creating the Security Profile
A security profile must be configured to provide IPSec protection of L2TP tunnels. Perform this task to create the security profile:
•
•
Prerequisites
To create an IKE policy and a crypto profile configuration associated with the VPDN group, you must first configure phase 1 Internet Security Association and Key Management Protocol (ISAKMP) policy and an IPSec transform set. For information on configuring phase 1 ISAKMP policies and IPSec transform sets, refer to the Cisco IOS Security Configuration Guide, Release 12.4.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
