[c-nsp] ASR1k client VPN - L2TP over IPSec
Tom Lanyon
tom+c-nsp at oneshoeco.com
Fri Sep 28 12:31:08 EDT 2012
Not strictly NSP related, but does anyone have an example of a working config for L2TP over IPSec on an ASR1K? Specifically I'm trying to get this working for client-initiated VPN on workstations/laptops which are usually behind NAT.
Below is where I'm up to. The IPSec phase 1 & 2 SAs appear to come up, but I don't see any L2TP/VPDN debug messages on the ASR1K from my Mac test machine. Also if there's a simpler way to define the crypto config so that I don't need to apply a map to the loopback, tips would be appreciated!
Regards,
Tom

vpdn enable
vpdn-group l2tp-client-vpn
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key test address 0.0.0.0
!
crypto ipsec transform-set VPNSET-l2tp-users esp-aes 256 esp-sha-hmac
 mode transport
!
crypto dynamic-map VPNMAP-dynamic-users 10
 set transform-set VPNSET-l2tp-users
!
crypto map VPNMAP-l2tp-users 10 ipsec-isakmp dynamic VPNMAP-dynamic-users
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 no ip redirects
 ipv6 address 2001:db8::1/128
 ipv6 enable
 no ipv6 redirects
 crypto map VPNMAP-l2tp-users
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool l2tp-client-vpn-pool
 ppp authentication ms-chap