[c-nsp] ASR1k client VPN - L2TP over IPSec

Tom Lanyon tom+c-nsp at oneshoeco.com
Fri Sep 28 12:31:08 EDT 2012


Not strictly NSP related, but does anyone have an example of a working config for L2TP over IPSec on an ASR1K?  Specifically I'm trying to get this working for client-initiated VPN on workstations/laptops which are usually behind NAT.

Below is where I'm up to.  The IPSec phase 1 & 2 SAs appear to come up, but I don't see any L2TP/VPDN debug messages on the ASR1K from my Mac test machine.  Also if there's a simpler way to define the crypto config so that I don't need to apply a map to the loopback, tips would be appreciated!

Regards,
Tom


vpdn enable
vpdn-group l2tp-client-vpn
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! The built-in Windows/OS X clients do not perform L2TP tunnel
 ! authentication, and IOS requires it by default, so turn it off here
 no l2tp tunnel authentication
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
! Wildcard pre-shared key: any source address may use it, so the PPP
! user authentication below is the real access control for this VPN
crypto isakmp key test address 0.0.0.0
!
! Transport mode is what L2TP/IPsec clients negotiate (the L2TP UDP/1701
! packet is the protected payload; NAT-T wraps ESP in UDP/4500 behind NAT)
crypto ipsec transform-set VPNSET-l2tp-users esp-aes 256 esp-sha-hmac
 mode transport
!
crypto dynamic-map VPNMAP-dynamic-users 10
 set transform-set VPNSET-l2tp-users
!
crypto map VPNMAP-l2tp-users 10 ipsec-isakmp dynamic VPNMAP-dynamic-users
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
 no ip redirects
 ipv6 address 2001:db8::1/128
 ipv6 enable
 no ipv6 redirects
 crypto map VPNMAP-l2tp-users
!
interface Virtual-Template1
 ip unnumbered Loopback0
 ! l2tp-client-vpn-pool must be defined with "ip local pool" (not shown here)
 peer default ip address pool l2tp-client-vpn-pool
 ! MS-CHAP needs local "username ... password" entries or an AAA method (not shown here)
 ppp authentication ms-chap
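For comparison, here is an added, complete IOS configuration for the same client-initiated L2TP/IPsec service, written as an editorial example rather than taken from the post or from Cisco documentation. It keeps the poster's object names and the 192.0.2.1 loopback and otherwise assumes the following: GigabitEthernet0/0/0 is the Internet-facing interface the clients reach, 198.51.100.10-198.51.100.250 is the client address pool, "vpnuser" is a test account, and the two CHANGE-ME strings are placeholders. The structural difference from the post is where the crypto map sits: IOS decrypts ESP on the interface the packets enter, so the dynamic map is applied to the physical interface, and "crypto map ... local-address Loopback0" keeps the loopback as the IKE/IPsec endpoint address without attaching the map to it. NAT traversal (UDP/4500 encapsulation) is enabled by default on IOS and needs no extra command.

```cisco
! Assumed names (not from the original post): GigabitEthernet0/0/0 is the
! Internet-facing interface, 198.51.100.0/24 is the client pool, "vpnuser"
! and the CHANGE-ME strings are placeholders.
!
vpdn enable
!
vpdn-group l2tp-client-vpn
 accept-dialin
  protocol l2tp
  virtual-template 1
 ! OS-native clients do not do L2TP tunnel authentication; IOS wants it by default
 no l2tp tunnel authentication
!
! ---- IKEv1 phase 1 ----
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
! Wildcard PSK for road warriors. "no-xauth" stops the router from trying
! extended authentication, which the built-in Windows/OS X clients do not do.
crypto isakmp key CHANGE-ME address 0.0.0.0 0.0.0.0 no-xauth
! NAT-T keepalives keep the UDP/4500 binding alive in the client's NAT device
crypto isakmp nat keepalive 20
!
! ---- IPsec phase 2: transport mode, as L2TP/IPsec clients require ----
crypto ipsec transform-set VPNSET-l2tp-users esp-aes 256 esp-sha-hmac
 mode transport
!
crypto dynamic-map VPNMAP-dynamic-users 10
 set transform-set VPNSET-l2tp-users
!
crypto map VPNMAP-l2tp-users 10 ipsec-isakmp dynamic VPNMAP-dynamic-users
! IKE and ESP are sourced from the loopback; the map itself goes on the
! physical interface where the clients' packets actually arrive
crypto map VPNMAP-l2tp-users local-address Loopback0
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0/0
 description Internet-facing (assumed)
 crypto map VPNMAP-l2tp-users
!
ip local pool l2tp-client-vpn-pool 198.51.100.10 198.51.100.250
!
! CHAP-family methods need the cleartext-recoverable password form ("password",
! type 0 or 7), not "secret"; an MD5 secret cannot answer an MS-CHAP challenge.
! With a wildcard PSK this account is the only thing gating access.
username vpnuser password 0 CHANGE-ME-TOO
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool l2tp-client-vpn-pool
 ppp authentication ms-chap-v2
!
! Checks while a client connects, in order of the layers:
!   show crypto isakmp sa      - phase 1 should reach QM_IDLE
!   show crypto ipsec sa       - phase 2; both #pkts encaps and #pkts decaps must rise
!   debug vpdn l2x-events      - L2TP tunnel and session setup
!   debug ppp negotiation      - LCP, MS-CHAPv2 and IPCP once L2TP is up
```

If phase 2 shows packets being encapsulated but the decaps counter stays at zero, or stays at zero in both directions, the client's ESP is not being processed on the ingress interface, which is exactly the symptom a map bound only to a loopback would produce; if the counters rise but "debug vpdn l2x-events" stays silent, look at L2TP tunnel authentication next.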