
Connecting sites at Layer 2 as one network with L2TP



What L2TP is

L2TP (Layer 2 Tunneling Protocol) is a Layer 2 tunneling protocol: it carries L2 frames inside packets across an IP network.
It has no encryption or integrity protection of its own, so when the tunnel crosses an untrusted network it is combined with IPsec, which protects it at Layer 3. The Cisco configurations below use L2TPv3 (RFC 3931), which can carry Ethernet frames (L2TPv2 carries only PPP) and runs either over UDP or, as here, directly over IP as protocol number 115.

Building a site-to-site VPN with L2TP puts the LANs of several sites into the same segment (one broadcast domain), so hosts at different sites reach each other without routing.

pseudowire (pronounced "soo-doh-wire"): the emulated point-to-point L2 circuit that the tunnel carries between two attachment circuits; each xconnect statement below creates one.

L2TPv3 configuration on Cisco (without IPsec, so everything on the wire is cleartext)

Target topology: R1 (Loopback0 1.1.1.1) and R2 (Loopback0 2.2.2.2) each connect to a router named Internet over a /30 link (10.0.0.0/30 and 20.0.0.0/30). EIGRP advertises the loopbacks, and an L2TPv3 pseudowire between the two loopbacks cross-connects GigabitEthernet0/1 on R1 with GigabitEthernet0/1 on R2, so hosts behind those two ports share one L2 segment.

R1
hostname R1
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 no ip address
 xconnect 2.2.2.2 1 encapsulation l2tpv3 pw-class L2TPv3
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 10.0.0.0 0.0.0.3
R2
hostname R2
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 20.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 no ip address
 xconnect 1.1.1.1 1 encapsulation l2tpv3 pw-class L2TPv3
!
router eigrp 1
 network 2.2.2.2 0.0.0.0
 network 20.0.0.0 0.0.0.3
Internet
hostname Internet
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 ip address 20.0.0.1 255.255.255.252
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 network 20.0.0.0 0.0.0.3
Verification (show xconnect all should report the pseudowire as UP, and show l2tp session should list the session)
show xconnect all
show l2tp session
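What actually crosses the Internet router with the configuration above, and the point made in the L2TP overview that L2TPv3 alone has no encryption, as an added example (this is not code from the page or from Cisco). The script builds an L2TPv3 data packet the way RFC 3931 defines IP encapsulation (IPv4 header with protocol 115, a 32-bit session ID, an optional cookie, then the raw Ethernet frame; no L2-Specific Sublayer, i.e. sequencing off), shows what an on-path observer can read from it, and shows the receiving side accepting the packet only when the cookie matches. The session ID, the 8-byte cookie, the MAC addresses and the inner IPv4/UDP packet are constructed sample values, not anything negotiated by the routers on the page.

```python
"""Encode/decode L2TPv3 data packets carried directly over IPv4 (RFC 3931 IP encapsulation)."""
import hmac
import socket
import struct

L2TPV3_IP_PROTO = 115   # IP protocol number for L2TPv3 over IP (what "permit 115" in ACL 100 matches)
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum; returns 0 when run over a header that already carries its checksum."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, DF set) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); raises ValueError on a malformed header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[9], packet[ihl:total_len]


def l2tpv3_encapsulate(session_id: int, cookie: bytes, frame: bytes) -> bytes:
    """Data message over IP: 32-bit Session ID, cookie (0/4/8 bytes), then the L2 frame. Session ID 0 is
    reserved for control messages in IP encapsulation, so a data message must never use it."""
    if session_id == 0:
        raise ValueError("session ID 0 is reserved for control messages")
    return struct.pack("!I", session_id) + cookie + frame


def l2tpv3_decapsulate(payload: bytes, cookie_len: int):
    """Split a data message into (session_id, cookie, frame); cookie_len is per session, learned at setup."""
    if len(payload) < 4 + cookie_len:
        raise ValueError("truncated L2TPv3 header")
    session_id = struct.unpack("!I", payload[:4])[0]
    if session_id == 0:
        raise ValueError("control message, not a data message")
    return session_id, payload[4:4 + cookie_len], payload[4 + cookie_len:]


def parse_ethernet(frame: bytes):
    """Return (dst_mac, src_mac, ethertype, payload) for an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    return frame[:6].hex(":"), frame[6:12].hex(":"), struct.unpack("!H", frame[12:14])[0], frame[14:]


def observe(packet: bytes, cookie_len: int) -> dict:
    """What an on-path host (the Internet router in the config above) can read when there is no IPsec."""
    o_src, o_dst, proto, payload = parse_ipv4(packet)
    sid, cookie, frame = l2tpv3_decapsulate(payload, cookie_len)
    e_dst, e_src, etype, l3 = parse_ethernet(frame)
    seen = {"outer": (o_src, o_dst, proto), "session_id": sid, "cookie": cookie.hex(), "eth": (e_src, e_dst, etype)}
    if etype == ETHERTYPE_IPV4:
        seen["inner"] = parse_ipv4(l3)   # inner src, dst, proto and the full application payload
    return seen


class PseudowireEndpoint:
    """Receiving side of a pseudowire: one expected cookie per local session ID, fixed at session setup."""

    def __init__(self, sessions: dict, peer: str):
        self.sessions = sessions   # session_id -> cookie
        self.peer = peer

    def receive(self, packet: bytes):
        """Return the inner frame to hand to the attachment circuit, or None if the packet is not accepted."""
        try:
            src, _dst, proto, payload = parse_ipv4(packet)
            if proto != L2TPV3_IP_PROTO or src != self.peer or len(payload) < 4:
                return None
            cookie = self.sessions.get(struct.unpack("!I", payload[:4])[0])
            if cookie is None:
                return None   # unknown session ID
            _sid, got, frame = l2tpv3_decapsulate(payload, len(cookie))
        except ValueError:
            return None
        return frame if hmac.compare_digest(got, cookie) else None


def demo():
    """Constructed sample: a host at site A (192.168.1.10) sends UDP to site B (192.168.1.20) over the pseudowire."""
    session_id = 0x0001A2B3                       # assumed session ID negotiated for this pseudowire
    cookie = bytes.fromhex("0123456789abcdef")    # assumed 8-byte cookie negotiated for this session
    data = b"SECRET: payroll export"
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(data), 0) + data   # UDP checksum 0 = absent (legal on IPv4)
    frame = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
             + struct.pack("!H", ETHERTYPE_IPV4) + build_ipv4("192.168.1.10", "192.168.1.20", 17, udp))
    packet = build_ipv4("1.1.1.1", "2.2.2.2", L2TPV3_IP_PROTO, l2tpv3_encapsulate(session_id, cookie, frame))

    seen = observe(packet, len(cookie))                       # the Internet router reads everything
    r2 = PseudowireEndpoint({session_id: cookie}, peer="1.1.1.1")
    accepted = r2.receive(packet) == frame                    # genuine packet is delivered to Gi0/1
    forged = build_ipv4("1.1.1.1", "2.2.2.2", L2TPV3_IP_PROTO, l2tpv3_encapsulate(session_id, bytes(8), frame))
    rejected = r2.receive(forged) is None                     # right session ID, wrong cookie: dropped
    return seen, accepted, rejected


if __name__ == "__main__":
    s, ok, rej = demo()
    print(s["outer"], hex(s["session_id"]), s["eth"], s["inner"][:3], s["inner"][3][8:], ok, rej)
```

Note what the cookie does and does not buy you: it defeats blind injection of frames into the pseudowire by an off-path attacker who can only guess the 32-bit session ID, but it is itself sent in cleartext during session setup (the Assigned Cookie AVP), so anyone who can see the control channel or the data packets learns it. Confidentiality and integrity against an on-path attacker come only from IPsec, which is what the next section adds.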


L2TPv3 over IPsec on Cisco

Based on Cisco's configuration example "LAN-to-LAN connection using L2TPv3 over IPsec VPN":
https://www.cisco.com/c/ja_jp/support/docs/security-vpn/ipsec-negotiation-ike-protocols/l2tpv3-overipsec.html

In that example the crypto policy is 3DES / MD5 / DH group 2 with the pre-shared key cisco; these are legacy choices, acceptable for a lab but not for production. Note that ACL 100 matches IP protocol 115 (L2TPv3 over IP) between the two loopbacks, so the crypto map encrypts exactly the pseudowire traffic and nothing else, and ip mtu 1454 on the Dialer interface is the usual value for Flet's PPPoE.

1812J-A
hostname 1812J-A
!
ip cef
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 64.104.2.1
crypto isakmp keepalive 30 periodic
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map L2TPv3-IPSEC_to_campus 1 ipsec-isakmp
 set peer 64.104.2.1
 set transform-set IPSEC
 match address 100
!
interface Loopback0
 ip address 64.2.2.14 255.255.255.0
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 64.104.2.1 1 pw-class L2TPv3
!
interface Dialer1
 ip unnumbered Loopback0
 ip mtu 1454
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname Flet's@cisco.com
 ppp chap password 0 cisco
 crypto map L2TPv3-IPSEC_to_campus
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
access-list 100 permit 115 host 64.2.2.14 host 64.104.2.1
dialer-list 1 protocol ip permit
!
end
1812J-B
hostname 1812J-B
!
ip cef
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 64.2.2.14
crypto isakmp keepalive 30 periodic
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map L2TPv3-IPSEC_to_branch 10 ipsec-isakmp
 set peer 64.2.2.14
 set transform-set IPSEC
 match address 100
!
interface Loopback0
 ip address 64.104.2.1 255.255.255.0
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 64.2.2.14 1 pw-class L2TPv3
!
interface Dialer1
 ip unnumbered Loopback0
 ip mtu 1454
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname Flet's@cisco.com
 ppp chap password 0 cisco
 crypto map L2TPv3-IPSEC_to_branch
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
access-list 100 permit 115 host 64.104.2.1 host 64.2.2.14
dialer-list 1 protocol ip permit
!
end
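A small audit of the crypto settings in the example above, as an added Python example (not from the page or from Cisco). It scans IOS config text for IKEv1/IPsec choices that current guidance treats as weak (DES/3DES, MD5/SHA-1, DH groups 1/2/5, a short or dictionary pre-shared key) and runs against two constructed fragments: the policy from the Cisco example, and a hardened variant in the same IKEv1 syntax (AES-256, SHA-256, DH group 14, a 32-character key). The weak-algorithm tables, the hardened values and the placeholder key are my choices, not values from the page.

```python
"""Flag legacy IKEv1/IPsec choices in a Cisco IOS configuration."""
import re

# Choices that current guidance (Cisco NGE, RFC 8221-style lists) treats as legacy or broken.
WEAK_ENCR = {"des": "56-bit DES", "3des": "3DES (64-bit block, Sweet32; deprecated)"}
WEAK_HASH = {"md5": "MD5", "sha": "SHA-1"}
WEAK_GROUPS = {"1": "768-bit MODP", "2": "1024-bit MODP", "5": "1536-bit MODP"}
WEAK_TRANSFORMS = {
    "esp-des": "56-bit DES", "esp-3des": "3DES (Sweet32)", "esp-null": "no encryption",
    "esp-md5-hmac": "MD5 HMAC", "esp-sha-hmac": "SHA-1 HMAC",
    "ah-md5-hmac": "MD5 HMAC", "ah-sha-hmac": "SHA-1 HMAC",
}
TRIVIAL_PSKS = {"cisco", "cisco123", "password", "secret", "vpn"}


def audit_ios_crypto(config: str, min_psk_len: int = 20) -> list:
    """Return (line_no, item, reason) for every weak setting found; [] means nothing was flagged."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()                      # IOS indents sub-commands by one space; nesting is not needed here
        m = re.match(r"encr(?:yption)?\s+(\S+)", line)
        if m and m.group(1) in WEAK_ENCR:
            findings.append((lineno, m.group(1), "IKE encryption " + WEAK_ENCR[m.group(1)]))
        m = re.match(r"hash\s+(\S+)$", line)
        if m and m.group(1) in WEAK_HASH:
            findings.append((lineno, m.group(1), "IKE hash " + WEAK_HASH[m.group(1)]))
        m = re.match(r"group\s+(\d+)$", line)
        if m and m.group(1) in WEAK_GROUPS:
            findings.append((lineno, "group " + m.group(1),
                             "IKE DH " + WEAK_GROUPS[m.group(1)] + " (use 14 or an ECP group)"))
        m = re.match(r"crypto ipsec transform-set\s+\S+\s+(.+)$", line)
        if m:
            for tok in m.group(1).split():
                if tok in WEAK_TRANSFORMS:
                    findings.append((lineno, tok, "IPsec transform " + WEAK_TRANSFORMS[tok]))
        m = re.match(r"crypto isakmp key\s+(?:([06])\s+)?(\S+)\s+address\b", line)
        if m:
            kind, key = m.group(1), m.group(2)
            if kind == "6":
                continue                        # type 6 is stored encrypted; strength can't be judged from the text
            if key.lower() in TRIVIAL_PSKS or len(key) < min_psk_len:
                findings.append((lineno, "isakmp key",
                                 f"pre-shared key {key!r} is a dictionary word or shorter than {min_psk_len} chars"))
    return findings


# Constructed fragment 1: the crypto lines as they appear in the Cisco example above.
WEAK_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 64.104.2.1
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
"""

# Constructed fragment 2: same IKEv1 syntax with current choices; the key is a made-up placeholder.
HARDENED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key 0 Xq7vR2mL9pTz4Kw8Bn3Jh6Yd0Sf5Ga1E address 64.104.2.1
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for name, cfg in (("page example", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_ios_crypto(cfg) or "no findings")
```

Cisco's own Next Generation Encryption guidance goes further and recommends IKEv2 with AES-GCM and elliptic-curve DH groups; the hardened fragment stays with IKEv1 only to keep the page's syntax. If the pre-shared key has to live in the configuration, store it as a type 6 secret (key config-key password-encrypt together with password encryption aes) rather than type 0, which is cleartext in show running-config.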


References