L2TP (Layer 2 Tunneling Protocol) is an L2 tunneling protocol.
It has no encryption of its own, so it is commonly combined with IPsec, an L3 tunneling protocol.
Building a site-to-site VPN with L2TP puts the networks of multiple sites on the same segment.
pseudowire (pronounced "sudo-wire")
hostname RT1
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 no ip address
 xconnect 2.2.2.2 1 encapsulation l2tpv3 pw-class L2TPv3
!
router eigrp 1
 network 1.1.1.1 0.0.0.0
 network 10.0.0.0 0.0.0.3

hostname R2
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 20.0.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 no ip address
 xconnect 1.1.1.1 1 encapsulation l2tpv3 pw-class L2TPv3
!
router eigrp 1
 network 2.2.2.2 0.0.0.0
 network 20.0.0.0 0.0.0.3

hostname Internet
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet0/2
 ip address 20.0.0.1 255.255.255.252
!
router eigrp 1
 network 10.0.0.0 0.0.0.3
 network 20.0.0.0 0.0.0.3
Verification commands:
show xconnect all
show l2tp session

LAN-to-LAN connection configuration example using L2TPv3 over IPsec VPN
https://www.cisco.com/c/ja_jp/support/docs/security-vpn/ipsec-negotiation-ike-protocols/l2tpv3-overipsec.html
hostname 1812J-A
!
ip cef
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 64.104.2.1
crypto isakmp keepalive 30 periodic
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map L2TPv3-IPSEC_to_campus 1 ipsec-isakmp
 set peer 64.104.2.1
 set transform-set IPSEC
 match address 100
!
interface Loopback0
 ip address 64.2.2.14 255.255.255.0
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 64.104.2.1 1 pw-class L2TPv3
!
interface Dialer1
 ip unnumbered Loopback0
 ip mtu 1454
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname Flet's@cisco.com
 ppp chap password 0 cisco
 crypto map L2TPv3-IPSEC_to_campus
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
access-list 100 permit 115 host 64.2.2.14 host 64.104.2.1
dialer-list 1 protocol ip permit
!
end

hostname 1812J-B
!
ip cef
!
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 64.2.2.14
crypto isakmp keepalive 30 periodic
!
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
!
crypto map L2TPv3-IPSEC_to_branch 10 ipsec-isakmp
 set peer 64.2.2.14
 set transform-set IPSEC
 match address 100
!
interface Loopback0
 ip address 64.104.2.1 255.255.255.0
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 64.2.2.14 1 pw-class L2TPv3
!
interface Dialer1
 ip unnumbered Loopback0
 ip mtu 1454
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname Flet's@cisco.com
 ppp chap password 0 cisco
 crypto map L2TPv3-IPSEC_to_branch
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit any
access-list 100 permit 115 host 64.104.2.1 host 64.2.2.14
dialer-list 1 protocol ip permit
!
end
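Since L2TPv3 itself carries the L2 frames in cleartext, the two things worth checking before deploying a config like the one above are whether the crypto ACL really matches the L2TPv3 traffic (IP protocol 115 between the two Loopback0 addresses referenced by xconnect) and whether the ISAKMP policy, transform set and pre-shared key are weak. The checker below is an added example, not code from the page or the Cisco document; it runs on a trimmed copy of the 1812J-A config, and the WEAK_ALG set, the DH-group threshold of 14 and the 16-character key-length threshold are assumed policy values.

```python
import re

# Constructed sample, trimmed from the branch router (1812J-A) in the page's
# Cisco example; the tunnel endpoints are the two Loopback0 addresses.
SAMPLE = """\
pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Loopback0
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 64.104.2.1
crypto ipsec transform-set IPSEC esp-3des esp-md5-hmac
interface Loopback0
 ip address 64.2.2.14 255.255.255.0
interface FastEthernet1
 xconnect 64.104.2.1 1 pw-class L2TPv3
access-list 100 permit 115 host 64.2.2.14 host 64.104.2.1
"""

# Assumed policy: algorithm tokens treated as weak (not taken from the page).
WEAK_ALG = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}


def audit(config):
    """Return a list of findings for an L2TPv3-over-IPsec IOS config."""
    findings = []
    lo = re.search(r"ip local interface (\S+)", config).group(1)
    local_ip = re.search(rf"interface {lo}\n ip address (\S+)", config).group(1)
    # Each xconnect peer needs a crypto ACL entry for IP protocol 115 (L2TPv3
    # over IP) from the local loopback; otherwise the pseudowire is unencrypted.
    acl = re.findall(r"access-list \d+ permit 115 host (\S+) host (\S+)", config)
    for peer in re.findall(r"xconnect (\S+) \d+", config):
        if (local_ip, peer) not in acl:
            findings.append(f"cleartext: no crypto ACL entry {local_ip} -> {peer} proto 115")
    for cmd, val in re.findall(r"^ (encr|hash|group) (\S+)$", config, re.M):
        if val in WEAK_ALG or (cmd == "group" and int(val) < 14):
            findings.append(f"weak isakmp {cmd} {val}")
    for ts in re.findall(r"crypto ipsec transform-set \S+ (.+)$", config, re.M):
        for alg in ts.split():
            if alg in WEAK_ALG:
                findings.append(f"weak transform {alg}")
    for key in re.findall(r"crypto isakmp key (\S+) address", config):
        if len(key) < 16:  # assumed minimum length for a pre-shared key
            findings.append(f"short pre-shared key ({len(key)} chars)")
    return findings
```

Against the sample the ACL check passes, and the remaining findings are the 3DES/MD5/group 2 policy, the matching transform set and the five-character pre-shared key.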