L2TPv3 Tunnel

I recently got the question: how can we design a DR site for a medium-sized business customer? Off the top of my head, FabricPath or TRILL came to mind, but they are not likely to buy and upgrade their infrastructure, so we had to go cheap. I then started working on an L2TPv3 tunnel setup in GNS3.

[Figure: topology]

Since it is a lab, why not go fancy: L2TPv3 “mesh” over IPsec!

I have already spent too much time on the configuration, so I have just attached the configuration files below for your reference. If you think there is content here from your own publication, that is probably because I was reading yours while troubleshooting. Please contact me if you would like your name listed for credit 🙂

+++++++++++++++ISP++++++++++++++++++
hostname ISP
!
interface Loopback0
ip address 10.0.4.4 255.255.255.255
!
interface FastEthernet 0/0
ip address 4.1.1.4 255.255.255.0
speed 100
full-duplex
no shut
interface FastEthernet 0/1
ip address 4.2.2.4 255.255.255.0
speed 100
full-duplex
no shut
!
interface FastEthernet1/0
ip address 4.3.3.4 255.255.255.0
speed 100
full-duplex
no shut
!
router ospf 1
router-id 10.0.4.4
network 0.0.0.0 255.255.255.255 area 0
+++++++++++++++HQ++++++++++++++++++
hostname HQ
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
!
interface FastEthernet 0/0
ip address 4.1.1.1 255.255.255.0
speed 100
full-duplex
no shut
!
router ospf 1
router-id 10.0.1.1
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class HQ2R2
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet0/1
description HQ_LAN_R2Branch
no ip address
no shut
no cdp enable
xconnect 10.0.2.2 100 encap l2tpv3 manual pw-class HQ2R2
l2tp id 100 200
l2tp hello L2TPV3class
!
pseudowire-class HQ2R3
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet1/0
description HQ_LAN_R3Branch
no ip address
no shut
no cdp enable
xconnect 10.0.3.3 101 encap l2tpv3 manual pw-class HQ2R3
l2tp id 103 301
l2tp hello L2TPV3class
+++++++++++++++Branch2++++++++++++++++++
hostname Branch2
!
interface Loopback0
ip address 10.0.2.2 255.255.255.255
!
default inter fa0/0
interface FastEthernet 0/0
speed 100
full-duplex
ip address 4.2.2.2 255.255.255.0
no shut
!
router ospf 1
router-id 10.0.2.2
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class R22HQ
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface FastEthernet1/0
description R2Branch_LAN_HQ
no ip address
no shut
no cdp enable
xconnect 10.0.1.1 200 encap l2tpv3 manual pw-class R22HQ
l2tp id 200 100
l2tp hello L2TPV3class
!
+++++++++++++++Branch3++++++++++++++++++
hostname Branch3
!
interface Loopback0
ip address 10.0.3.3 255.255.255.255
!
interface FastEthernet 0/0
speed 100
full-duplex
ip address 4.3.3.3 255.255.255.0
no shut
!
router ospf 1
router-id 10.0.3.3
network 0.0.0.0 255.255.255.255 area 0
!
l2tp-class L2TPV3class
authentication
password L2TPV3
!
pseudowire-class R32HQ
encapsulation l2tpv3
protocol none
ip local interface Loopback0
default inter fa1/0
interface FastEthernet1/0
description R3Branch_LAN_HQ
no ip address
no shut
no cdp enable
xconnect 10.0.1.1 301 encap l2tpv3 manual pw-class R32HQ
l2tp id 301 103
l2tp hello L2TPV3class
!
++++++++++++HQ IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HQ-TRANSFORM esp-3des esp-sha-hmac
!
crypto map HQ2Others 100 ipsec-isakmp
set peer 4.3.3.3
set transform-set HQ-TRANSFORM
match address 110
crypto map HQ2Others 200 ipsec-isakmp
set peer 4.2.2.2
set transform-set HQ-TRANSFORM
match address 100
!
! The pseudowires are sourced from Loopback0 (ip local interface Loopback0)
! and terminate on the peer loopbacks, so the crypto ACLs match
! loopback-to-loopback traffic. Each ACL must mirror the one on the branch.
access-list 100 permit ip host 10.0.1.1 host 10.0.2.2
access-list 110 permit ip host 10.0.1.1 host 10.0.3.3
!
interface FastEthernet0/0
crypto map HQ2Others
!
++++++++++++Branch2 IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set R2-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R22HQ 100 ipsec-isakmp
set peer 4.1.1.1
set transform-set R2-TRANSFORM
match address 100
!
! Mirror of HQ access-list 100: Branch2 Loopback0 to HQ Loopback0
access-list 100 permit ip host 10.0.2.2 host 10.0.1.1
!
interface FastEthernet0/0
crypto map R22HQ
!
++++++++++++Branch3 IPSec Configure+++++++++++++++
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key 1tunnel2connect address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set R3-TRANSFORM esp-3des esp-sha-hmac
!
crypto map R32HQ 100 ipsec-isakmp
set peer 4.1.1.1
set transform-set R3-TRANSFORM
match address 100
!
! Mirror of HQ access-list 110: Branch3 Loopback0 to HQ Loopback0
access-list 100 permit ip host 10.0.3.3 host 10.0.1.1
!
interface FastEthernet0/0
crypto map R32HQ
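
Because each pseudowire-class uses `ip local interface Loopback0`, the L2TPv3 packets travel loopback to loopback, and a crypto ACL that matches only the WAN addresses lets them leave unencrypted. The following is an added example, not part of the original post: the function name and the HQ-style excerpt are constructed for illustration, and only `permit ip|115 host A host B` ACL entries are handled.

```python
import re

# Constructed HQ-style excerpt: the pseudowire to 10.0.2.2 is covered by
# ACL 100; ACL 110 matches WAN addresses, so the one to 10.0.3.3 is not.
SAMPLE = """\
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
pseudowire-class HQ2R2
 ip local interface Loopback0
pseudowire-class HQ2R3
 ip local interface Loopback0
interface FastEthernet0/1
 xconnect 10.0.2.2 100 encap l2tpv3 manual pw-class HQ2R2
interface FastEthernet1/0
 xconnect 10.0.3.3 101 encap l2tpv3 manual pw-class HQ2R3
crypto map HQ2Others 100 ipsec-isakmp
 match address 110
crypto map HQ2Others 200 ipsec-isakmp
 match address 100
access-list 100 permit ip host 10.0.1.1 host 10.0.2.2
access-list 110 permit ip host 4.1.1.1 host 4.3.3.3
"""

ACL_RE = re.compile(r"access-list (\S+) permit (?:ip|115) host (\S+) host (\S+)")

def unprotected_pseudowires(config):
    """Return (local_ip, peer_ip) L2TPv3 flows that no crypto-map ACL matches."""
    cur_if = cur_pw = None
    if_ip, pw_src, flows, crypto_acls, entries = {}, {}, [], set(), []
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            cur_if = "".join(w[1:])            # tolerate "FastEthernet 0/0"
        elif w[:1] == ["pseudowire-class"]:
            cur_pw = w[1]
        elif w[:2] == ["ip", "address"]:
            if_ip[cur_if] = w[2]
        elif w[:3] == ["ip", "local", "interface"]:
            pw_src[cur_pw] = "".join(w[3:])    # tunnel source interface
        elif w[:1] == ["xconnect"] and "pw-class" in w:
            flows.append((w[w.index("pw-class") + 1], w[1]))
        elif w[:2] == ["match", "address"]:
            crypto_acls.add(w[2])              # ACLs referenced by a crypto map
        elif ACL_RE.match(" ".join(w)):
            entries.append(ACL_RE.match(" ".join(w)).groups())
    covered = {(src, dst) for acl, src, dst in entries if acl in crypto_acls}
    resolved = [(if_ip[pw_src[pw]], peer) for pw, peer in flows]
    return [flow for flow in resolved if flow not in covered]

if __name__ == "__main__":
    for local, peer in unprotected_pseudowires(SAMPLE):
        print(f"L2TPv3 {local} -> {peer} is not matched by any crypto ACL")
```
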
