
VPN - Layer 2 Tunnel Protocol v3 (L2TPv3)

  • Writer: dale warner
  • Aug 22, 2024

Updated: Sep 30, 2024

This is a configuration example of a layer 2 VPN between two Cisco routers. The aim is to allow communication between two devices as though they are connected on the same L2 subnet. For this lab, I have two switches (SW1 and SW2) that should have an EIGRP neighbourship between them. In the exam this could be something different, e.g. two routers, two PCs, a router and switch, etc. You need to be adept at noticing when the situation requires L2TP VPNs.


I am also only showing you a working configuration. How my IKEv2 is authenticated, what I use for identification, and the proposals and profiles are all very basic. The idea is that you play with this setup, break it, and try to make it your own.


The video at the bottom of the page shows me setting this up in the lab, where I also show you where to find the configuration on Cisco.com.


The diagram below shows the lab setup




There is a basic configuration already applied to the two routers (hostname, interfaces, IP addresses) which you should be able to replicate using the diagram.


R1

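! IKEv2 keyring: pre-shared key for the peer's WAN address (lab-only key)
crypto ikev2 keyring KEYRING
 peer L2TP-PEER
  address 172.27.10.2
  pre-shared-key Cisco1234
!
! IKEv2 profile: match any peer identity in lab.local, PSK authentication both ways
crypto ikev2 profile IKEV2-PROF
 match identity remote fqdn domain lab.local
 identity local fqdn R1.lab.local
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
! IPsec profile bound to the IKEv2 profile
crypto ipsec profile IPSEC-PROF
 set ikev2-profile IKEV2-PROF
!
! Tunnel to R2, protected by the IPsec profile
interface tunnel 1
 ip address 172.16.0.1 255.255.255.0
 tunnel source gig3
 tunnel destination 172.27.10.2
 tunnel protection ipsec profile IPSEC-PROF
!
! Pseudowire class: L2TPv3 sourced from the protected tunnel
pseudowire-class L2TP-CLASS
 encapsulation l2tpv3
 ip local interface tunnel 1
!
! Attachment circuit: cross-connect this interface to R2's tunnel address, VC ID 1001
interface gig2
 no ip address
 no shut
 xconnect 172.16.0.2 1001 encapsulation l2tpv3 pw-class L2TP-CLASS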

R2

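! IKEv2 keyring: pre-shared key for the peer's WAN address (lab-only key)
crypto ikev2 keyring KEYRING
 peer L2TP-PEER
  address 172.27.10.1
  pre-shared-key Cisco1234
!
! IKEv2 profile: match any peer identity in lab.local, PSK authentication both ways
crypto ikev2 profile IKEV2-PROF
 match identity remote fqdn domain lab.local
 identity local fqdn R2.lab.local
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
! IPsec profile bound to the IKEv2 profile
crypto ipsec profile IPSEC-PROF
 set ikev2-profile IKEV2-PROF
!
! Tunnel to R1, protected by the IPsec profile
interface tunnel 1
 ip address 172.16.0.2 255.255.255.0
 tunnel source gig3
 tunnel destination 172.27.10.1
 tunnel protection ipsec profile IPSEC-PROF
!
! Pseudowire class: L2TPv3 sourced from the protected tunnel
pseudowire-class L2TP-CLASS
 encapsulation l2tpv3
 ip local interface tunnel 1
!
! Attachment circuit: cross-connect this interface to R1's tunnel address, VC ID 1001
interface gig2
 no ip address
 no shut
 xconnect 172.16.0.1 1001 encapsulation l2tpv3 pw-class L2TP-CLASS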
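
When you start changing this setup, the pseudowire only comes up if the two routers still mirror each other: the xconnect peer must be the remote tunnel address, and the VC ID, pre-shared key and tunnel destination must agree. The Python check below is an added example, not part of the original post; the trimmed sample configs and the field names are constructed for illustration.

```python
import re

# Constructed sample: the page's lab lines that must agree, rendered per router.
TEMPLATE = """\
crypto ikev2 keyring KEYRING
 peer L2TP-PEER
  address {wan_peer}
  pre-shared-key Cisco1234
interface tunnel 1
 ip address {tun_ip} 255.255.255.0
 tunnel destination {wan_peer}
pseudowire-class L2TP-CLASS
interface gig2
 xconnect {xc_peer} 1001 encapsulation l2tpv3 pw-class L2TP-CLASS
"""
R1 = TEMPLATE.format(wan_peer="172.27.10.2", tun_ip="172.16.0.1", xc_peer="172.16.0.2")
R2 = TEMPLATE.format(wan_peer="172.27.10.1", tun_ip="172.16.0.2", xc_peer="172.16.0.1")

PATTERNS = {  # field names are this checker's own (hypothetical)
    "keyring_addr": r"^ +address (\S+)$",
    "psk": r"^ +pre-shared-key (\S+)$",
    "tunnel_ip": r"^ +ip address (\S+) \S+$",
    "dest": r"^ +tunnel destination (\S+)$",
    "pw_class": r"^pseudowire-class (\S+)$",
    "xconnect": r"^ +xconnect (\S+) (\d+) encapsulation l2tpv3 pw-class (\S+)$",
}

def facts(cfg):  # field -> captured groups, or None when the line is absent
    found = {k: re.search(p, cfg, re.M) for k, p in PATTERNS.items()}
    return {k: m.groups() if m else None for k, m in found.items()}

def check_pair(cfg_a, cfg_b):
    """Return the mismatches that would keep the pseudowire from coming up."""
    a, b = facts(cfg_a), facts(cfg_b)
    problems = [f"{n}: no {k} line" for n, f in (("A", a), ("B", b)) for k in f if f[k] is None]
    if problems:
        return problems
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["xconnect"][1] != b["xconnect"][1]:
        problems.append("xconnect VC IDs differ")
    for n, me, peer in (("A", a, b), ("B", b, a)):
        if me["xconnect"][0] != peer["tunnel_ip"][0]:
            problems.append(f"{n}: xconnect peer is not the remote tunnel IP")
        if me["keyring_addr"] != me["dest"]:
            problems.append(f"{n}: keyring peer differs from tunnel destination")
        if me["xconnect"][2] != me["pw_class"][0]:
            problems.append(f"{n}: xconnect names an undefined pw-class")
    return problems
```

Calling `check_pair(R1, R2)` on the mirrored pair returns an empty list; any string it returns names the line to fix before pasting the config into the routers.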



