In this blog post I'll guide you trough the commands to extend a local LAN via any L3 internet uplink and secure it with IPSEC! 

All you need is L2TPv3 (aka pseudowire) which doesn't require any license upgrade with a 89X router (this is the cheap part)! Be aware that if you want to use a 29XX or similar you need a DATA license!! 

In this setup I'm using two ISR 892 since you need routed ports. Haven't tested it with VLAN SVI yet.

EDIT: I've tested it with SVI and it works! Here it's listed that it works since 12.4.20(T)

Let's assure you have Office-A with a LAN 10.0.0.0/24 and Office-B with LAN 10.0.0.0/24. To interconnect them both over a DSL link or similar you need L2TPv3. Let's say WAN IP from Office-A is 10.10.10.1 and from Office.B it's 10.10.10.2.

Here's your config for Office-A

l2tp-class l2class
 authentication
 password l2

pseudowire-class LAN2LAN
 encapsulation l2tpv3
 protocol l2tpv3 l2class
 ip local interface GigabitEthernet0

interface FastEthernet8
 description LAN
 no ip address
 duplex auto
 speed auto
 xconnect 10.10.10.2 1 encapsulation l2tpv3 pw-class LAN2LAN
!
interface GigabitEthernet0
 ip address 10.10.10.1 255.255.255.0

Be aware that FA8 (your LAN) is not allowed to have an IP address, it's the interface to your switch! 

Now check the status with 

R1#show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
 UP=Up DN=Down AD=Admin Down IA=Inactive
 SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac Fa8:3(Ethernet) UP l2tp 10.10.10.2:1 UP

You have a running setup, fine! But now your LAN traffic is travelling packed within L2TPv3 but in plaintext over the wire. Now we have to encrypt the tunnel via IPSEC (transport mode).

Here we go:

 crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
 
 crypto isakmp key test address 10.10.10.1
 
 crypto ipsec security-association lifetime seconds 3600
 
 crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
 mode transport
 
 
 crypto map VPN 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set aes-sha
 set pfs group14
 match address 100
 
 access-list 100 permit ip host 10.10.10.2 host 10.10.10.1

interface GigabitEthernet0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN

For the Office-B router just flip the IPs! :) 

Now you have your traffic encrypted between 10.10.10.1 and 10.10.10.2 which is the L2TP pseudowire. 

Double check IPSEC with 

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.10.10.2 10.10.10.1 QM_IDLE 2001 ACTIVE
10.10.10.1 10.10.10.2 QM_IDLE 2002 ACTIVE

R1#show crypto ipsec sa

interface: GigabitEthernet0
 Crypto map tag: VPN, local addr 10.10.10.1

 protected vrf: (none)
 local ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
 remote ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/0/0)
 current_peer 10.10.10.2 port 500
 PERMIT, flags={origin_is_acl,}
 #pkts encaps: 735, #pkts encrypt: 735, #pkts digest: 735
 #pkts decaps: 198, #pkts decrypt: 198, #pkts verify: 198
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts compr. failed: 0
 #pkts not decompressed: 0, #pkts decompress failed: 0
 #send errors 0, #recv errors 0

 local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
 plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
 current outbound spi: 0x900B4A7(151041191)
 PFS (Y/N): Y, DH group: group14

That's it! 

Please don't use this setup in large deployments and/or on slow links! It just a PoC to show you how to extend your LAN the "dirty" but quick way.

Michael