
Extending LANs geographically - the easy, cheap and secure way


In this blog post I'll guide you through the commands to extend a local LAN via any L3 internet uplink and secure it with IPSEC!

All you need is L2TPv3 (aka pseudowire), which doesn't require any license upgrade with an 89X router (this is the cheap part)! Be aware that if you want to use a 29XX or similar you need a DATA license!!

In this setup I'm using two ISR 892 since you need routed ports. Haven't tested it with VLAN SVI yet.

EDIT: I've tested it with SVI and it works! Here it's listed that it works since 12.4.20(T)

Let's assume you have Office-A with a LAN and Office-B with a LAN. To interconnect them both over a DSL link or similar you need L2TPv3. Let's say WAN IP from Office-A is and from Office-B it's

Here's your config for Office-A

l2tp-class l2class
 password l2
pseudowire-class LAN2LAN
 encapsulation l2tpv3
 protocol l2tpv3 l2class
 ip local interface GigabitEthernet0
interface FastEthernet8
 description LAN
 no ip address
 duplex auto
 speed auto
 xconnect 1 encapsulation l2tpv3 pw-class LAN2LAN
interface GigabitEthernet0
 ip address

Be aware that FA8 (your LAN) is not allowed to have an IP address, it's the interface to your switch! 

Now check the status with 

R1#show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware
XC ST Segment 1 S1 Segment 2 S2
UP pri ac Fa8:3(Ethernet) UP l2tp UP

You have a running setup, fine! But right now your LAN traffic is travelling encapsulated in L2TPv3, in plaintext over the wire. Now we have to encrypt the tunnel via IPSEC (transport mode).

Here we go:

crypto isakmp policy 1
 encr aes
 hash sha
 authentication pre-share
 group 14
 lifetime 28800

crypto isakmp key test address

crypto ipsec security-association lifetime seconds 3600

crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
 mode transport

crypto map VPN 10 ipsec-isakmp
 set peer
 set transform-set aes-sha
 set pfs group14
 match address 100

access-list 100 permit ip host host
interface GigabitEthernet0
 ip address
 duplex auto
 speed auto
 crypto map VPN

For the Office-B router just flip the IPs! :) 

Now you have your traffic encrypted between and which is the L2TP pseudowire. 

Double check IPSEC with 

R1#show crypto isakmp sa
dst src state conn-id status
QM_IDLE 2001 ACTIVE
QM_IDLE 2002 ACTIVE

R1#show crypto ipsec sa

interface: GigabitEthernet0
Crypto map tag: VPN, local addr

protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 735, #pkts encrypt: 735, #pkts digest: 735
#pkts decaps: 198, #pkts decrypt: 198, #pkts verify: 198
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.:, remote crypto endpt.:
plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x900B4A7(151041191)
PFS (Y/N): Y, DH group: group14
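
As an added example (not part of the original post), this Python sketch parses output in the shape shown above and reports anything that suggests the pseudowire is not fully protected: zero or mismatched counters, errors, proxy identities wider than host-to-host, or missing PFS. The sample text is constructed with placeholder addresses, and the 38-byte overhead used for the MTU estimate is an assumption (outer IPv4 header, 4-byte L2TPv3 session ID without cookie, untagged Ethernet header).

```python
import re

# Constructed sample in the shape of the output above. The addresses are
# RFC 5737 documentation placeholders, not values from the post.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (192.0.2.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/0/0)
    #pkts encaps: 735, #pkts encrypt: 735, #pkts digest: 735
    #pkts decaps: 198, #pkts decrypt: 198, #pkts verify: 198
    #send errors 0, #recv errors 0
     plaintext mtu 1458, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     PFS (Y/N): Y, DH group: group14
"""

COUNTER = re.compile(r"#(?:pkts )?(encaps|encrypt|digest|decaps|decrypt|verify"
                     r"|send errors|recv errors):? (\d+)")

def parse_sa(text):
    """Extract counters, proxy-identity masks, PFS flag and plaintext MTU."""
    sa = {name: int(value) for name, value in COUNTER.findall(text)}
    sa["masks"] = re.findall(r"ident \(addr/mask/prot/port\): \([^/]+/([\d.]+)/", text)
    pfs = re.search(r"PFS \(Y/N\): ([YN])", text)
    sa["pfs"] = bool(pfs) and pfs.group(1) == "Y"
    mtu = re.search(r"plaintext mtu (\d+)", text)
    sa["plaintext_mtu"] = int(mtu.group(1)) if mtu else None
    return sa

def check_sa(sa):
    """Return a list of findings; an empty list means the SA looks healthy."""
    findings = []
    if not sa.get("encaps") or not sa.get("decaps"):
        findings.append("no protected traffic in at least one direction")
    if not sa.get("encaps") == sa.get("encrypt") == sa.get("digest"):
        findings.append("outbound packets not all encrypted and authenticated")
    if not sa.get("decaps") == sa.get("decrypt") == sa.get("verify"):
        findings.append("inbound packets not all decrypted and verified")
    if sa.get("send errors") or sa.get("recv errors"):
        findings.append("send/recv errors are non-zero")
    if len(sa["masks"]) != 2 or set(sa["masks"]) != {"255.255.255.255"}:
        findings.append("proxy identities are not host-to-host")
    if not sa["pfs"]:
        findings.append("PFS was not negotiated")
    return findings

def max_unfragmented_lan_packet(sa, overhead=20 + 4 + 14):
    # Assumed overhead: outer IPv4 header + L2TPv3 session ID (no cookie)
    # + untagged Ethernet header carried inside the pseudowire.
    return sa["plaintext_mtu"] - overhead
```

With the plaintext mtu of 1458 shown above, LAN packets larger than the returned value get fragmented on the way through the tunnel, which is one reason this setup hurts on slow links.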

That's it! 

Please don't use this setup in large deployments and/or on slow links! It's just a PoC to show you how to extend your LAN the "dirty" but quick way.