Beginner

Cisco 800 series; L2TPv3 (tunnelling and extending L2) over an IPsec L3 VPN

As title states.... does anyone have any configuration examples to run L2TPv3 to tunnel and extend L2 over an IPsec L3 site-to-site tunnel ?

2 ACCEPTED SOLUTIONS

Contributor

Hi Michael,

I've written a blog post on this:

https://supportforums.cisco.com/blog/13213791/extending-lans-geographically-easy-cheap-and-secure-way

Michael

Michael Please rate all helpful posts
Contributor

Sorry, I double-checked it right now with SVI and it works. 

It works since IOS 12.4.20(T), definitely with 829!

But beware that VLAN1 (SVI) is not allowed to have an IP address:

R1(config)#int vl1
R1(config-if)#ip add 10.0.0.1 255.255.255.0
Incompatible with xconnect command on Vl1 - command rejected.

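As an added illustration of the pattern the two accepted answers describe (this is not configuration from the thread or from the linked blog post), the IOS fragment below puts an L2TPv3 pseudowire on the Vlan1 SVI of the DC router and carries the pseudowire inside a site-to-site IPsec tunnel between the two routers' loopbacks. Everything in it is assumed: the interface names, the 10.255.0.x loopbacks, the 203.0.113.x WAN addresses, the VC ID 100, and the two secrets marked as placeholders. Only the DC side is shown; the Location C router mirrors it with the loopback, WAN and peer addresses swapped and the same VC ID and secrets.

```cisco
! Constructed example, not from the thread. All addresses, names and
! secrets are placeholders; replace them for a real deployment.
!
! --- IPsec site-to-site tunnel that protects the L2TPv3 traffic ---
! L2TPv3 itself has no confidentiality or integrity protection, so the
! crypto ACL must match the loopback-to-loopback tunnel traffic exactly.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <IKE-PRESHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CMAP-SITE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address L2TPV3-TUNNEL
!
! Only the pseudowire endpoints (the two loopbacks) go through IPsec.
ip access-list extended L2TPV3-TUNNEL
 permit ip host 10.255.0.1 host 10.255.0.2
!
! Tunnel endpoint; also the only routable address left for managing
! this router once Vlan1 loses its IP address (see xconnect below).
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface FastEthernet4
 ip address 203.0.113.1 255.255.255.252
 crypto map CMAP-SITE
!
! Route to the peer loopback via the WAN so the L2TPv3 packets leave
! through the interface that carries the crypto map and get encrypted.
ip route 10.255.0.2 255.255.255.255 203.0.113.2
!
! --- L2TPv3 pseudowire ---
! Control-channel authentication with a shared secret, so a stray peer
! cannot bring up a session against the endpoint.
l2tp-class L2TP-AUTH
 authentication
 password 0 <L2TP-SHARED-SECRET>
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-AUTH
 ip local interface Loopback0
 ip pmtu
!
! The SVI that is extended. As the accepted answer shows, an interface
! under xconnect is rejected if it carries an IP address.
interface Vlan1
 no ip address
 xconnect 10.255.0.2 100 encapsulation l2tpv3 pw-class PW-L2TPV3
```

The point of splitting the configuration this way is that the pseudowire is only as private as the IPsec tunnel around it: if the static route (or any later routing change) sends the loopback-to-loopback traffic out an interface without the crypto map, the extended LAN crosses the WAN in the clear, so checking `show crypto ipsec sa` for encrypt/decrypt counters on that ACL after bringing the pseudowire up is the quick sanity test.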
24 REPLIES
Beginner

Ok.. that's great ciscomax  

Here's another twist on this requirement I have to throw a spanner in the works.

See topology below....

I actually need a workstation running RA (client-to-site) VPN (i.e. AnyConnect) to a head-end (ASA ?) in the 'DC' to have this L2 extension... down to a 'Location #' site.

I.e. in the example above.  Location C.

So, workstation RA's to DC, and the workstation's MAC address/L2 to be maintained and not lost in the first RA VPN leg, and then to continue down the IPsec site-to-site between DC and Location C.

I think the latter VPN leg (is the L2TPv3 over IPsec).. but what about maintaining the MAC of the workstation/L2 extending the first VPN leg ?

Penny for your thoughts/advice.....

Contributor

Hm, I'd say this only works when Location C is the VPN headend for the remote user. 

But for a setup like your topology I'd definitely go for different subnets and clear routing, e.g. with DMVPN.

Beginner

Double hmm.. :)

a. Which can't happen as Location C is Cisco 800 series and can't terminate RA

b. I HAVE TO get an L2 extension.. because the devices down in  Location C are from process control/industrial sector land and have a weird way of being re-provisioned post a factory reset or hardware replacement.. They need to see a MAC that the workstation will fire (would be nice if they went back to a default IP address and I can reach it over a broadcast domain boundary.. but unfortunately.. not the case)..

Hence my aggression in trying to get an L2 extension from the workstation.

Follow ?

Contributor

Ok, and what is the traffic direction? FROM client TO device in C? Then you could do a NAT on the internal IF on C, so it's the same network?

Beginner

Hang on.. You've lost me.

Isn't the tricky part of L2 transparency in the first part.. the RA leg from Workstation to head-end/DC concentrator.

Post that.. I can extend L2 from DC to Location C with L2TPv3 over IPsec.. right ?

Contributor

No I haven't, I'm trying to find another solution since it's quite complex what you're trying to achieve :) 

I'd try to avoid L2 extension if there are more than 2 locations.

But OK, when DC is an IOS router (not ASA), you could run a pseudowire to extend the LAN, also you *could* place the RA IP pool in the local LAN, but I'm not sure if this works, haven't tested it yet.

My lab here is quite small :) 

Beginner

Yeh but RA tunnel will lose MAC right ?

The L2 extension is only during occurrences of maintenance windows.. not permanently run..

I think.. It's best to just use a jumpbox in DC.. forget the workstation needing to RA to DC.  And that jumpbox in DC can have its MAC/L2 extended just fine, with the L2TPv3 over IPSEC the way you described in your blog post.. agreed ?

IOS router in DC and IOS routers in all the Locations.  When maintenance is required.. L2TPv3 is built.. do the maintenance.. then drop the tunnel.

IPSEC needs to be permanent however..

Nothing wrong with that true ?

Cannot get away from L2 extension.. requirement of the hardware... remember ?

Contributor

If you have a local pool, the interface mac of the DC router will be the mac for the RA session. But with this setup the DC router is not allowed to have an IP address, perhaps you need a second router acting as a gateway.

Like you described with jumpbox should work fine!

Beginner

Yep, and the DC router is not running the software that the workstation is.. so having that MAC presented won't do anything..

Unless the router proxy-arp's on behalf of the workstation .. over the RA tunnel.. to the workstation ?

a. I don't know if that will work

b. I can't terminate RA VPN on IOS... right ?

Jump box it is .. one last confirmation from you would be handy :)

Then I'll park this thread.. :)

Contributor

I also don't know if this works (L2TPv3 endpoint also terminating RA VPNs).

But surely, every IOS router can terminate RA VPNs (Cisco VPN, IKEv2, AnyConnect and even PPTP)

Beginner

But surely, every IOS router can terminate RA VPNs (Cisco VPN, IKEv2, AnyConnect and even PPTP)

Whoops. My mistake.

http://www.cisco.com/c/en/us/products/collateral/routers/829-industrial-router/datasheet-c78-734981.html

Aka, the screenshot I've shown/text I've highlighted above correlates to what you mean ?

Means I just need to buy AnyConnect Plus licenses right ?

Ok, so I can RA concentrate/terminate on IOS with SSL VPN, AnyConnect by the looks of it.. But we're not sure whether L2TPv3 can be a VPN protocol on the 800 series for RA is what we're saying ?

Contributor

AnyConnect is fine, yes. With v3 of AnyConnect you even don't need a license for the beginning, but I'm really unsure about terminating RA VPNs *AND* L2TPv3 on the same machine!

Beginner

'Machine' being the IOS 800 series ? or you mean Microsoft Windows Workstation ?