
IPsec ikev2 with L2TP xconnect

JunaidM
Level 1

Hi,
I am working on a topology vPC---Router_11---Router_12---vPC.

I have configured IPSec IKEv2 with sVTI (GRE), and it is working properly.

Behind the switch there is Layer 2 traffic as well, which I am passing through the same router interface Tunnel 1 using the xconnect option of the pseudowire function. My tunnel is up and the xconnect is also up; for IPSec IKEv2 traffic is passing properly (packets are coming/going), but the Layer 2 traffic is not passing through the router.

R11# sh run | s L2TP
pseudowire-class L2TP
encapsulation l2tpv3
ip local interface Tunnel1
!
int fa 1/0
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class L2TP

R11# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac Fa1/0:3(Ethernet) UP l2tp 172.16.1.2:1 UP
R11#

R12# sh run | s L2TP
pseudowire-class L2TP-VPN
encapsulation l2tpv3
ip local interface Tunnel1
!
int fa 1/0
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class L2TP-VPN

R12# show xconnect all
Legend: XC ST=Xconnect State S1=Segment1 State S2=Segment2 State
UP=Up DN=Down AD=Admin Down IA=Inactive
SB=Standby HS=Hot Standby RV=Recovering NH=No Hardware

XC ST Segment 1 S1 Segment 2 S2
------+---------------------------------+--+---------------------------------+--
UP pri ac Fa1/0:3(Ethernet) UP l2tp 172.16.1.1:1 UP
R12#

Does anyone have an idea where the issue could be?


pseudowire-class L2TP
Protocol l2tpv3

This is needed on each side.

JunaidM
Level 1

I have applied it, but the status is the same; I think this command is there by default.

The xconnect status is UP but traffic is not passing; the routers are not configured with any restrictions.

Share all config of R1 and R2 please.

JunaidM
Level 1

R11#sh run
Building configuration...

Current configuration : 2030 bytes
!
! Last configuration change at 23:29:59 UTC Thu Jul 13 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R11
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
ip domain name cisco.com
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
pseudowire-class L2TP
encapsulation l2tpv3
ip local interface Tunnel1
!
!
!
crypto ikev2 proposal PROP
encryption aes-cbc-128 3des des
integrity sha256 sha1 md5
group 15 14 5 2
!
crypto ikev2 policy POL
proposal PROP
!
crypto ikev2 keyring CCIE
peer r12
address 2.2.2.2
identity address 2.2.2.2
pre-shared-key local cisco
pre-shared-key remote cisco
!
!
!
crypto ikev2 profile PF
match identity remote address 2.2.2.2 255.255.255.255
identity local address 3.3.3.3
authentication remote pre-share
authentication local pre-share
keyring local CCIE
!
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROF
set transform-set TS
set ikev2-profile PF
!
!
!
!
!
!
!
!
interface Loopback2
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile PROF
!
interface FastEthernet0/0
ip address 3.3.3.3 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
speed auto
duplex auto
no keepalive
xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class L2TP
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 3.3.3.1
ip route 192.168.2.0 255.255.255.0 172.16.1.2
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R11#

------------------------------

R12#sh run
Building configuration...

Current configuration : 2062 bytes
!
! Last configuration change at 23:22:03 UTC Thu Jul 13 2023
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R12
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
ip domain name cisco.com
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
pseudowire-class L2TP-VPN
encapsulation l2tpv3
ip local interface Tunnel1
!
!
!
crypto ikev2 proposal PROP
encryption aes-cbc-128 3des des
integrity sha256 sha1 md5
group 15 14 5 2
!
crypto ikev2 policy POL
proposal PROP
!
crypto ikev2 keyring CCIE
peer r11
address 3.3.3.3
identity address 3.3.3.3
pre-shared-key local cisco
pre-shared-key remote cisco
!
!
!
crypto ikev2 profile PROF
match identity remote address 3.3.3.3 255.255.255.255
identity local address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local CCIE
!
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROF
set transform-set TS
set ikev2-profile PROF
!
!
!
!
!
!
!
!
interface Loopback2
ip address 192.168.2.2 255.255.255.0
!
interface Tunnel1
ip address 172.16.1.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 3.3.3.3
tunnel protection ipsec profile PROF
!
interface FastEthernet0/0
ip address 2.2.2.2 255.255.255.252
duplex full
!
interface FastEthernet1/0
no ip address
speed auto
duplex auto
no keepalive
xconnect 172.16.1.1 1 encapsulation l2tpv3 pw-class L2TP-VPN
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.1.0 255.255.255.0 172.16.1.1
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

R12#
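To cross-check the two configs above mechanically, here is an added Python example (not code from this thread or from either router) that pulls the pseudowire-class, tunnel address and xconnect lines out of each side and verifies them against the peer: the pw-class named by xconnect exists, the peer's xconnect targets this side's pseudowire source address, the VC IDs match, and both tunnel ends use the same mask. The excerpts are constructed from the R11 and R12 lines posted above; on them the peering checks pass and the only finding is the differing Tunnel1 masks (/30 on R11, /24 on R12).

```python
"""Cross-check an L2TPv3 xconnect pseudowire between two IOS configs (added example,
not from the thread; excerpts are constructed from the R11/R12 lines posted above)."""
R11 = """pseudowire-class L2TP
 encapsulation l2tpv3
 ip local interface Tunnel1
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
interface FastEthernet1/0
 xconnect 172.16.1.2 1 encapsulation l2tpv3 pw-class L2TP
"""
# R12's excerpt differs only in the class name, the Tunnel1 address/mask and the xconnect peer.
R12 = (R11.replace("L2TP", "L2TP-VPN").replace("xconnect 172.16.1.2", "xconnect 172.16.1.1")
       .replace("172.16.1.1 255.255.255.252", "172.16.1.2 255.255.255.0"))

def parse(cfg):
    """Return (interfaces, pw-classes, xconnects) from a running-config excerpt."""
    ifs, pws, xcs, sect = {}, {}, [], None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in ("interface", "pseudowire-class"):
            sect = w[1]
            (ifs if w[0] == "interface" else pws)[sect] = {}
        elif w[:2] == ["ip", "address"]:
            ifs[sect] = {"ip": w[2], "mask": w[3]}
        elif w[:3] == ["ip", "local", "interface"]:
            pws[sect]["local_if"] = w[3]
        elif w[0] == "xconnect":  # xconnect <peer> <vcid> encapsulation <type> pw-class <name>
            xcs.append({"if": sect, "peer": w[1], "vcid": w[2], "pwclass": w[6]})
    return ifs, pws, xcs

def check(cfg_a, cfg_b):
    """Check each xconnect from both ends against its peer; return sorted findings."""
    a, b, out = parse(cfg_a), parse(cfg_b), set()
    for (ifs, pws, xcs), (rifs, rpws, rxcs) in ((a, b), (b, a)):
        for xc in xcs:
            pw = pws.get(xc["pwclass"])
            if pw is None:
                out.add(f"{xc['if']}: pw-class {xc['pwclass']} is not defined")
                continue
            local = ifs.get(pw.get("local_if"), {})  # this end's pseudowire source interface
            rxc = next((r for r in rxcs if r["vcid"] == xc["vcid"]), None)
            if rxc is None:
                out.add(f"{xc['if']}: peer has no xconnect with VC ID {xc['vcid']}")
                continue
            if rxc["peer"] != local.get("ip"):  # the peer must target our source address
                out.add(f"{xc['if']}: peer targets {rxc['peer']} but {pw.get('local_if')} has {local.get('ip')}")
            remote = rifs.get(rpws.get(rxc["pwclass"], {}).get("local_if"), {})
            if "mask" in local and "mask" in remote and local["mask"] != remote["mask"]:
                ends = sorted(f"{i['ip']}/{i['mask']}" for i in (local, remote))
                out.add(f"tunnel mask mismatch: {ends[0]} vs {ends[1]}")
    return sorted(out)
```

The checker looks only at the pseudowire peering, not at the crypto section; note that the IKEv2 proposal on both routers still offers des, 3des, md5 and DH groups 2 and 5 alongside the stronger options.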

I ran the lab and it succeeded the first time.
Did you no shut the interface (the one under which you configured xconnect)?
NOTE:- I used IKEv1


This is with IKEv2,
also successful, no issue.
NOTE:-
crypto ikev2 keyring CCIE
peer r11
address 3.3.3.3
identity address 3.3.3.3 <<- delete this only for IKEv2
pre-shared-key local cisco
pre-shared-key remote cisco

JunaidM
Level 1

Technically it should work, but I do not know why it is not working for me. I am running multiple labs these days and actually getting stuck. I've even tried changing the routers, removed the identity command in the keyring, and even removed the custom IKEv2 PROPOSAL and POLICY, still the same. I am making some mistake but I am unable to identify it, as it should work as per the configurations.

Did you no shut the xconnect interface?

JunaidM
Level 1

Yeah, actually I built the lab 4 different times, and what I found now is that I believe the L2 packets over xconnect are not passing: when I ping from PC1 to PC2 on the other side, the packets from PC1 to the 1st hop Router1 are not reaching it; when I run Wireshark I can see ARP broadcasts but nothing else.

Further, I have observed that the IOS image I am using (c7200-advipservicesk9-mz.152-4.S5.image) is not working with xconnect, but when I changed that image to another IOS (c7200-adventerprisek9-mz.152-4.M7.image) it worked and traffic via L2TP passed, even though xconnect was showing UP in the 1st .S7 IOS.

I am not able to test the full configuration, as the 2nd router's .M7 image is working fine with xconnect but seems not to support IKEv2. I will test the configurations on the EVE platform; I cannot reach it at the moment, but I will test it again.

Can you please tell me which IOS you are using?

Sure, I will send you the exact name.

But this is the second time you face an issue with the 7200; I think this image is not stable.

Do you have vmware with gns3?

I actually do not have access to that machine at the moment; I will get to it as soon as I can to sort this out with EVE. Currently I am using a MacBook, which has some restrictions as VMware is unsupported.
I will surely test this out and share the status.

IOU1#show run
IOU1#show running-config
Building configuration...

Current configuration : 2878 bytes
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOU1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!


!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
!
ip tcp synwait-time 5
pseudowire-class mhm
encapsulation l2tpv3
ip local interface Tunnel0
!
!
!
crypto ikev2 proposal mhm
encryption des
integrity md5
group 5
!
crypto ikev2 policy mhm
proposal mhm
!
crypto ikev2 keyring mhm
peer IOU2
address 100.0.0.2
pre-shared-key local mhm
pre-shared-key remote mhm
!
!
!
crypto ikev2 profile mhm
match identity remote address 100.0.0.2 255.255.255.255
identity local address 100.0.0.1
authentication remote pre-share
authentication local pre-share
keyring local mhm
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 100.0.0.2
!
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
!
crypto ipsec profile mhm
set transform-set mhm
!
crypto ipsec profile mhmikv2
set transform-set mhm
set ikev2-profile mhm
!
!
!
!
!
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 100.0.0.2
tunnel protection ipsec profile mhmikv2
!
interface Ethernet0/0
ip address 100.0.0.1 255.255.255.0
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Ethernet1/0
no ip address
shutdown
!
interface Ethernet1/1
no ip address
xconnect 5.0.0.2 10 encapsulation l2tpv3 pw-class mhm
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
transport input none
!
!
end

IOU1#

IOU2#show run
IOU2#show running-config
Building configuration...

Current configuration : 2878 bytes
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IOU2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
!
!
!
!
!


!
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
!
!
!
redundancy
!
!
ip tcp synwait-time 5
pseudowire-class mhm
encapsulation l2tpv3
ip local interface Tunnel0
!
!
!
crypto ikev2 proposal mhm
encryption des
integrity md5
group 5
!
crypto ikev2 policy mhm
proposal mhm
!
crypto ikev2 keyring mhm
peer IOU1
address 100.0.0.1
pre-shared-key local mhm
pre-shared-key remote mhm
!
!
!
crypto ikev2 profile mhm
match identity remote address 100.0.0.1 255.255.255.255
identity local address 100.0.0.2
authentication remote pre-share
authentication local pre-share
keyring local mhm
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key mhm address 100.0.0.1
!
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
!
crypto ipsec profile mhm
set transform-set mhm
!
crypto ipsec profile mhmikv2
set transform-set mhm
set ikev2-profile mhm
!
!
!
!
!
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 100.0.0.1
tunnel protection ipsec profile mhmikv2
!
interface Ethernet0/0
ip address 100.0.0.2 255.255.255.0
!
interface Ethernet0/1
no ip address
shutdown
!
interface Ethernet0/2
no ip address
shutdown
!
interface Ethernet0/3
no ip address
shutdown
!
interface Ethernet1/0
no ip address
shutdown
!
interface Ethernet1/1
no ip address
xconnect 5.0.0.1 10 encapsulation l2tpv3 pw-class mhm
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
interface Serial2/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial2/3
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial3/3
no ip address
shutdown
serial restart-delay 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
transport input none
!
!
end

IOU2#


zedlouder99
Level 1

IPsec with IKEv2 and L2TP xconnect is a secure VPN configuration that combines multiple protocols to establish encrypted and authenticated connections between endpoints. IPsec ensures data confidentiality, integrity, and authentication, protecting information from unauthorized access and tampering. IKEv2 handles the key management, facilitating the secure exchange of encryption keys between the devices involved in the VPN tunnel. L2TP xconnect, on the other hand, provides a tunneling mechanism for encapsulating the IPsec-secured packets within L2TP frames, allowing secure data transmission over the Internet or untrusted networks. This comprehensive setup is commonly used in remote access scenarios or site-to-site connectivity, offering a robust and reliable solution for establishing secure communication channels between networks or devices.