Layer 2 VPN Tunnel between two IR829 via Cellular.

DSN4Life
Level 1

Hi everyone,

How are you? I was wondering if it is possible to build a Layer2 Tunnel between IR829-1 and IR829-2 using Cellular. And if it is, would anyone be able to assist me in doing so?

Thank you very much

Accepted Solutions

ammahend
VIP

I haven't tested this on an industrial router but, considering the topology below, you can try this config. It's very basic, just replace the WAN IPs with your cellular public IPs.

ammahend_1-1659627024273.png

On R1

int tun 1
 ip add 172.16.1.1 255.255.255.0
 tunnel source 1.1.1.1
 ! in your case it would be your cellular GW IP
 tunnel destination 2.2.2.2
!
crypto ikev2 keyring MYKEY
 peer R2
  address 2.2.2.2
  ! you should choose a better password
  pre-shared-key cisco
!
crypto ikev2 profile MYVPN
 authentication local pre-share
 authentication remote pre-share
 keyring local MYKEY
 match identity remote address 2.2.2.2 255.255.255.255
!
! IPsec profile that binds the IKEv2 profile to the tunnel; "tunnel protection
! ipsec profile" takes an IPsec profile name (MYIPSEC is a placeholder name)
crypto ipsec profile MYIPSEC
 set ikev2-profile MYVPN
!
int tun 1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPSEC
!
pseudowire-class MYCLASS
 encapsulation l2tpv3
 ip local int tun 1
!
int g0/0
 xconnect 172.16.1.2 1000 encapsulation l2tpv3 pw-class MYCLASS
!

Repeat the same on R2 with R1 addresses

To verify

show crypto session
show xconnect all

hope this helps

-hope this helps-

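An added example, not part of the original post or any Cisco tooling: L2TPv3 does not encrypt the frames it carries, so in the configuration above confidentiality depends on the xconnect peer (172.16.1.2) sitting inside the IPsec-protected Tunnel1 subnet, and on the pre-shared key being strong. This Python check audits a saved config for both conditions; the sample config is constructed, and the profile name MYIPSEC, the weak-key list and the 20-character minimum are assumptions.

```python
import ipaddress
import re

# Constructed sample modelled on R1 in the thread (placeholder PSK left in).
SAMPLE_R1 = """\
crypto ikev2 keyring MYKEY
 peer R2
  address 2.2.2.2
  pre-shared-key cisco
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.0
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYIPSEC
!
interface GigabitEthernet0
 xconnect 172.16.1.2 1000 encapsulation l2tpv3 pw-class MYCLASS
"""

WEAK_KEYS = {"cisco", "password", "secret", "123456"}  # illustrative, not exhaustive
MIN_PSK_LEN = 20                                       # assumed local policy

def audit(config):
    """Return findings for weak IKEv2 PSKs and pseudowires outside IPsec."""
    findings = []
    protected = []  # subnets of tunnel interfaces that carry tunnel protection
    # A stanza is a column-0 line plus the indented lines that follow it.
    for stanza in re.split(r"\n(?=\S)", config):
        s = stanza.lower()
        if s.startswith("interface tunnel") and "tunnel protection ipsec" in s:
            m = re.search(r"ip address (\S+) (\S+)", s)
            if m:
                protected.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    for key in re.findall(r"^\s*pre-shared-key (?:local |remote )?(\S+)", config, re.M):
        if key.lower() in WEAK_KEYS or len(key) < MIN_PSK_LEN:
            # Report the length only, so the secret never lands in audit output.
            findings.append(f"weak IKEv2 pre-shared key (length {len(key)})")
    for peer in re.findall(r"^\s*xconnect (\S+) \d+ encapsulation l2tpv3", config, re.M):
        if not any(ipaddress.ip_address(peer) in net for net in protected):
            findings.append(f"xconnect peer {peer} is outside every IPsec-protected tunnel subnet")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_R1):
        print(finding)
```

The subnet match is a static heuristic; confirm on the router with the thread's own verification commands that the pseudowire traffic actually flows through the encrypted session.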


If the xconnect command appears under the interface, then it can be configured.

If the routers support xconnect under GigabitEthernet, then yes, the config you shared is OK.

DSN4Life
Level 1

Thanks for the config and topology @ammahend and the confirmation @MHM Cisco World. When I get to work today, I will try the said topology and will update you two.

DSN4Life
Level 1

I managed to log in to both IR829 routers and configured them according to what you suggested, @ammahend, and yup, it looks like the l2tp has been built. Thank you so much for that. Your help and assistance are much appreciated.

According to your diagram, the 192.168.1.0/24 address is connected to Gi0 in my IR829. I am assuming that G0/0 is configured as an access port of some sort, since it can pass one network. Is it possible to have more than one network pass through that Layer 2 tunnel? That is, does Gi0/0 have some sort of QinQ functionality? (I just checked Gi0, and it looks like it cannot do any Layer 2 commands like "switchport type trunk".)

I saw "vlan-id dot1q 2000" and "vlan-range dot1q 2000 2001" etc. Are these commands ok to be used?

 

Thank you very much, and I apologise for the bother as well.

DSN4Life
Level 1

Hello everyone, I tried to connect a trunk port to the WLAN-Gi0 port on both ends, and it looks like traffic from different VLANs is being propagated, even without configuring the vlan-id or vlan-range.

Once again, thank you for the help and assistance @ammahend. Really appreciate it.

You are welcome

-hope this helps-