Cisco routers can extend Layer 2 networks securely over a FlexVPN IPsec VPN tunnel, which allows physically separate devices to sit on the same local LAN. This post describes the configuration steps needed to achieve connectivity between the two PCs, extending the 10.10.1.0/24 network over an IPsec VPN using an L2TPv3 pseudowire.
This post does not cover the full configuration of FlexVPN SVTI; refer to the previous posts on configuring FlexVPN.
The figure below represents the topology used.

Configuration
Both routers are configured with a standard FlexVPN static VTI; the tunnel interfaces borrow their IP address from Loopback0.
- L2TPv3 uses the Tunnel interface and the Tunnel IP address, so verify that the VPN tunnel is UP and that the peers' tunnel IP addresses can reach each other before configuring L2TPv3.
R4 (LEFT)
pseudowire-class L2TP
 encapsulation l2tpv3
 ip local interface Tunnel1
!
interface Loopback0
 description Tunnel Loopback
 ip address 172.21.1.4 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.1
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/1
 no ip address
 xconnect 172.21.1.2 1000 encapsulation l2tpv3 pw-class L2TP
NOTE – the xconnect IP address is the peer's (R2) tunnel IP address, i.e. its Loopback0 address, so the L2TPv3 traffic is forwarded through the IPsec-protected tunnel rather than the underlay.
R2 (RIGHT)
pseudowire-class L2TP
 encapsulation l2tpv3
 ip local interface Tunnel1
!
interface Loopback0
 description Tunnel loopback
 ip address 172.21.1.2 255.255.255.255
!
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 4.4.4.1
 tunnel protection ipsec profile IPSEC-PROFILE
!
interface GigabitEthernet0/1
 no ip address
 xconnect 172.21.1.4 1000 encapsulation l2tpv3 pw-class L2TP
NOTE – the xconnect IP address is the peer's (R4) tunnel IP address. The VC ID (1000 here) must match on both ends.
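As an added consistency check (not from the post or Cisco), the following Python script parses the two router configurations above and confirms the cross-references the notes describe: the pseudowire class uses l2tpv3, its local interface carries IPsec protection, each xconnect peer address is the other router's Loopback0, and the VC IDs match. The trimmed configs embedded below are constructed from the post's R4/R2 examples.

```python
# Constructed sample: R4's config from the post, trimmed to the lines that matter.
R4_CFG = """\
pseudowire-class L2TP
 encapsulation l2tpv3
 ip local interface Tunnel1
interface Loopback0
 ip address 172.21.1.4 255.255.255.255
interface Tunnel1
 ip unnumbered Loopback0
 tunnel protection ipsec profile IPSEC-PROFILE
interface GigabitEthernet0/1
 xconnect 172.21.1.2 1000 encapsulation l2tpv3 pw-class L2TP
"""
# R2 mirrors R4 with its own loopback and the peer address swapped.
R2_CFG = R4_CFG.replace("172.21.1.4", "@").replace("172.21.1.2", "172.21.1.4").replace("@", "172.21.1.2")

def parse(cfg):
    """Pull out the fields that must agree between the two pseudowire ends."""
    f = {"protected": set()}  # interfaces carrying 'tunnel protection ipsec'
    block = None
    for line in cfg.splitlines():
        w = line.split()
        if not w: continue
        if not line.startswith(" "):
            block = w[-1]  # section name, e.g. Loopback0, Tunnel1, L2TP
        elif w[0] == "encapsulation":
            f["encap"] = w[1]
        elif w[:3] == ["ip", "local", "interface"]:
            f["local_if"] = w[3]
        elif w[:2] == ["ip", "address"] and block.startswith("Loopback"):
            f["loopback"] = w[2]
        elif w[:2] == ["tunnel", "protection"]:
            f["protected"].add(block)
        elif w[0] == "xconnect":
            f["peer"], f["vcid"] = w[1], w[2]
    return f

def check_pair(a, b):
    """Return the mismatches for an L2TPv3-over-FlexVPN pair (empty list = consistent)."""
    problems = []
    for me, peer, name in ((a, b, "A"), (b, a, "B")):
        if me.get("encap") != "l2tpv3":
            problems.append(f"{name}: pw-class encapsulation is not l2tpv3")
        if me.get("local_if") not in me["protected"]:
            problems.append(f"{name}: L2TPv3 source {me.get('local_if')} has no IPsec protection")
        if me.get("peer") != peer.get("loopback"):
            problems.append(f"{name}: xconnect peer {me.get('peer')} is not the remote loopback")
    if a.get("vcid") != b.get("vcid"):
        problems.append(f"VC IDs differ: {a.get('vcid')} vs {b.get('vcid')}")
    return problems
```

Run `check_pair(parse(R4_CFG), parse(R2_CFG))` against the real `show running-config` output of both routers; a non-empty list points at the line that will leave the pseudowire down or, worse, sourced from an unprotected interface.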
Verification
Set IP addresses on the host computers; in this instance the hosts are VPCS instances.
VPCS> ip 10.10.1.1
Checking for duplicate address...
VPCS : 10.10.1.1 255.255.255.0

VPCS> ping 10.10.1.1      << ping yourself
10.10.1.1 icmp_seq=1 ttl=64 time=0.001 ms
10.10.1.1 icmp_seq=2 ttl=64 time=0.001 ms
10.10.1.1 icmp_seq=3 ttl=64 time=0.001 ms
10.10.1.1 icmp_seq=4 ttl=64 time=0.001 ms
10.10.1.1 icmp_seq=5 ttl=64 time=0.001 ms

VPCS> ping 10.10.1.2      << ping the peer over the tunnel
84 bytes from 10.10.1.2 icmp_seq=1 ttl=64 time=3.963 ms
84 bytes from 10.10.1.2 icmp_seq=2 ttl=64 time=3.180 ms
84 bytes from 10.10.1.2 icmp_seq=3 ttl=64 time=2.918 ms
84 bytes from 10.10.1.2 icmp_seq=4 ttl=64 time=3.242 ms
84 bytes from 10.10.1.2 icmp_seq=5 ttl=64 time=3.687 ms
Ping from VPC7 (LEFT) to VPC8 (RIGHT) and take a packet capture on the remote side (VPC8); the ICMP traffic arrives as plain Ethernet frames, as if both hosts were on the same switch.

Confirm that the traffic between the routers is encrypted: a capture on the underlay should show only ISAKMP (IKEv2) and ESP, never L2TPv3 (IP protocol 115) in the clear.

Confirm that the IKEv2 SA has been established.
R4#show crypto ikev2 sa detail
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         4.4.4.1/500           2.2.2.1/500           none/none            READY
      Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1353 sec
      CE id: 1010, Session-id: 10
      Status Description: Negotiation done
      Local spi: 97F30F605142CA44       Remote spi: 33470A9F4ECF9794
      Local id: R4.domain.vpn
      Remote id: R2.domain.vpn
      Local req msg id:  135            Remote req msg id:  138
      Local next msg id: 135            Remote next msg id: 138
      Local req queued:  135            Remote req queued:  138
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 2
      Fragmentation not configured.
      Dynamic Route Update: disabled
      Extended Authentication not configured.
      NAT-T is not detected
      Cisco Trust Security SGT is disabled
      Initiator of SA : No
      Remote subnets:
      172.21.1.2 255.255.255.255

 IPv6 Crypto IKEv2  SA
Confirm basic connectivity between the peer routers' tunnel IP addresses.
R4#show ip int br | i 172.21.
Loopback0                  172.21.1.4      YES manual up                    up
Tunnel1                    172.21.1.4      YES TFTP   up                    up
R4#ping 172.21.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.21.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms
R4#
With a working VPN tunnel and connectivity between the peer routers' loopback IP addresses, the xconnect is able to establish the pseudowire. Use the command show xconnect all to confirm that both segments are UP.
R4#show xconnect all
Legend:    XC ST=Xconnect State  S1=Segment1 State  S2=Segment2 State
  UP=Up       DN=Down            AD=Admin Down      IA=Inactive
  SB=Standby  HS=Hot Standby     RV=Recovering      NH=No Hardware

XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri   ac Gi0/1:3(Ethernet)            UP l2tp 172.21.1.2:1000              UP
R4#
The command show l2tun session all provides more information on the L2 tunnel.
R2#show l2tun session all
L2TP Session Information Total tunnels 1 sessions 1

Session id 3387697532 is up, logical session id 32839, tunnel id 3722024725
  Remote session id is 3087429896, remote tunnel id 1191575910
  Remotely initiated session
  Unique ID is 0
Session Layer 2 circuit, type is Ethernet, name is GigabitEthernet0/1
  Session vcid is 1000
  Circuit state is UP
    Local circuit state is UP
    Remote circuit state is UP
Call serial number is 3449400001
Remote tunnel name is R4
  Internet address is 172.21.1.4
Local tunnel name is R2
  Internet address is 172.21.1.2
IP protocol 115
  Session is L2TP signaled
  Session state is established, time since change 00:55:36
    14 Packets sent, 14 received
    1236 Bytes sent, 1236 received
  Last clearing of counters never
  Counters, ignoring last clear:
    14 Packets sent, 14 received
    1236 Bytes sent, 1236 received
    Receive packets dropped:
      out-of-order:             0
      other:                    0
      total:                    0
    Send packets dropped:
      exceeded session MTU:     0
      other:                    0
      total:                    0
  DF bit off, ToS reflect disabled, ToS value 0, TTL value 255
  Sending UDP checksums are disabled
  Received UDP checksums are verified
  No session cookie information available
  FS cached header information:
    encap size = 24 bytes
    45000014 00000000 ff736146 ac150102
    ac150104 b8067108
  Sequencing is off
  Conditional debugging is disabled
  SSM switch id is 4096, SSM segment id is 8266
