Cisco L2TPv3 with no IPSEC data encryption
Posted: Wed Sep 06, 2017 6:01 am
Hi there,
We have our own LTE-based test lab network with private IP addressing and routing. We are trying to set up a Cisco IR809 LTE modem to do L2TPv3 tunneling to a Linux-based SoftEther VPN server.
The idea here is to extend the layer 2 Ethernet network from the LAN side across the LTE/IP underlay to the IR809 GE0 port, where Ethernet devices are connected. We have been able to set this up following the guide below, and everything works as expected:
https://www.softether.org/4-docs/2-howt ... uter_Setup
However, we want to try and do this without encryption being mandatory for the L2TPv3 user plane data. As I understand it, the control signalling must be encrypted. The reason for this is that we are using SoftEther VPN to bridge Ethernet-based networks together over LTE/IP, and these networks are also private/secure. So we don't actually require encryption.
I have tried the configuration below, but continually get the following error on the SoftEther VPN server. Hoping that someone might be able to tell us a workaround, such as changing the source code for example.
-----------------------------
(192.168.34.200:4500 -> 192.168.20.120:4500): This IKE SA is established between the server and the client.
(192.168.34.200:4500 -> 192.168.20.120:4500): There are no acceptable transform proposals from the client for establishing an IPsec SA.
-----------------------------
pseudowire-class L2TPv3
encapsulation l2tpv3
ip local interface Cellular0
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key vpn address 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
!
!
!
crypto map MAP 1 ipsec-isakmp
set peer 192.168.20.120
set transform-set nullset
match address IPSEC_MATCH_RULE
!
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
no cdp enable
xconnect 192.168.20.120 1 encapsulation l2tpv3 pw-class L2TPv3
bridge-group 1
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer watch-group 1
dialer-group 1
crypto map MAP
!
ip route 0.0.0.0 0.0.0.0 Cellular0
------------------------------------
Thanks,
Ben
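An added example, not part of the original post and not SoftEther or Cisco code: a small Python audit that parses the IOS crypto configuration posted above and reports what the crypto map applied to Cellular0 actually offers the peer. The server log shows that IKE phase 1 completed and that phase 2 then found no acceptable transform proposal; the audit makes visible that the only proposal the router offers on that interface is the esp-null set, and also flags the wildcard pre-shared key and the 1024-bit DH group. The embedded sample is the posted configuration with IOS indentation restored and the `esp-aes 256` typo corrected; the finding strings and the weak-algorithm lists are my own assumptions, not anything the page states.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the IR809 configuration from the post above, indentation
# restored and "esp-ae s 256" corrected to "esp-aes 256".
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key vpn address 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
 mode transport
!
crypto map MAP 1 ipsec-isakmp
 set peer 192.168.20.120
 set transform-set nullset
 match address IPSEC_MATCH_RULE
!
interface GigabitEthernet0
 no ip address
 xconnect 192.168.20.120 1 encapsulation l2tpv3 pw-class L2TPv3
!
interface Cellular0
 ip address negotiated
 crypto map MAP
!
"""

# Assumed classification (my own lists, not from the page).
NULL_ENCRYPTION = {"esp-null"}            # integrity only, payload in cleartext
WEAK_ENCRYPTION = {"esp-des", "esp-3des"}  # 64-bit block ciphers
WEAK_DH_GROUPS = {"1", "2", "5"}           # 768/1024/1536-bit MODP


@dataclass
class CryptoConfig:
    isakmp_policies: Dict[str, Dict[str, str]] = field(default_factory=dict)
    wildcard_psk: bool = False
    transform_sets: Dict[str, List[str]] = field(default_factory=dict)
    crypto_maps: Dict[str, Dict[str, List[str]]] = field(default_factory=dict)
    interface_maps: Dict[str, str] = field(default_factory=dict)  # interface -> map name


def parse_ios_crypto(text: str) -> CryptoConfig:
    """Extract the IKE/IPsec-relevant parts of an IOS running-config.

    Indentation is ignored so that configs pasted into a forum post (where
    leading spaces are usually lost) parse the same as 'show running-config'.
    """
    cfg = CryptoConfig()
    section: Optional[Tuple[str, str]] = None  # ("policy"|"map"|"interface", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("!", "end"):
            section = None
            continue
        tok = line.split()
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            section = ("policy", tok[3])
            cfg.isakmp_policies[tok[3]] = {}
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg.transform_sets[tok[3]] = tok[4:]   # e.g. ["esp-null", "esp-sha-hmac"]
            section = None
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            section = ("map", tok[2])
            cfg.crypto_maps.setdefault(tok[2], {"peer": [], "transform_sets": []})
        elif tok[0] == "interface":
            section = ("interface", tok[1])
        elif section and section[0] == "interface" and tok[:2] == ["crypto", "map"]:
            cfg.interface_maps[section[1]] = tok[2]   # 'crypto map NAME' on the interface
        elif tok[:3] == ["crypto", "isakmp", "key"]:
            # 'crypto isakmp key <key> address <peer>'; 0.0.0.0 accepts any peer
            if "address" in tok and tok[tok.index("address") + 1] == "0.0.0.0":
                cfg.wildcard_psk = True
            section = None
        elif tok[0] == "crypto":
            section = None   # any other global crypto command ends the current block
        elif section is not None:
            kind, name = section
            if kind == "policy" and len(tok) >= 2:
                cfg.isakmp_policies[name][tok[0]] = " ".join(tok[1:])
            elif kind == "map" and tok[:2] == ["set", "peer"]:
                cfg.crypto_maps[name]["peer"].extend(tok[2:])
            elif kind == "map" and tok[:2] == ["set", "transform-set"]:
                cfg.crypto_maps[name]["transform_sets"].extend(tok[2:])
    return cfg


def audit(cfg: CryptoConfig) -> List[str]:
    """Return human-readable findings about what the applied crypto maps offer."""
    findings: List[str] = []
    if cfg.wildcard_psk:
        findings.append("wildcard pre-shared key (address 0.0.0.0): any peer that "
                        "knows the PSK can complete IKE phase 1")
    for num, pol in cfg.isakmp_policies.items():
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: DH group {pol['group']} is a weak MODP group")
    referenced = set()
    for iface, map_name in cfg.interface_maps.items():
        cmap = cfg.crypto_maps.get(map_name)
        if cmap is None:
            findings.append(f"{iface}: crypto map {map_name} applied but never defined")
            continue
        for ts in cmap["transform_sets"]:
            referenced.add(ts)
            algs = set(cfg.transform_sets.get(ts, []))
            if algs & NULL_ENCRYPTION:
                findings.append(f"{iface}: crypto map {map_name} offers transform-set {ts} "
                                f"with esp-null: ESP integrity only, the tunnelled L2TPv3 "
                                f"frames cross the underlay in cleartext")
            elif algs & WEAK_ENCRYPTION:
                findings.append(f"{iface}: transform-set {ts} uses a 64-bit block cipher")
    for ts in sorted(set(cfg.transform_sets) - referenced):
        findings.append(f"transform-set {ts} is defined but not referenced by an applied crypto map")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ios_crypto(SAMPLE_CONFIG)):
        print("-", finding)
```

Running it against the posted config lists the esp-null offer on Cellular0, the wildcard PSK, DH group 2 and the unused `IPSEC` (esp-aes 256) set; pointing the crypto map at `IPSEC` instead of `nullset` removes the cleartext finding, which is the quickest way to confirm whether the server's rejection is specific to the null proposal.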