
Cisco L2TPv3 with no IPSEC data encryption

Posted: Wed Sep 06, 2017 6:01 am
by blarcombe
Hi there,

We have our own LTE-based Test Lab network with private IP addressing and routing. We are trying to set up a Cisco IR809 LTE modem to do L2TPv3 tunneling to a Linux-based SoftEther VPN server.

The idea here is to extend the layer 2 Ethernet network from the LAN side across the LTE/IP underlay to the IR809 GE0 port, where Ethernet devices are connected. We have been able to set this up using the following guide and everything works as expected: ... uter_Setup

However, we want to try to do this without encryption being mandatory for the L2TPv3 user plane data. As I understand it, the control signalling must be encrypted. The reason for this is that we are using SoftEther VPN to bridge Ethernet-based networks together over LTE/IP, and these networks are also private/secure. So we don't actually require encryption.

I have tried the configuration below, but continually get the following error on the SoftEther VPN server. Hoping that someone might be able to tell us a workaround, such as changing the source code for example.


( -> This IKE SA is established between the server and the client.
( -> There are no acceptable transform proposals from the client for establishing an IPsec SA.


pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Cellular0
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key vpn address
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
 mode transport
crypto ipsec fragmentation after-encryption
crypto map MAP 1 ipsec-isakmp
 set peer
 set transform-set nullset
 match address IPSEC_MATCH_RULE
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 1 encapsulation l2tpv3 pw-class L2TPv3
 bridge-group 1
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string lte
 dialer watch-group 1
 dialer-group 1
 crypto map MAP

ip route Cellular0
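
A configuration check for the setup posted above, as an added example that is not part of the original post or of SoftEther or Cisco code: it walks IOS configuration text and reports every interface whose crypto map references an esp-null transform set, meaning the bridged Ethernet frames crossing that interface are authenticated but not encrypted. The sample text is constructed from the configuration in the post; the function name audit_esp_null and the reliance on the indentation that show running-config produces are assumptions.

```python
# Constructed sample, modelled on the configuration in the post above.
SAMPLE = """\
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
 mode transport
crypto map MAP 1 ipsec-isakmp
 set transform-set nullset
 match address IPSEC_MATCH_RULE
interface GigabitEthernet0
 no ip address
interface Cellular0
 ip address negotiated
 crypto map MAP
"""

def audit_esp_null(config):
    """Return sorted (interface, crypto map, transform set) triples where the
    interface can negotiate ESP with NULL encryption (integrity only)."""
    null_sets = set()   # transform sets that include esp-null
    map_sets = {}       # crypto map name -> transform sets it may negotiate
    iface_maps = {}     # interface name -> crypto map applied to it
    ctx = None          # current top-level block: ("map" | "iface", name)
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[:1].isspace():          # a new top-level command
            ctx = None
            if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 3:
                if "esp-null" in words[4:]:
                    null_sets.add(words[3])
            elif words[:2] == ["crypto", "map"] and len(words) > 2:
                ctx = ("map", words[2])     # all sequence numbers share one name
                map_sets.setdefault(words[2], set())
            elif words[0] == "interface" and len(words) > 1:
                ctx = ("iface", words[1])
        elif ctx and ctx[0] == "map" and words[:2] == ["set", "transform-set"]:
            map_sets[ctx[1]].update(words[2:])   # several sets may be listed
        elif ctx and ctx[0] == "iface" and words[:2] == ["crypto", "map"] and len(words) > 2:
            iface_maps[ctx[1]] = words[2]
    return sorted((iface, cmap, ts)
                  for iface, cmap in iface_maps.items()
                  for ts in map_sets.get(cmap, ())
                  if ts in null_sets)

if __name__ == "__main__":
    for iface, cmap, ts in audit_esp_null(SAMPLE):
        print(f"{iface}: crypto map {cmap} allows transform set {ts} (ESP-NULL)")
```

A transform set that is defined but never referenced by an applied crypto map, such as IPSEC in the sample, is not reported, because only sets reachable from an interface can be negotiated.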



Re: Cisco L2TPv3 with no IPSEC data encryption

Posted: Thu Sep 14, 2017 9:05 am
by cedar
The list of ciphers which is used in IPsec is hardcoded in the following file. ... et.c#L2557

Re: Cisco L2TPv3 with no IPSEC data encryption

Posted: Mon Sep 18, 2017 1:35 am
by blarcombe

Re: Cisco L2TPv3 with no IPSEC data encryption

Posted: Sun Apr 18, 2021 1:38 pm
by cripps477

Saw this post. I have been looking for something that will do a stretched VLAN, but with security.
With the L2TPv3 to a Cisco router I can see encryption/IPsec, so that's fine; for the server-to-server equivalent, how do I impose encryption for the traffic to secure traffic over the internet for Layer 2 to Layer 2 bridging?