Cisco ASR 1004 L2TPv3 Pseudowire IPSec Encryption

Here I'm going to show a basic configuration for encrypting a 10G link that carries a stretched Layer 2 subnet: an L2TPv3 pseudowire between two data centers, with the pseudowire traffic protected by IPsec. The reason for doing this could be PCI DSS or HIPAA compliance. If that is the driver, make sure the devices (and the software release and crypto settings you run on them) are FIPS 140-2 validated. See the link below for the Cisco devices that are.

http://www.cisco.com/web/strategy/government/security_certification/net_business_benefit_seccert_fips140.html

Since this is a 10G link, I am using a Cisco ASR 1004 with a 40-Gbps ESP (Embedded Services Processor, the forwarding and crypto engine; not to be confused with the IPsec ESP protocol named in the transform set below) at each end. Per the ASR 1000 data sheet, the 40-Gbps ESP is the only one that supports a full 10G of encrypted throughput (http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-450070.html).

The subnet being stretched is 10.1.2.0/24. On each ASR the LAN-side TenGigabitEthernet0/0/0 has no IP address and is cross-connected into an L2TPv3 pseudowire, so Ethernet frames for that subnet are tunneled as IP protocol 115 between the WAN-side addresses 10.1.2.2 (DC A) and 10.1.2.1 (DC B); the crypto map on the WAN interface matches that protocol 115 traffic and encrypts it with ESP.

A few caveats before calling this FIPS or PCI grade. The ISAKMP policy is IKEv1 with encr aes (which is AES-128), the default SHA-1 hash and DH group 2 (1024-bit MODP), which NIST SP 800-131A no longer allows for key agreement; use group 14 or higher (or an ECP group such as 19 or 20), hash sha256, and encr aes 256 to match the transform set. The pre-shared key cisco is a placeholder and must be replaced with a long random key. Tunnel mode works, but since the IPsec peers are the same two routers that terminate the pseudowire, transport mode would protect the same traffic with 20 fewer bytes of overhead per packet, which matters when the LAN and WAN interfaces are both already at mtu 9216.

DC A:

l2tp-class CORDERO-L2TPV3-CLASS
 retransmit retries 30
 cookie size 8

pseudowire-class CORDERO-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 CORDERO-L2TPV3-CLASS
 ip local interface TenGigabitEthernet0/1/0
 ip pmtu

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! "cisco" is a placeholder pre-shared key; replace it with a long random string
crypto isakmp key cisco address 10.1.2.1 no-xauth

crypto ipsec transform-set CORDERO-TS esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map CORDERO-VPN 10 ipsec-isakmp
 set peer 10.1.2.1
 set transform-set CORDERO-TS
 match address VPN

interface TenGigabitEthernet0/0/0
 description LAN SIDE
 mtu 9216
 no ip address
 xconnect 10.1.2.1 1 encapsulation l2tpv3 pw-class CORDERO-L2TPV3

interface TenGigabitEthernet0/1/0
 description WAN SIDE
 mtu 9216
 ip address 10.1.2.2 255.255.255.0
 crypto map CORDERO-VPN

! IP protocol 115 is L2TPv3 over IP, so every pseudowire packet leaving the WAN interface is encrypted
ip access-list extended VPN
 permit 115 any any
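Both the LAN and WAN interfaces above are set to mtu 9216, and ip pmtu on the pseudowire class enables path-MTU discovery for the tunneled traffic rather than leaving headroom for the encapsulation. With cookie size 8 and ESP in tunnel mode, every Ethernet frame picks up a 20-byte L2TPv3 IP header, a 12-byte L2TPv3 session header (session ID plus cookie), and then the ESP header, IV, CBC padding, trailer, ICV and a new outer IP header, so a full-size LAN frame no longer fits on the WAN. The Python below is an added example, not code from the original post; it computes that per-frame overhead and the largest LAN frame that still fits a given WAN MTU. It assumes L2TPv3 over IP with no sequencing sublayer, AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV) as selected by esp-aes 256 esp-sha-hmac, and no NAT traversal; frame sizes include the 14-byte Ethernet header (18 with an 802.1Q tag) but not the FCS.

```python
"""Per-frame overhead of an L2TPv3-over-IP pseudowire protected by ESP.

Added example, not from the original post. Assumed framing (not stated on the page):
L2TPv3 over IP (protocol 115) with no L2-specific sublayer, ESP with AES-CBC
(16-byte IV, 16-byte block) and HMAC-SHA1-96 (12-byte ICV), no NAT-T UDP header.
Frame lengths count the 14-byte Ethernet header (18 if 802.1Q tagged), not the FCS.
"""

IP_HDR = 20              # IPv4 header without options
L2TPV3_SESSION_ID = 4    # L2TPv3 session header; the cookie follows it
ESP_HDR = 8              # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header


def esp_size(protected_len, iv=16, block=16, icv=12):
    """Bytes of ESP header, IV, protected payload, CBC padding, trailer and ICV."""
    pad = (block - (protected_len + ESP_TRAILER) % block) % block
    return ESP_HDR + iv + protected_len + pad + ESP_TRAILER + icv


def wire_size(frame_len, cookie=8, tunnel_mode=True, **esp):
    """IP packet size on the WAN for one encapsulated Ethernet frame."""
    l2tp = L2TPV3_SESSION_ID + cookie + frame_len
    if tunnel_mode:
        # ESP wraps the whole L2TPv3/IP packet, then a fresh outer IP header is added.
        return IP_HDR + esp_size(IP_HDR + l2tp, **esp)
    # Transport mode keeps the L2TPv3 packet's own IP header outside ESP.
    return IP_HDR + esp_size(l2tp, **esp)


def overhead(frame_len, **kw):
    """Bytes that L2TPv3 plus ESP add to one Ethernet frame."""
    return wire_size(frame_len, **kw) - frame_len


def max_lan_frame(wan_mtu, **kw):
    """Largest Ethernet frame whose encapsulated packet still fits in wan_mtu."""
    size = wan_mtu
    while size > 0 and wire_size(size, **kw) > wan_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for frame in (1514, 9230):           # untagged frames with 1500- and 9216-byte payloads
        for mode in (True, False):
            print(f"frame {frame:5d} tunnel={mode!s:5} -> wire {wire_size(frame, tunnel_mode=mode)}"
                  f" (+{overhead(frame, tunnel_mode=mode)} bytes)")
    for mode in (True, False):
        print(f"WAN mtu 9216 tunnel={mode!s:5}: largest LAN frame {max_lan_frame(9216, tunnel_mode=mode)}")
```

Running it shows 94 bytes of overhead for a 1514-byte frame (1500-byte payload) in tunnel mode and 90 bytes for a 9230-byte jumbo frame, so behind a 9216-byte WAN MTU the largest frame that fits is 9118 bytes (a 9104-byte payload), or 9138 bytes in transport mode. Either make the WAN MTU exceed the LAN-side frame size by at least that overhead, or cap the host MTU on the stretched subnet so that nothing relies on fragmentation or path-MTU discovery working end to end.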

DC B:

l2tp-class CORDERO-L2TPV3-CLASS
 retransmit retries 30
 cookie size 8

pseudowire-class CORDERO-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 CORDERO-L2TPV3-CLASS
 ip local interface TenGigabitEthernet0/1/0
 ip pmtu

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.2.2 no-xauth

crypto ipsec transform-set CORDERO-TS esp-aes 256 esp-sha-hmac 
 mode tunnel

crypto map CORDERO-VPN 10 ipsec-isakmp 
 set peer 10.1.2.2
 set transform-set CORDERO-TS 
 match address VPN

interface TenGigabitEthernet0/0/0
 description LAN SIDE
 mtu 9216
 no ip address
 xconnect 10.1.2.2 1 encapsulation l2tpv3 pw-class CORDERO-L2TPV3

interface TenGigabitEthernet0/1/0
 description WAN SIDE
 mtu 9216
 ip address 10.1.2.1 255.255.255.0
 crypto map CORDERO-VPN

ip access-list extended VPN
 permit 115 any any
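The crypto settings in the two configurations above are what an assessor reads first. The Python below is an added example, not code from the original post: it walks an IOS configuration, flags the IKEv1 and IPsec settings that fall short of current NIST and Cisco guidance, and runs over both the DC A crypto section from this page and an assumed hardened variant (AES-256, SHA-256, DH group 14, transport mode, an endpoint-scoped ACL and a long placeholder pre-shared key) that is mine, not the author's. The DH group table, the 16-character pre-shared key floor and the placeholder-key list are my thresholds.

```python
"""Audit IKEv1/IPsec settings in an IOS configuration.

Added example, not from the original post. Thresholds are assumptions: DH groups below
2048-bit MODP / 256-bit ECP are flagged per NIST SP 800-131A; pre-shared keys shorter
than 16 characters or on a placeholder list are flagged.
"""
import re

# Constructed from the DC A crypto section on this page.
PAGE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.1.2.1      no-xauth
crypto ipsec transform-set CORDERO-TS esp-aes 256 esp-sha-hmac
 mode tunnel
ip access-list extended VPN
 permit 115 any any
"""

# Assumed hardened variant (not on the page); the PSK is a made-up placeholder.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Xq7vR2mL9pW4zT6kH8nB3dF5sJ1yC0 address 10.1.2.1 no-xauth
crypto ipsec transform-set CORDERO-TS esp-aes 256 esp-sha256-hmac
 mode transport
ip access-list extended VPN
 permit 115 host 10.1.2.2 host 10.1.2.1
"""

DH_GROUPS = {  # group -> (family, bits); IOS defaults to group 1 when none is set
    "1": ("MODP", 768), "2": ("MODP", 1024), "5": ("MODP", 1536),
    "14": ("MODP", 2048), "15": ("MODP", 3072), "16": ("MODP", 4096),
    "19": ("ECP", 256), "20": ("ECP", 384), "21": ("ECP", 521), "24": ("MODP", 2048),
}
PLACEHOLDER_PSKS = {"cisco", "cisco123", "password", "secret"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ios(text):
    """Group IOS lines into (top-level command, [indented sub-commands]) pairs."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(text):
    """Return (severity, message) findings for the crypto settings in text."""
    findings = []
    for head, body in parse_ios(text):
        sub = {}
        for line in body:
            key, *rest = line.split()
            sub[key] = rest
        if head.startswith("crypto isakmp policy"):
            enc = sub.get("encr") or sub.get("encryption") or ["des"]   # IOS default: DES
            if enc[0] in ("des", "3des"):
                findings.append(("HIGH", f"{head}: {enc[0]} is not acceptable; use encr aes 256"))
            elif enc == ["aes"]:
                findings.append(("INFO", f"{head}: 'encr aes' is AES-128; use encr aes 256"))
            hsh = sub.get("hash", ["sha"])[0]                             # IOS default: SHA-1
            if hsh in ("sha", "md5"):
                findings.append(("MEDIUM", f"{head}: IKE hash {hsh} is SHA-1/MD5; use hash sha256"))
            grp = sub.get("group", ["1"])[0]
            family, bits = DH_GROUPS.get(grp, ("unknown", 0))
            if not ((family == "MODP" and bits >= 2048) or (family == "ECP" and bits >= 256)):
                findings.append(("HIGH", f"{head}: DH group {grp} ({family} {bits}-bit) is below the "
                                         "SP 800-131A minimum; use group 14 or higher, or 19/20"))
        elif head.startswith("crypto isakmp key"):
            m = re.match(r"crypto isakmp key (?:([06]) )?(\S+) address (\S+)", head)
            if m and m.group(1) != "6":                                   # type-6 keys are encrypted
                psk = m.group(2)
                if psk.lower() in PLACEHOLDER_PSKS or len(psk) < 16:
                    findings.append(("HIGH", f"pre-shared key for {m.group(3)} is a placeholder "
                                             "or shorter than 16 characters"))
        elif head.startswith("crypto ipsec transform-set"):
            transforms = set(head.split()[4:])
            weak = transforms & WEAK_TRANSFORMS
            if weak:
                findings.append(("HIGH", f"{head}: {', '.join(sorted(weak))} must not be used"))
            if "esp-sha-hmac" in transforms:
                findings.append(("LOW", f"{head}: esp-sha-hmac is HMAC-SHA1; prefer esp-sha256-hmac or esp-gcm"))
            if sub.get("mode", ["tunnel"])[0] == "tunnel":
                findings.append(("INFO", f"{head}: tunnel mode adds 20 bytes per packet; transport mode "
                                         "suffices when the IPsec peers are the L2TPv3 endpoints"))
        elif head.startswith("ip access-list"):
            for line in body:
                if line.split()[:4] == ["permit", "115", "any", "any"]:
                    findings.append(("LOW", f"{head}: '{line}' matches L2TPv3 from anywhere; scope it to the endpoints"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"== {name}: {len(results)} finding(s)")
        for severity, message in results:
            print(f"  [{severity}] {message}")
```

Against the page's configuration the audit raises two HIGH findings (DH group 2 and the placeholder pre-shared key), one MEDIUM (the default SHA-1 IKE hash) and lower-severity notes on AES-128 in the IKE policy, HMAC-SHA1 in the transform set, tunnel mode and the any-to-any ACL; the hardened variant comes back clean. Running the same script against the running configuration (show running-config | section crypto) before an assessment is cheaper than finding out during one.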