Cisco Cisco Packet Data Gateway (PDG)
IPSec Network Applications
▀ Implementing IPSec for L2TP Applications
▄ IPSec Reference, StarOS Release 18
42
Step
Description
3
The system determines that the crypto map name supplied matches a configured crypto map.
4
From the crypto map, the system determines the following:
The map type, in this case dynamic
Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be
used
used
IPSec SA lifetime parameters
The name of one or more configured transform set defining the IPSec SA
5
To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange of the ISAKMP secret specified by
the attribute with the specified peer LNS or security gateway.
the attribute with the specified peer LNS or security gateway.
6
The system and the LNS or security gateway negotiate an ISAKMP policy (IKE SA) to use to protect further
communications.
communications.
7
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the LNS or security gateway.
8
Once the IPSec SA has been negotiated, the system protects the L2TP encapsulated data according to the rules specified
in the transform set and sends it over the IPSec tunnel.
in the transform set and sends it over the IPSec tunnel.
Configuring Support for L2TP PDSN Compulsory Tunneling with IPSec
This section provides a list of the steps required to configure IPSec functionality on the system in support of PDSN
compulsory L2TP tunneling. Each step listed refers to a different section containing the specific instructions for
completing the required procedure.
compulsory L2TP tunneling. Each step listed refers to a different section containing the specific instructions for
completing the required procedure.
Important:
These instructions assume that the system was previously configured to support PDSN compulsory
tunneling subscriber data sessions. In addition, all parameters configured using this procedure must be configured in the
same destination context on the system as the LAC service.
same destination context on the system as the LAC service.
Step 1
Configure one or more transform sets according to the instructions located in the Transform Set Configuration chapter
of this guide.
of this guide.
Step 2
Configure one or more ISAKMP policies according to the instructions located in the ISAKMP Policy Configuration
chapter of this guide.
chapter of this guide.
Step 3
Configure an ipsec-isakmp crypto map according to the instructions located in the Dynamic Crypto Map Configuration
section of the Crypto Maps chapter of this guide.
section of the Crypto Maps chapter of this guide.
Step 4
Configure the subscriber profile attributes according to the instructions located in the Subscriber Attributes for L2TP
Application IPSec Support section of the RADIUS Attributes for IPSec-Based Mobile IP chapter of this guide.
Application IPSec Support section of the RADIUS Attributes for IPSec-Based Mobile IP chapter of this guide.
Step 5
Save your configuration to flash memory, an external memory device, and/or a network location using the Exec mode
command save configuration. For additional information on how to verify and save configuration files, refer to the
System Administration Guide and the Command Line Interface Reference.
command save configuration. For additional information on how to verify and save configuration files, refer to the
System Administration Guide and the Command Line Interface Reference.