Cisco Tunnel Terminating Gateway (TTG)
IPSec Network Applications
▀ Implementing IPSec for L2TP Applications
▄ IPSec Reference, StarOS Release 17
Table 6. PDSN Compulsory L2TP, IPSec-Encrypted Session Processing

Step 1
A subscriber session arrives at a PDSN service on the system that is configured to perform compulsory tunneling. The system uses the LAC service specified in the PDSN service's configuration.

Step 2
The LAC service dictates the peer LNS (L2TP Network Server) to use and also supplies the following parameters, indicating that IP security is also required:
- Crypto map name
- ISAKMP secret (the pre-shared key used to authenticate the IKE peer)

Step 3
The system verifies that the crypto map name supplied matches a configured crypto map.

Step 4
From the crypto map, the system determines the following:
- The map type, in this case dynamic
- Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and, if so, which Diffie-Hellman group should be used
- IPSec SA lifetime parameters
- The names of one or more configured transform sets defining the IPSec SA

Step 5
To initiate the IKE SA negotiation, the system begins an IKE exchange with the specified peer LNS or security gateway. The Diffie-Hellman exchange within IKE produces the shared keying material; the ISAKMP secret specified by the attribute is not sent over the wire but is used to authenticate the peers to each other, so the LNS or security gateway must be configured with the same secret.

Step 6
The system and the LNS or security gateway negotiate an ISAKMP policy (IKE SA) to use to protect further communications.

Step 7
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the LNS or security gateway.

Step 8
Once the IPSec SA has been negotiated, the system protects the L2TP-encapsulated data according to the rules specified in the transform set and sends it over the IPSec tunnel.
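The configuration fragment below is an added example; it is not taken from this guide or from a Cisco reference configuration. It gathers in one place the objects the processing flow above consults: a transform set (step 8), an ISAKMP policy (step 6), a dynamic crypto map carrying the PFS group, the IPSec SA lifetime and the transform-set reference (step 4), and a LAC service whose peer-LNS entry supplies the crypto map name and ISAKMP secret (step 2). The context name, service and object names, the LNS address and both secrets are constructed placeholders, and the command syntax is written from general StarOS CLI conventions rather than from this page, so it must be checked against the Transform Set, ISAKMP Policy and Crypto Map chapters of this guide and against the running release before use.

```text
configure
  # Constructed destination context. All objects below must live in the
  # same context as the LAC service that references them.
  context pdsn_dest
    # Step 8: transform set defining how the L2TP traffic is protected
    # (ESP, AES-128-CBC for confidentiality, HMAC-SHA1-96 for integrity).
    crypto ipsec transform-set tset_l2tp esp hmac sha1-96 cipher aes-cbc-128
    #exit

    # Step 6: ISAKMP policy (IKE SA) offered to the LNS or security gateway.
    isakmp policy 1
      encryption aes-cbc-128
      hash sha1
      group 2
      lifetime 86400
    #exit

    # Step 4: dynamic crypto map named by the LAC service. PFS with DH
    # group 2, a one-hour IPSec SA lifetime, and the transform set above.
    crypto map cmap_lns ipsec-dynamic
      set pfs group2
      set security-association lifetime seconds 3600
      set transform-set tset_l2tp
    #exit

    # Step 2: the LAC service supplies the peer LNS, the crypto map name and
    # the ISAKMP secret (IKE pre-shared key). Both secrets are constructed
    # placeholders; the ISAKMP secret must match the one configured on the LNS.
    lac-service lac_pdsn
      peer-lns 10.10.10.1 secret l2tp-tunnel-secret crypto-map cmap_lns isakmp-secret ike-psk-placeholder
    #exit
  #exit
end
```

Two points a practitioner should check when adapting this: the ISAKMP secret authenticates the IKE SA and is distinct from the L2TP tunnel secret, so the two values should not be reused for each other; and Diffie-Hellman group 2 (1024-bit MODP) and SHA-1 are shown only as the conventional minimum, so where the release and the peer LNS both support a larger group and a SHA-2 hash, prefer those for both the ISAKMP policy and the PFS setting.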
Configuring Support for L2TP PDSN Compulsory Tunneling with IPSec
This section provides a list of the steps required to configure IPSec functionality on the system in support of PDSN compulsory L2TP tunneling. Each step listed refers to a different section containing the specific instructions for completing the required procedure.
Important:
These instructions assume that the system was previously configured to support PDSN compulsory tunneling of subscriber data sessions. In addition, all parameters configured using this procedure must be configured in the same destination context on the system as the LAC service.
Step 1
Configure one or more transform sets according to the instructions located in the Transform Set Configuration chapter of this guide.
Step 2
Configure one or more ISAKMP policies according to the instructions located in the ISAKMP Policy Configuration chapter of this guide.