Cisco Cisco Packet Data Interworking Function (PDIF)
IPSec Network Applications
▀ Implementing IPSec for L2TP Applications
▄ IPSec Reference, StarOS Release 18
40
Table 5. Attribute-based L2TP, IPSec-Encrypted Session Processing
Step
1
A subscriber session arrives at the system.
2
The system attempts to authenticate the subscriber with the AAA server.
3
The profile attributes returned upon successful authentication by the AAA server indicate that session data is to be
tunneled using L2TP. In addition, attributes specifying a crypto map name and ISAKMP secret are also supplied
indicating that IP security is also required.
tunneled using L2TP. In addition, attributes specifying a crypto map name and ISAKMP secret are also supplied
indicating that IP security is also required.
4
The system determines that the crypto map name supplied matches a configured crypto map.
5
From the crypto map, the system determines the following:
The map type, in this case dynamic
Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be
used
used
IPSec SA lifetime parameters
The name of one or more configured transform set defining the IPSec SA
6
To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange of the ISAKMP secret specified in
the profile attribute with the specified peer LNS (L2TP Network Server) or security gateway.
the profile attribute with the specified peer LNS (L2TP Network Server) or security gateway.
7
The system and the LNS or security gateway negotiate an ISAKMP (IKE) policy to use to protect further
communications.
communications.
8
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the LNS or security gateway using the
transform method specified in the transform sets.
transform method specified in the transform sets.
9
Once the IPSec SA has been negotiated, the system protects the L2TP encapsulated data according to the IPSec SAs
established during step 9 and sends it over the IPSec tunnel.
established during step 9 and sends it over the IPSec tunnel.
Configuring Support for L2TP Attribute-based Tunneling with IPSec
This section provides a list of the steps required to configure IPSec functionality on the system in support of
attributebasedL2TP tunneling. Each step listed refers to a different section containing the specific instructions for
completing the required procedure.
attributebasedL2TP tunneling. Each step listed refers to a different section containing the specific instructions for
completing the required procedure.
Important:
These instructions assume that the system was previously configured to support subscriber data
sessions and L2TP tunneling either as a PDSN or an HA. In addition, with the exception of subscriber attributes, all
other parameters configured using this procedure must be configured in the same destination context on the system as
the LAC service.
other parameters configured using this procedure must be configured in the same destination context on the system as
the LAC service.
Step 1
Configure one or more transform sets according to the instructions located in the Transform Set Configuration chapter
of this guide.
of this guide.
Step 2
Configure one or more ISAKMP policies according to the instructions located in the ISAKMP Policy Configuration
chapter of this guide.
chapter of this guide.