Cisco Cisco IOS Software Release 12.2(27)SBC
L2TP Security
l2tp security crypto-profile
To configure IP Security (IPSec) protection of Layer 2 Tunnel Protocol (L2TP) sessions associated with
a virtual private dialup network (VPDN) group, use the l2tp security crypto-profile command in VPDN
group or VPDN template configuration mode. To disable IPSec protection for a VPDN group, use the
no form of this command.
l2tp security crypto-profile profile-name [keep-sa]
no l2tp security crypto-profile

Syntax Description

profile-name   The name of the crypto profile to be used for IPSec protection of
               tunneled PPP sessions.
keep-sa        (Optional) Controls the destruction of IPSec security associations
               (SAs) upon tunnel teardown. By default, any IPSec phase 2 SAs and
               Internet Key Exchange (IKE) phase 1 SAs are destroyed when the L2TP
               tunnel is torn down. Issuing the keep-sa keyword prevents the
               destruction of IKE phase 1 SAs.

Command Default
IPSec security is disabled.
IKE phase 1 SAs are destroyed on tunnel teardown.

Command Modes
VPDN group configuration
VPDN template configuration

Command History

Release      Modification
12.2(4)T     This command was introduced.
12.2(11)T    This command was implemented on the Cisco 1760, Cisco AS5300,
             Cisco AS5400, and Cisco AS5800 platforms.
12.2(28)SB   This command was integrated into Cisco IOS Release 12.2(28)SB.

Usage Guidelines
Enabling this command for a VPDN group ensures that no L2TP packets will be processed unless they
have IPSec protection.

A crypto profile must be configured using the crypto map (global IPSec) command before it can be
associated with a VPDN group using the l2tp security crypto-profile command. The profile-name
argument must match the name of a profile configured using the crypto map command.

The keep-sa keyword can be used to prevent the destruction of IKE phase 1 SAs when the L2TP tunnel
between the network access server (NAS) and tunnel server is considered permanent, and the IP
addresses of the peer devices rarely change. This option is not useful with short-lived tunnels, such as
those generated by client-initiated L2TP tunneling.
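
The usage guidelines above translate into three configuration checks, shown here as an added example that is not part of the Cisco documentation: L2TP groups left at the IPSec-disabled default, a profile-name with no matching crypto map profile, and use of keep-sa. The function name audit, the sample configuration, and the assumed definition line form "crypto map <map> <seq> ipsec-isakmp profile <name>" are assumptions of this example, and VPDN template inheritance is not resolved.

```python
import re

# Constructed sample running-config for the demo (not taken from the page).
SAMPLE_CONFIG = """\
crypto map l2tpsec 10 ipsec-isakmp profile l2tp
!
vpdn-group 1
 request-dialin
  protocol l2tp
 l2tp security crypto-profile l2tp keep-sa
!
vpdn-group 2
 accept-dialin
  protocol l2tp
 l2tp security crypto-profile l2tpsec
!
vpdn-group 3
 request-dialin
  protocol l2tp
"""

# Assumed definition form: crypto map <map> <seq> ipsec-isakmp profile <name>
PROFILE_DEF = re.compile(r"^crypto map \S+ \d+ ipsec-isakmp\b.*\bprofile (\S+)")
SECURITY = re.compile(r"^l2tp security crypto-profile (\S+)( keep-sa)?$")

def audit(config):
    """Return sorted (stanza, finding) pairs; template inheritance is not resolved."""
    profiles, stanzas, current = set(), {}, None
    for line in config.splitlines():
        if line[:1].strip():  # unindented line: a stanza starts or ends here
            current = line.strip() if line.startswith(("vpdn-group", "vpdn-template")) else None
            if (m := PROFILE_DEF.match(line)):
                profiles.add(m.group(1))
        elif current and line.strip():
            stanzas.setdefault(current, []).append(line.strip())
    findings = []
    for name, body in stanzas.items():
        sec = next((m for b in body if (m := SECURITY.match(b))), None)
        if sec is None:
            if name.startswith("vpdn-group") and "protocol l2tp" in body:
                findings.append((name, "IPSec not required (command default)"))
        elif sec.group(1) not in profiles:  # e.g. map name used instead of profile name
            findings.append((name, f"profile '{sec.group(1)}' has no crypto map definition"))
        elif sec.group(2):
            findings.append((name, "keep-sa: IKE phase 1 SAs kept after tunnel teardown"))
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(f"{s}: {f}" for s, f in audit(SAMPLE_CONFIG)))
```

In the sample, vpdn-group 2 references the crypto map name rather than the profile name, which is the mismatch the profile-name rule describes.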