Cisco IOS Software Release 12.2(27)SBC

L2TP Security
 
l2tp security crypto-profile
To configure IP Security (IPSec) protection of Layer 2 Tunnel Protocol (L2TP) sessions associated with a virtual private dialup network (VPDN) group, use the l2tp security crypto-profile command in VPDN group or VPDN template configuration mode. To disable IPSec protection for a VPDN group, use the no form of this command.

l2tp security crypto-profile profile-name [keep-sa]
no l2tp security crypto-profile
Syntax Description

profile-name    The name of the crypto profile to be used for IPSec protection of tunneled PPP sessions.

keep-sa         (Optional) Controls the destruction of IPSec security associations (SAs) upon tunnel teardown. By default, any IPSec phase 2 SAs and Internet Key Exchange (IKE) phase 1 SAs are destroyed when the L2TP tunnel is torn down. Issuing the keep-sa keyword prevents the destruction of IKE phase 1 SAs.

Command Default

IPSec security is disabled.
IKE phase 1 SAs are destroyed on tunnel teardown.

Command Modes

VPDN group configuration
VPDN template configuration

Command History

Release      Modification
12.2(4)T     This command was introduced.
12.2(11)T    This command was implemented on the Cisco 1760, Cisco AS5300, Cisco AS5400, and Cisco AS5800 platforms.
12.2(28)SB   This command was integrated into Cisco IOS Release 12.2(28)SB.

Usage Guidelines

Enabling this command for a VPDN group ensures that no L2TP packets will be processed unless they have IPSec protection.

A crypto profile must be configured using the crypto map (global IPSec) command before it can be associated with a VPDN group using the l2tp security crypto-profile command. The profile-name argument must match the name of a profile configured using the crypto map command.

The keep-sa keyword can be used to prevent the destruction of IKE phase 1 SAs when the L2TP tunnel between the network access server (NAS) and tunnel server is considered permanent, and the IP addresses of the peer devices rarely change. This option is not useful with short-lived tunnels, such as those generated by client-initiated L2TP tunneling.
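Added configuration example, not taken from the Cisco reference page: a tunnel server that accepts L2TP from a NAS and binds the VPDN group to a crypto profile with keep-sa. All names, addresses and the pre-shared key are constructed placeholders; the crypto map ... ipsec-isakmp profile form used to define the profile, the transport-mode transform set and the absence of set peer are assumptions drawn from how the L2TP Security feature is normally configured, not statements of this page.

```cisco
! --- IKE phase 1 (ISAKMP) policy and pre-shared key for the NAS peer ---
! Constructed values: addresses, names and the key are placeholders.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.2
!
! --- IPsec phase 2 transform set; transport mode is assumed here
!     because L2TP already encapsulates the PPP frames ---
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
!
! --- Crypto profile "l2tp-prof": a crypto map entry carrying the
!     "profile" keyword (assumed form). No "set peer": the peer is
!     assumed to be the L2TP tunnel endpoint of the VPDN group. ---
crypto map L2TP-MAP 10 ipsec-isakmp profile l2tp-prof
 set transform-set L2TP-TS
 match address 101
!
! Only L2TP control and data traffic (UDP 1701) between the two peers
access-list 101 permit udp host 192.0.2.1 eq 1701 host 192.0.2.2 eq 1701
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map L2TP-MAP
!
! --- Tunnel server: L2TP packets for this VPDN group are dropped
!     unless they arrive with IPsec protection. keep-sa retains the
!     IKE phase 1 SA across teardown because this NAS-to-server
!     tunnel is long-lived and the peer addresses do not change. ---
vpdn enable
!
vpdn-group NAS-TUNNEL
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname nas-01
 local name tunnel-server
 l2tp security crypto-profile l2tp-prof keep-sa
```

For a client-initiated, short-lived tunnel the same vpdn-group would omit keep-sa, since retaining IKE phase 1 SAs for peers whose addresses change gives no benefit.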