Cisco Cisco Packet Data Gateway (PDG) Guida Alla Risoluzione Dei Problemi
IP Security
▀ Implementing IPSec for L2TP Applications
▄ Cisco ASR 5000 Series Enhanced Feature Configuration Guide
OL-22982-01
Step
Description
5.
From the crypto map, the system determines the following:
The map type, in this case dynamic
Whether perfect forward secrecy (PFS) should be enabled for the IPSec SA and if so, what group should be used
IPSec SA lifetime parameters
The name of one or more configured transform set defining the IPSec SA
6.
To initiate the IKE SA negotiation, the system performs a Diffie-Hellman exchange of the ISAKMP secret specified in the
profile attribute with the specified peer LNS/security gateway.
profile attribute with the specified peer LNS/security gateway.
7.
The system and the LNS/security gateway negotiate an ISAKMP (IKE) policy to use to protect further communications.
8.
Once the IKE SA has been negotiated, the system negotiates an IPSec SA with the LNS/security gateway using the
transform method specified in the transform sets.
transform method specified in the transform sets.
9.
Once the IPSec SA has been negotiated, the system protects the L2TP encapsulated data according to the IPSec SAs
established during step 9 and sends it over the IPSec tunnel.
established during step 9 and sends it over the IPSec tunnel.
Configuring Support for L2TP Attribute-based Tunneling with IPSec
This section provides a list of the steps required to configure IPSec functionality on the system in support of attribute-
based L2TP tunneling. Each step listed refers to a different section containing the specific instructions for completing
the required procedure.
based L2TP tunneling. Each step listed refers to a different section containing the specific instructions for completing
the required procedure.
Important:
These instructions assume that the system was previously configured to support subscriber data
sessions and L2TP tunneling either as a PDSN or an HA. In addition, with the exception of subscriber attributes, all
other parameters configured using this procedure must be configured in the same destination context on the system as
the LAC service.
other parameters configured using this procedure must be configured in the same destination context on the system as
the LAC service.
Step 1
Configure one or more transform sets according to the instructions located in the
of this chapter.
Step 2
section of this chapter.
Step 3
Configure an ipsec-isakmp crypto map according to the instructions located in the
section of this chapter.
Step 4
Configure the subscriber profile attributes according to the instructions located in the
Step 5
Save your configuration as described in Verifying and Saving Your Configuration.