Cisco L2TPv3 with no IPSEC data encryption

blarcombe
Posts: 2
Joined: Thu Apr 20, 2017 11:31 am

Cisco L2TPv3 with no IPSEC data encryption

Post by blarcombe » Wed Sep 06, 2017 6:01 am

Hi there,

We have our own LTE-based Test Lab network with private IP addressing and routing. We are trying to set up a Cisco IR809 LTE modem to do L2TPv3 tunneling to a Linux-based SoftEther VPN server.

The idea here is to extend the layer 2 Ethernet network from the LAN side across the LTE/IP underlay to the IR809 GE0 port, where Ethernet devices are connected. We have been able to set this up using the following guide and everything works as expected:
https://www.softether.org/4-docs/2-howt ... uter_Setup

However, we want to try and do this without encryption being mandatory for the L2TPv3 user plane data. As I understand it, the control signalling must be encrypted. The reason for this is that we are using SoftEther VPN to bridge Ethernet-based networks together over LTE/IP, and these networks are also private/secure. So we don't actually require encryption.

I have tried the configuration below, but continually get the following error on the SoftEther VPN server. Hoping that someone might be able to tell us a workaround, such as changing the source code for example.

-----------------------------

(192.168.34.200:4500 -> 192.168.20.120:4500): This IKE SA is established between the server and the client.
(192.168.34.200:4500 -> 192.168.20.120:4500): There are no acceptable transform proposals from the client for establishing an IPsec SA.

-----------------------------

pseudowire-class L2TPv3
 encapsulation l2tpv3
 ip local interface Cellular0
!
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key vpn address 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
 mode transport
crypto ipsec fragmentation after-encryption
!
!
!
crypto map MAP 1 ipsec-isakmp
 set peer 192.168.20.120
 set transform-set nullset
 match address IPSEC_MATCH_RULE
!
!
interface GigabitEthernet0
 no ip address
 duplex auto
 speed auto
 no cdp enable
 xconnect 192.168.20.120 1 encapsulation l2tpv3 pw-class L2TPv3
 bridge-group 1
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string lte
 dialer watch-group 1
 dialer-group 1
 crypto map MAP
!

ip route 0.0.0.0 0.0.0.0 Cellular0

------------------------------------

Thanks,
Ben
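
Editor's added example (not part of the original post, and not Cisco or SoftEther code): a small audit that reads an IOS configuration like the one above and reports every crypto map that references an `esp-null` transform set, together with the interfaces the map is applied to. The function name and the trimmed sample config are constructed for illustration; the parser accepts both indented and flattened (forum-pasted) configs.

```python
import re

# Constructed sample, trimmed from the configuration posted above.
SAMPLE_CONFIG = """\
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
 mode transport
!
crypto map MAP 1 ipsec-isakmp
 set peer 192.168.20.120
 set transform-set nullset
 match address IPSEC_MATCH_RULE
!
interface Cellular0
 ip address negotiated
 crypto map MAP
!
"""

def audit_null_encryption(config):
    """Return (crypto map, transform set, interfaces) for maps that allow ESP-NULL."""
    transform_sets = {}  # transform-set name -> list of transforms
    map_sets = {}        # crypto map name -> transform-set names it references
    map_ifaces = {}      # crypto map name -> interfaces the map is applied to
    current_map = current_iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":  # section separator closes any sub-mode
            current_map = current_iface = None
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            transform_sets[m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            current_map, current_iface = m.group(1), None
            map_sets.setdefault(current_map, [])
        elif m := re.match(r"interface (\S+)", line):
            current_iface, current_map = m.group(1), None
        elif current_map and (m := re.match(r"set transform-set (.+)", line)):
            map_sets[current_map] += m.group(1).split()
        elif current_iface and (m := re.match(r"crypto map (\S+)$", line)):
            map_ifaces.setdefault(m.group(1), []).append(current_iface)
    findings = []
    for cmap, names in map_sets.items():
        for name in names:
            if "esp-null" in transform_sets.get(name, []):
                findings.append((cmap, name, tuple(map_ifaces.get(cmap, []))))
    return findings

if __name__ == "__main__":
    for cmap, tset, ifaces in audit_null_encryption(SAMPLE_CONFIG):
        print(f"crypto map {cmap}: transform-set {tset} uses esp-null on {ifaces}")
```

A finding means ESP on that interface is authenticated (here with `esp-sha-hmac`) but not encrypted, so the bridged Ethernet frames cross the underlay in cleartext.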

cedar
Site Admin
Posts: 2070
Joined: Sat Mar 09, 2013 5:37 am

Re: Cisco L2TPv3 with no IPSEC data encryption

Post by cedar » Thu Sep 14, 2017 9:05 am

The list of ciphers which is used in IPsec is hardcoded in the following file.
https://github.com/SoftEtherVPN/SoftEth ... et.c#L2557

blarcombe
Posts: 2
Joined: Thu Apr 20, 2017 11:31 am

Re: Cisco L2TPv3 with no IPSEC data encryption

Post by blarcombe » Mon Sep 18, 2017 1:35 am

Thanks.

cripps477
Posts: 1
Joined: Sun Apr 18, 2021 1:23 pm

Re: Cisco L2TPv3 with no IPSEC data encryption

Post by cripps477 » Sun Apr 18, 2021 1:38 pm

Afternoon,

Saw this post. I have been looking for something that will do a stretched VLAN, but with security.
With the L2TPv3 to a Cisco router I can see encryption/IPsec, so that's fine; for the server-to-server equivalent, how do I impose encryption for the traffic, to secure traffic over the internet for Layer 2 to Layer 2 bridging?
