Hi there,
We have our own LTE-based test lab network with private IP addressing and routing. We are trying to set up a Cisco IR809 LTE modem to do L2TPv3 tunneling to a Linux-based SoftEther VPN server.
The idea here is to extend the layer 2 Ethernet network from the LAN side across the LTE/IP underlay to the IR809 GE0 port, where Ethernet devices are connected. We have been able to set this up using the following guide and everything works as expected:
https://www.softether.org/4-docs/2-howt ... uter_Setup
However, we want to try and do this without encryption being mandatory for the L2TPv3 user plane data. As I understand it, the control signalling must be encrypted. The reason for this is that we are using SoftEther VPN to bridge Ethernet-based networks together over LTE/IP, and these networks are also private/secure. So we don't actually require encryption.
I have tried the configuration below, but continually get the following error on the SoftEther VPN server. Hoping that someone might be able to tell us a workaround, such as changing the source code, for example.
-----------------------------
(192.168.34.200:4500 -> 192.168.20.120:4500): This IKE SA is established between the server and the client.
(192.168.34.200:4500 -> 192.168.20.120:4500): There are no acceptable transform proposals from the client for establishing an IPsec SA.
-----------------------------
pseudowire-class L2TPv3
encapsulation l2tpv3
ip local interface Cellular0
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key vpn address 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
mode transport
crypto ipsec fragmentation after-encryption
!
!
!
crypto map MAP 1 ipsec-isakmp
set peer 192.168.20.120
set transform-set nullset
match address IPSEC_MATCH_RULE
!
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
no cdp enable
xconnect 192.168.20.120 1 encapsulation l2tpv3 pw-class L2TPv3
bridge-group 1
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer watch-group 1
dialer-group 1
crypto map MAP
!
ip route 0.0.0.0 0.0.0.0 Cellular0
------------------------------------
Thanks,
Ben
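A config check that makes the trade-off in the post explicit, added here as an example and not code from the thread or from SoftEther: it parses the IOS transform-set, crypto-map and interface lines and reports every interface whose applied IPsec transform set uses esp-null (integrity only, no confidentiality), which is what the nullset/MAP pairing above puts on Cellular0. The sample config is constructed from the lines of the post.

```python
import re
# Constructed sample: the transform-set, crypto-map and interface lines
# from the IR809 config above (with the esp-aes typo corrected).
SAMPLE_CONFIG = """\
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set nullset esp-null esp-sha-hmac
 mode transport
crypto map MAP 1 ipsec-isakmp
 set peer 192.168.20.120
 set transform-set nullset
 match address IPSEC_MATCH_RULE
!
interface GigabitEthernet0
interface Cellular0
 ip address negotiated
 crypto map MAP
"""
NULL_ENCRYPTION = {"esp-null"}  # ESP transforms with integrity but no confidentiality

def parse_config(text):
    """Return (transform_sets, crypto_maps, interfaces) from an IOS config."""
    tsets, cmaps, ifaces = {}, {}, {}
    section = None  # ("map", name, seq) or ("if", name) while inside a block
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "!":
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+)\s+(.+)", line):
            tsets[m[1]] = m[2].split()
            section = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            section = ("map", m[1], int(m[2]))
            cmaps.setdefault(m[1], {})[int(m[2])] = []
        elif m := re.match(r"interface (\S+)", line):
            section = ("if", m[1])
            ifaces[m[1]] = None
        elif section and section[0] == "map" and (m := re.match(r"set transform-set (.+)", line)):
            cmaps[section[1]][section[2]] += m[1].split()
        elif section and section[0] == "if" and (m := re.match(r"crypto map (\S+)$", line)):
            ifaces[section[1]] = m[1]  # crypto map applied to this interface
    return tsets, cmaps, ifaces

def null_encryption_findings(text):
    """(interface, crypto map, seq, transform-set) for every applied entry that uses esp-null."""
    tsets, cmaps, ifaces = parse_config(text)
    return [(iface, cmap, seq, name)
            for iface, cmap in ifaces.items()
            for seq, names in cmaps.get(cmap, {}).items()
            for name in names if NULL_ENCRYPTION & set(tsets.get(name, []))]
```

Run over the sample it flags Cellular0 / MAP seq 1 / nullset; a transform set that is defined but never referenced by an applied crypto map (like IPSEC here) is not reported.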
Cisco L2TPv3 with no IPSEC data encryption
Re: Cisco L2TPv3 with no IPSEC data encryption
The list of ciphers used in IPsec is hardcoded in the following file.
https://github.com/SoftEtherVPN/SoftEth ... et.c#L2557
Re: Cisco L2TPv3 with no IPSEC data encryption
Afternoon,
Saw this post. I have been looking for something that will do a stretched VLAN, but with security.
With the L2TPv3 to a Cisco router I can see encryption/IPsec, so that's fine; for the server-to-server equivalent, how do I impose encryption on the traffic to secure it over the internet for Layer 2 to Layer 2 bridging?