Cisco L2TPv3/IPsec Edge-VPN Router Setup

    Version as of 04:20, 21 May 2024


    Most Cisco routers released in or after 2005 support L2TPv3 over IPsec. (If yours does not, you might be able to upgrade the IOS version to add support.)

    If you use L2TPv3 over IPsec, you can establish an IPsec-encrypted tunnel between the remote site's Cisco router and the central site's SoftEther VPN Server.
    This web page explains how to set up a Cisco 1812 or Cisco 892 router to connect to the SoftEther VPN Server.
     
     
    ciscopic.png
    Cisco's Routers

    Preparation

    Before setting up the Cisco router, you have to configure the SoftEther VPN Server.

    01.png

     

    On the above screen, check "Enable EtherIP / L2TPv3 over IPsec Server Function" and click the "Detail Settings" button. The following screen will appear.

     

    02.png

    On this screen you have to define a mapping table between the L2TPv3 client's (router's) ISAKMP (IKE) Phase 1 ID and the destination Virtual Hub's name, username and password.

    In the above example, a VPN connection attempt from any L2TPv3 router is treated as a connection to the "DEFAULT" Virtual Hub with the "l2tpv3" username. (The "l2tpv3" user must be registered on the Virtual Hub.)

    In principle, you should specify the Cisco router's ISAKMP (IKE) Phase 1 ID in the ID field. However, you can specify "*" (wildcard) to match any ID. A wildcard weakens security, but it is used here because this is only a tutorial. On a system that will run long-term, specify the exact Phase 1 ID instead of a wildcard.

     

    Cisco Router's Configuration Sample #2 (Having a DHCP-Assigned Physical IP Address)

    Example Assumptions

    • Ethernet Ports
      FastEthernet 0: WAN Port (IP Address Leased Automatically from DHCP Server)
      FastEthernet 1: Bridge Port
       
    • Destination SoftEther VPN Server IP Address
      1.2.3.4
       
    • ISAKMP SA Encryption Settings
      AES-256 / SHA / DH Group 2 (1024 bit)
       
    • IPsec SA Encryption Settings
      AES-256 / SHA
       
    • IPsec Pre-Shared Key
      vpn

     

    Cisco Router's Configuration Sample #3 (PPPoE WAN Connection)

    Example Assumptions

    • Ethernet Ports
      FastEthernet 0: WAN Port (IP Address Obtained Automatically via PPPoE)
      FastEthernet 1: Bridge Port
       
    • Destination SoftEther VPN Server IP Address
      1.2.3.4
       
    • ISAKMP SA Encryption Settings
      AES-256 / SHA / DH Group 2 (1024 bit)
       
    • IPsec SA Encryption Settings
      AES-256 / SHA
       
    • IPsec Pre-Shared Key
      vpn

     

    Cisco Router's Configuration Sample #1 (Having a Fixed Physical IP Address)

    Example Assumptions

    • Ethernet Ports
      FastEthernet 0: WAN Port (IP Address: 2.3.4.5 / Subnet Mask: 255.255.255.0 / DefGW: 2.3.4.254)
      FastEthernet 1: Bridge Port
       
    • Destination SoftEther VPN Server IP Address
      1.2.3.4
       
    • ISAKMP SA Encryption Settings
      AES-256 / SHA / DH Group 2 (1024 bit)
       
    • IPsec SA Encryption Settings
      AES-256 / SHA
       
    • IPsec Pre-Shared Key
      vpn
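
    An IOS configuration that matches the Sample #1 assumptions above, added here as an illustration; it is not the configuration from the original page. The names MAP, IPSEC, L2TPV3 and IPSEC_MATCH_RULE, the policy and crypto map sequence numbers, and the VC ID 1 are assumptions.

```cisco
! Added example. MAP, IPSEC, L2TPV3, IPSEC_MATCH_RULE and VC ID 1 are assumed names/values.
!
! ISAKMP (IKE Phase 1) SA: AES-256 / SHA / DH Group 2, pre-shared key authentication
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key "vpn", accepted only for the SoftEther VPN Server at 1.2.3.4
crypto isakmp key vpn address 1.2.3.4
!
! IPsec SA: AES-256 / SHA in transport mode (the L2TPv3 packet is the protected payload)
crypto ipsec transform-set IPSEC esp-aes 256 esp-sha-hmac
 mode transport
!
! Protect only L2TPv3 (IP protocol 115) between this router and the server
ip access-list extended IPSEC_MATCH_RULE
 permit 115 host 2.3.4.5 host 1.2.3.4
!
crypto map MAP 1 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set IPSEC
 match address IPSEC_MATCH_RULE
!
! L2TPv3 pseudowire sourced from the WAN interface
pseudowire-class L2TPV3
 encapsulation l2tpv3
 ip local interface FastEthernet0
!
! WAN port: fixed address, IPsec applied through the crypto map
interface FastEthernet0
 ip address 2.3.4.5 255.255.255.0
 crypto map MAP
 no shutdown
!
! Bridge port: Ethernet frames are carried to the server over the pseudowire
interface FastEthernet1
 no ip address
 xconnect 1.2.3.4 1 pw-class L2TPV3
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 2.3.4.254
```

    After applying it, `show crypto isakmp sa`, `show crypto ipsec sa` and `show l2tun session` show whether the Phase 1 SA, the IPsec SA and the L2TPv3 session came up.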