Suppose, for example, you want to run L2TPv3 across the Internet: the far end may be using a dynamic address (referred to below as a non-fixed address). Cisco's L2TPv3 implementation requires a fixed address for the peer, so the usual configuration cannot handle this case. However, by combining L2TPv3 with something that can resolve non-fixed addresses, such as DMVPN, an L2TPv3 setup that accommodates a dynamically addressed peer can be built.
Lab environment
Configuration example
The key point is that the L2TPv3 peer is built on a dedicated Loopback interface rather than on the WAN address. The WAN address is resolved by NHRP, and the Loopback network is advertised by dynamic routing over DMVPN (EIGRP in this example).
R1 (fixed address on the WAN side)
hostname R1
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
pseudowire-class l2tpv3
 encapsulation l2tpv3
 ip local interface Loopback1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set tfset esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile profile
 set transform-set tfset
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 no ip redirects
 ip mtu 1436
 no ip split-horizon eigrp 1
 ip nhrp authentication poc
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 10
 tunnel source GigabitEthernet1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile profile
!
interface GigabitEthernet1
 ip address 10.1.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 no ip address
 negotiation auto
 no keepalive
 xconnect 2.2.2.2 1 encapsulation l2tpv3 pw-class l2tpv3
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.1.61 255.255.255.0
 negotiation auto
!
router eigrp 1
 network 1.1.1.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
end
R2 (non-fixed address on the WAN side)
hostname R2
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
pseudowire-class l2tpv3
 encapsulation l2tpv3
 ip local interface Loopback1
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco address 0.0.0.0
!
crypto ipsec transform-set tfset esp-aes esp-sha-hmac
 mode transport
!
crypto map dmvpn local-address GigabitEthernet1
crypto map dmvpn 1 ipsec-isakmp
 set peer 10.1.1.1
 set security-association level per-host
 set transform-set tfset
 match address 101
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!
interface Tunnel1
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1436
 ip nhrp authentication poc
 ip nhrp map 10.0.0.1 10.1.1.1
 ip nhrp network-id 100000
 ip nhrp holdtime 10
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet1
 tunnel destination 10.1.1.1
 tunnel key 100000
 crypto map dmvpn
!
interface GigabitEthernet1
 ip address dhcp hostname R2
 negotiation auto
 crypto map dmvpn
!
interface GigabitEthernet2
 no ip address
 negotiation auto
 no keepalive
 xconnect 1.1.1.1 1 encapsulation l2tpv3 pw-class l2tpv3
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.1.62 255.255.255.0
 negotiation auto
!
router eigrp 1
 network 2.2.2.0 0.0.0.255
 network 10.0.0.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 10.1.2.254
!
access-list 101 permit gre any host 10.1.1.1
!
end
R3 (stands in for the carrier-network router)
hostname R3
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
ip dhcp excluded-address 10.1.2.254
!
ip dhcp pool R2
 network 10.1.2.0 255.255.255.0
!
interface GigabitEthernet1
 ip address 10.1.1.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2
 ip address 10.1.2.254 255.255.255.0
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.1.63 255.255.255.0
 negotiation auto
!
end
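As an added example that is not part of the original article, the following Python script checks the design invariants described above (pseudowire sourced from Loopback1, xconnect peer equal to the far-end Loopback1, that loopback advertised by EIGRP so it is reachable over the mGRE tunnel) against trimmed, constructed extracts of the R1/R2 configs; the function names are mine, and the fourth check only notes that with the key bound to 0.0.0.0 the pre-shared key alone authenticates spokes.

```python
import ipaddress
# Constructed, trimmed extract of the article's R1 config: only the statements the checks read.
R1 = """\
pseudowire-class l2tpv3
 ip local interface Loopback1
crypto isakmp key cisco address 0.0.0.0
interface Loopback1
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet2
 xconnect 2.2.2.2 1 encapsulation l2tpv3 pw-class l2tpv3
router eigrp 1
 network 1.1.1.0 0.0.0.255
"""
# R2 is R1 with the loopback addresses swapped (own Loopback1 2.2.2.2, xconnect peer 1.1.1.1).
R2 = (R1.replace("1.1.1.1", "@").replace("2.2.2.2", "1.1.1.1")
        .replace("@", "2.2.2.2").replace("1.1.1.0", "2.2.2.0"))

def sections(cfg):
    # Group an IOS config into {top-level line: [its indented sub-lines]}, skipping "!" separators.
    out, cur = {}, None
    for line in cfg.splitlines():
        text = line.strip()
        if not text or text.startswith("!"):
            continue
        if line.startswith(" ") and cur is not None:
            out[cur].append(text)
        else:
            cur = text
            out[cur] = []
    return out

def check_l2tpv3_over_dmvpn(local_cfg, remote_cfg):
    # Returns a list of findings; an empty list means the article's design invariants hold.
    findings, loc, rem = [], sections(local_cfg), sections(remote_cfg)
    # 1. The pseudowire must be sourced from Loopback1, never from the (possibly dynamic) WAN address.
    if "ip local interface Loopback1" not in loc.get("pseudowire-class l2tpv3", []):
        findings.append("pw-class does not use Loopback1 as the L2TPv3 source")
    # 2. The xconnect peer must be the remote router's Loopback1 address.
    xc = [c for s, cs in loc.items() if s.startswith("interface") for c in cs if c.startswith("xconnect")]
    peer = xc[0].split()[1] if xc else None
    rem_lo = next((c.split()[2] for c in rem.get("interface Loopback1", []) if c.startswith("ip address")), None)
    if peer != rem_lo:
        findings.append(f"xconnect peer {peer} != remote Loopback1 {rem_lo}")
    # 3. The loopback is reachable over the mGRE tunnel only if the remote EIGRP process advertises it.
    nets = [ipaddress.ip_network(f"{c.split()[1]}/{c.split()[2]}") for s, cs in rem.items()
            if s.startswith("router eigrp") for c in cs if c.startswith("network")]
    if rem_lo and not any(ipaddress.ip_address(rem_lo) in n for n in nets):
        findings.append(f"remote Loopback1 {rem_lo} is not covered by an EIGRP network statement")
    # 4. A key bound to 0.0.0.0 (needed for dynamic spokes) makes the PSK the only peer authenticator.
    if any(s.startswith("crypto isakmp key") and s.endswith("address 0.0.0.0") for s in loc):
        findings.append("ISAKMP pre-shared key bound to 0.0.0.0: key strength is the only peer check")
    return findings
```

Run it in both directions (R1 against R2 and R2 against R1); on the article's lab configs only the wildcard pre-shared key note remains.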
Verification
R1 dynamically resolves R2's WAN-side address via NHRP.
R1#show ip nhrp
10.0.0.2/32 via 10.0.0.2
   Tunnel1 created 00:22:10, expire 00:00:07
   Type: dynamic, Flags: unique registered used
   NBMA address: 10.1.2.1
The ISAKMP SA is established with the address resolved by NHRP.
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.1        10.1.2.1        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
The far-end Loopback network [2.2.2.2] is learned via EIGRP over the tunnel.
R1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.1.1.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.1.1.254
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/24 is directly connected, Loopback1
L        1.1.1.1/32 is directly connected, Loopback1
      2.0.0.0/24 is subnetted, 1 subnets
D        2.2.2.0 [90/27008000] via 10.0.0.2, 00:30:12, Tunnel1
      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
C        10.0.0.0/30 is directly connected, Tunnel1
L        10.0.0.1/32 is directly connected, Tunnel1
C        10.1.1.0/24 is directly connected, GigabitEthernet1
L        10.1.1.1/32 is directly connected, GigabitEthernet1
The L2TPv3 session is established using the Loopback interfaces.
R1#show l2tp session

L2TP Session Information Total tunnels 1 sessions 1

LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID
                                 Vcid, Circuit
3381341951 1248987571 4250176163 1, Gi2               est    00:23:48 0