Scenario: Protecting an L2TP voluntary tunnel with IPSec
In this scenario, you learn how to set up a connection between a branch office host and a corporate office that uses L2TP protected by IPSec.
The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address.
Situation
Suppose your company has a small branch office in another state. Throughout any given workday the branch office may require access to confidential information on a System i™ model within your corporate intranet. Your company currently uses an expensive leased line to provide the branch office access to the corporate network. Although your company wants to continue providing secure access to your intranet, you ultimately want to reduce the expense associated with the leased line. This can be done by creating a Layer 2 Tunnel Protocol (L2TP) voluntary tunnel that extends your corporate network, such that the branch office appears to be part of your corporate subnet. VPN protects the data traffic over the L2TP tunnel.
With an L2TP voluntary tunnel, the remote branch office establishes a tunnel directly to the L2TP network server (LNS) of the corporate network. The functionality of the L2TP access concentrator (LAC) resides at the client. The tunnel is transparent to the remote client's Internet Service Provider (ISP), so the ISP is not required to support L2TP. If you want to read more about L2TP concepts, see Layer 2 Tunnel Protocol (L2TP).
This scenario shows the security gateways attached directly to the Internet. The absence of a firewall is intended to simplify the scenario; it does not imply that a firewall is unnecessary. Consider the security risks involved any time you connect to the Internet.
Objectives
In this scenario, a branch office system connects to its corporate network through a gateway system with an L2TP tunnel protected by VPN.
The main objectives of this scenario are:
- The branch office system always initiates the connection to the corporate office.
- The branch office system is the only system at the branch office network that needs access to the corporate network. In other words, its role is that of a host, not a gateway, in the branch office network.
- The corporate system is a host computer in the corporate office network.
Details
The following figure illustrates the network characteristics for this scenario:
System-A
- Must have access to TCP/IP applications on all systems in the corporate network.
- Receives dynamically assigned IP addresses from its ISP.
- Must be configured to provide L2TP support.
System-B
- Must have access to TCP/IP applications on System-A.
- Subnet is 10.6.0.0 with mask 255.255.0.0. This subnet represents the data endpoint of the VPN tunnel at the corporate site.
- Connects to the Internet with IP address 205.13.237.6. This is the connection endpoint. That is, System-B performs key management and applies IPSec to incoming and outgoing IP datagrams. System-B connects to its subnet with IP address 10.6.11.1.
In L2TP terms, System-A acts as the L2TP initiator, while System-B acts as the L2TP terminator.
Configuration tasks
Assuming that TCP/IP configuration already exists and works, complete the following tasks:
- Configuring VPN on System-A
  Complete the following steps to configure a VPN connection on System-A.
- Configuring a PPP connection profile and virtual line on System-A
  Now that a VPN connection is configured on System-A, you need to create the PPP profile for System-A. The PPP profile has no physical line associated with it; instead, it uses a virtual line. This is because the PPP traffic tunnels through the L2TP tunnel, while VPN protects the L2TP tunnel.
- Applying the l2tptocorp dynamic-key group to the toCorp PPP profile
  After you have your PPP connection profile configured, go back to the dynamic-key group, l2tptocorp, that you created and associate it with the PPP profile.
- Configuring VPN on System-B
  To configure a VPN connection on System-B, follow the same steps you used to configure a VPN connection on System-A, changing IP addresses and identifiers as necessary.
- Configuring a PPP connection profile and virtual line on System-B
  Now that a VPN connection is configured on System-B, you need to create the PPP profile for System-B. The PPP profile has no physical line associated with it; instead, it uses a virtual line. This is because the PPP traffic tunnels through the L2TP tunnel, while VPN protects the L2TP tunnel.
- Activating packet rules
  The VPN wizard automatically creates the packet rules that this connection requires to work properly. However, you must activate them on both systems before you can start the VPN connection.
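The layering that the Details and Configuration tasks sections describe (PPP carried inside L2TP over UDP port 1701 from the branch host to System-B at 205.13.237.6, with IPSec applied to that L2TP traffic) is easy to get subtly wrong: if the packet rules are not active, or the dynamic-key group is not associated with the PPP profile, the L2TP tunnel comes up in cleartext and the PPP payload, including the corporate 10.6.0.0 addresses, is readable on the Internet side. The following Python example is added here as an illustration; it is not IBM's code and not part of the i5/OS VPN implementation. It builds the cleartext packet stack System-A would produce, models ESP transport mode over it (the ESP payload is carried unchanged, where a real security association would encrypt and authenticate it), and audits a list of captured packets for anything between the branch host and System-B that is neither IKE nor ESP. The branch address 192.0.2.77, the PPP-assigned address 10.6.11.50, the tunnel and session IDs, and the inner UDP ports are constructed values; the audit keys on the corporate gateway address because the branch address is dynamic. NAT traversal (UDP 4500) is not modelled, on the assumption that no NAT sits between the two systems.

```python
"""Added example (not IBM's code): models the packet layering of the scenario's
L2TP voluntary tunnel and audits packets for L2TP that left System-A unprotected."""
import struct
from ipaddress import ip_address, ip_network

# Addresses from the scenario; the branch address is constructed, because
# System-A receives a dynamic address from its ISP.
CORP_GATEWAY = "205.13.237.6"            # System-B, connection endpoint (IPSec peer)
CORP_SUBNET = ip_network("10.6.0.0/16")  # data endpoint at the corporate site
BRANCH_DYNAMIC_IP = "192.0.2.77"         # assumed ISP-assigned address (constructed)
PROTO_UDP, PROTO_ESP = 17, 50
L2TP_PORT, IKE_PORT = 1701, 500          # NAT traversal (UDP 4500) is out of scope here
PPP_PROTO_IPV4 = 0x0021


def _checksum(data: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    # A zero UDP checksum is legal over IPv4; left at zero to keep the example short.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def l2tp_data(tunnel_id: int, session_id: int, ppp_frame: bytes) -> bytes:
    # RFC 2661 data message with no optional fields: T=0, L=0, S=0, O=0, Ver=2.
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id) + ppp_frame


def branch_to_corp_l2tp(app_payload: bytes, inner_src: str = "10.6.11.50",
                        inner_dst: str = "10.6.11.1", tunnel_id: int = 7,
                        session_id: int = 3) -> bytes:
    """Cleartext stack System-A (LAC and PPP client) builds before IPSec is applied:
    IP(branch -> System-B) / UDP 1701 / L2TP / PPP / IP(corporate subnet)."""
    inner_ip = ipv4(inner_src, inner_dst, PROTO_UDP, udp(40000, 23, app_payload))
    ppp_frame = struct.pack("!H", PPP_PROTO_IPV4) + inner_ip
    l2tp = l2tp_data(tunnel_id, session_id, ppp_frame)
    return ipv4(BRANCH_DYNAMIC_IP, CORP_GATEWAY, PROTO_UDP,
                udp(L2TP_PORT, L2TP_PORT, l2tp))


def esp_transport(packet: bytes, spi: int, seq: int) -> bytes:
    """Model of ESP transport mode over the L2TP packet: the IP header is kept with
    protocol 50 and the transport payload sits behind the ESP header. A real SA
    encrypts and authenticates that payload; here it is carried unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    src, dst = str(ip_address(packet[12:16])), str(ip_address(packet[16:20]))
    return ipv4(src, dst, PROTO_ESP, struct.pack("!II", spi, seq) + packet[ihl:])


def classify(packet: bytes) -> tuple:
    """Return (kind, src, dst) for an IPv4 packet seen on the Internet side."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src, dst = str(ip_address(packet[12:16])), str(ip_address(packet[16:20]))
    kind = "other"
    if proto == PROTO_ESP:
        kind = "esp"
    elif proto == PROTO_UDP:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if L2TP_PORT in (sport, dport):
            kind = "l2tp-cleartext"
        elif IKE_PORT in (sport, dport):
            kind = "ike"
    return kind, src, dst


def decode_cleartext_l2tp(packet: bytes) -> dict:
    """Peel UDP/L2TP/PPP off an unprotected packet: what an eavesdropper would see."""
    ihl = (packet[0] & 0x0F) * 4
    l2tp = packet[ihl + 8:]
    flags, tunnel_id, session_id = struct.unpack("!HHH", l2tp[:6])
    if flags & 0x000F != 2 or flags & 0x8000:
        raise ValueError("not an L2TPv2 data message")
    (ppp_proto,) = struct.unpack("!H", l2tp[6:8])
    inner = l2tp[8:]
    return {"tunnel": tunnel_id, "session": session_id, "ppp_proto": ppp_proto,
            "inner_src": str(ip_address(inner[12:16])),
            "inner_dst": str(ip_address(inner[16:20]))}


def audit(packets, branch_ip: str = BRANCH_DYNAMIC_IP) -> list:
    """Findings for anything between the branch host and System-B that is not IKE
    or ESP. Once the packet rules are active, nothing else should appear there."""
    findings = []
    for i, pkt in enumerate(packets):
        kind, src, dst = classify(pkt)
        if {src, dst} == {branch_ip, CORP_GATEWAY} and kind not in ("esp", "ike"):
            findings.append((i, kind, src, dst))
    return findings


if __name__ == "__main__":
    clear = branch_to_corp_l2tp(b"constructed application data")
    protected = esp_transport(clear, spi=0x1000, seq=1)
    print(classify(protected))           # ('esp', '192.0.2.77', '205.13.237.6')
    print(decode_cleartext_l2tp(clear))  # tunnel/session IDs and inner 10.6.x addresses
    print(audit([protected, clear]))     # flags packet 1 as l2tp-cleartext
```

Run the audit over packets captured on the Internet-facing interface of either system after the packet rules are activated: any finding of kind l2tp-cleartext means the L2TP tunnel is running outside IPSec, which is exactly the state the dynamic-key group association and the packet rules are meant to prevent.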
Parent topic:
VPN scenarios
Related concepts
Layer 2 Tunnel Protocol (L2TP)