Combining IPsec with L2TPv3 for Secure Pseudowire

As described in Chapter 18, "IEEE 802.1AE," IEEE 802.1AE protects all Layer 2 traffic with encryption and authentication. Not all existing switches support IEEE 802.1AE; therefore, in the short term, an alternative solution might be attractive. This solution relies on IPsec for the security features. Although IPsec is convenient and well suited to protecting IP traffic, it is sometimes necessary to also protect all Layer 2 communication between two sites, such as when spanning a LAN over a confidential tunnel. IPsec alone cannot fulfill this requirement because it applies only to IP traffic.

This appendix describes how two Cisco IOS features (IPsec and Layer 2 Tunnel Protocol version 3 [L2TPv3] used in xconnect mode) can be combined to produce a simple and elegant solution.

NOTE This solution's security properties include confidentiality and integrity of all Layer 2 traffic transported over the public network and traffic isolation. (It is impossible to inject LAN traffic from the public network.) A denial of service (DoS) attack from the public network can still be launched, and this disrupts LAN traffic by causing packet drops; however, it won't propagate within the LAN network.


The architecture, as shown in Figure A-1, relies on L2TPv3, which includes the following:

• Encapsulation of any Ethernet frame in an IP packet (protocol 115)

• Control channel to negotiate all L2TPv3 parameters (might include passwords, cookies, and so on)

Figure A-1 Global Architecture for Combined L2TPv3 and IPsec (figure labels: all frames are forwarded from the LAN interface through the L2TPv3 tunnel; IPsec protects all L2TPv3 traffic)

In Cisco IOS routers, L2TPv3 can be used in xconnect (cross-connect) mode between one interface of the local router and another interface on a remote router. All Layer 2 frames are simply forwarded from the local interface to the remote interface, so Cisco IOS never processes those Layer 2 frames: it neither bridges nor routes them. In Internet Engineering Task Force (IETF) terminology, this is called a pseudowire.

NOTE Instead of L2TPv3, other Layer 2 tunneling mechanisms can be used; for example, in the early 1990s, data-link switching (DLSw) was mainly used to bridge IBM frames over an IP network. DLSw is not a mere transport of Layer 2 frames; it is actual bridging in the sense of IEEE 802.1D. (For example, frames are transported only when the destination is unknown or multicast, or when the destination is known to be on the other side of the tunnel.) Apart from the actual DLSw configuration, the architecture is unchanged.

IPsec is used in transport mode because the traffic to be protected (the L2TPv3 packets) originates from the virtual private network (VPN) routers themselves, so no second IP header is needed. Transport mode is also slightly better regarding packet size, because it adds less overhead per packet than tunnel mode.

Because IPsec is already used to add authentication, integrity, and confidentiality, no L2TPv3 security feature is used.
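The following Cisco IOS configuration is an added example of the architecture just described; it is not configuration taken from the book or from Cisco. It assumes two VPN routers, Router A with public address 192.0.2.1 and Router B with 198.51.100.1 (documentation addresses chosen for the example), a LAN-side interface GigabitEthernet0/0 and a WAN-side interface GigabitEthernet0/1 on each router, a pseudowire VC ID of 100, and a pre-shared key shown only as a placeholder. The LAN interface is cross-connected to the remote peer with L2TPv3 (IP protocol 115), no L2TPv3 authentication or cookies are configured, and an IPsec crypto map in transport mode matches exactly the protocol 115 traffic between the two endpoints, so every L2TPv3 control and data packet leaves the WAN interface as ESP.

```cisco
! ===== Router A (public address 192.0.2.1, peer is 198.51.100.1) =====
!
! --- L2TPv3 pseudowire in xconnect mode ---
! Empty l2tp-class: no L2TPv3 authentication or cookies, IPsec secures the tunnel
l2tp-class L2TP-CLASS
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface GigabitEthernet0/1
!
! LAN-side interface: frames are cross-connected, never bridged or routed by IOS
interface GigabitEthernet0/0
 description LAN side of the pseudowire
 no ip address
 xconnect 198.51.100.1 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
! --- IPsec in transport mode protecting all L2TPv3 (IP protocol 115) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PLACEHOLDER: replace with the real pre-shared key (not part of the example)
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
!
! Match only L2TPv3 between the two endpoints: control channel and data packets
ip access-list extended L2TPV3-TO-B
 permit 115 host 192.0.2.1 host 198.51.100.1
!
crypto map CM-L2TPV3 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 match address L2TPV3-TO-B
!
! WAN-side interface toward the public network; crypto map applied here
interface GigabitEthernet0/1
 description WAN side (public network)
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-L2TPV3
!
! ===== Router B (public address 198.51.100.1, peer is 192.0.2.1) =====
! Same structure with addresses swapped
l2tp-class L2TP-CLASS
!
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface GigabitEthernet0/1
!
interface GigabitEthernet0/0
 description LAN side of the pseudowire
 no ip address
 xconnect 192.0.2.1 100 encapsulation l2tpv3 pw-class PW-L2TPV3
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER address 192.0.2.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
!
ip access-list extended L2TPV3-TO-A
 permit 115 host 198.51.100.1 host 192.0.2.1
!
crypto map CM-L2TPV3 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES-SHA
 match address L2TPV3-TO-A
!
interface GigabitEthernet0/1
 description WAN side (public network)
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-L2TPV3
```

To verify the result, `show l2tun session all` should report the pseudowire session as established and `show crypto ipsec sa` should show the encapsulation and decapsulation counters increasing as LAN frames cross the tunnel. A capture taken on the public side of either WAN interface should contain only ESP (IP protocol 50) and ISAKMP (UDP port 500) between the two endpoints; if IP protocol 115 appears in the clear, the crypto access list does not cover the L2TPv3 traffic, typically because the `ip local interface` address and the access list addresses do not match.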

Comparison with IEEE 802.1AE

Several differences exist between this combination of L2TPv3 and IPsec and the IEEE 802.1AE:

• 802.1AE encrypts and decrypts hop by hop; L2TPv3 with IPsec encrypts end to end.

• 802.1AE allows for network services colocated on a switch, such as firewalls and intrusion detection systems (IDS), to work on decrypted packets, while IPsec completely prevents the use of firewall and IDS on the tunnel's path.

• 802.1AE needs to be deployed on all switches on the path; L2TPv3 with IPsec requires only L2TPv3 and IPsec on the two tunnel endpoints.

Aside from their differences, a user might find both solutions to be similar: Data within a Layer 2 domain is encrypted when traversing a nontrusted domain.
