Yes. You will need to use IPsec tunnel mode. Commonly seen configuration calls for a loopback interface to be the source of all the interesting traffic and the pseudowire-class would use the loopback interface as the source. The IPsec ACL will be source as loopback and destination as your LNS.
On Thu, Mar 22, 2012 at 1:43 PM, Lukasz <[email protected]> wrote:
> Thanks Gaurav,
>
> that makes sense, but I guess in that situation at first the router on the
> left should not be able to reach the L2TP server till it establishes an IPsec
> connection to the firewall? If that is the case then I need IPsec tunnel
> mode? If I put transport mode I probably need some static route on the
> router or routing protocol which would point out the L2TP server?
>
> Lukasz
>
> On 2012-03-22 16:36, Gaurav Sabharwal wrote:
>>
>> Lukasz,
>>
>> Yes. You can have IPsec terminating on a firewall and L2TP terminating
>> on a router. The major advantage that you would get is offloading the
>> crypto to a dedicated firewall. Until and unless you use routers such
>> as 7200 with VAM2+ type encryption engine, it might be best to offload
>> the crypto to another device. Another reason for using a firewall
>> to terminate IPsec would be the security that it provides (think
>> IDS/IPS, etc.).
>>
>> Thanks,
>> Gaurav
>>
>> On Thu, Mar 22, 2012 at 11:57 AM, Lukasz <[email protected]> wrote:
>>>
>>> Hi All,
>>>
>>> I have a feasibility question regarding L2TP and IPsec. I know you need to
>>> run L2TP over IPsec but... can you terminate the IPsec on the IPsec head end
>>> and L2TP on the other device? If this is possible, what is the advantage of
>>> that scenario? I believe the IPsec needs to be in transport mode in order for
>>> this to work.
>>>
>>> I only found information on the Cisco website about L2TP over IPsec terminated
>>> on the same head end.
>>>
>>> scenario
>>>
>>> |router| ------- |IPsec Head end| ----- |L2TP head end|
>>>
>>>        -----ipsec-------
>>> LAC -------------------- L2TP -------------- LNS
>>>
>>> Thanks in advance
>>>
>>> Lukasz
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training, please
>>> visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>>
>>> http://onlinestudylist.com/mailman/listinfo/ccie_rs
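The LAC-side configuration that the reply at the top of this thread describes (loopback as the source of the interesting traffic, pseudowire-class sourced from that loopback, crypto ACL from loopback to LNS, IPsec tunnel mode towards the firewall), written out as an added example. This is not configuration from the thread or from any of its participants. Every address, name and secret below is a constructed placeholder (10.0.0.1 for the LAC loopback, 192.0.2.10 for the LNS, 198.51.100.1 for the IPsec head end, 203.0.113.0/30 for the LAC uplink), and the L2TP side is written as an L2TPv3 xconnect because the reply names a pseudowire-class; an L2TPv2 vpdn-group build would use the same loopback-as-source idea.

```cisco
! Added example, not from the thread. Placeholders (constructed):
!   10.0.0.1       Loopback0 on the LAC, source of all L2TP traffic
!   192.0.2.10     LNS (L2TP head end, receives L2TP in the clear from the firewall)
!   198.51.100.1   IPsec head end (firewall, the crypto peer)
!   203.0.113.1/2  firewall-facing uplink on the LAC

! 1. Loopback that sources the interesting traffic
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! 2. L2TP control-channel parameters and the pseudowire class.
!    "ip local interface" is what makes every L2TP packet leave with the
!    loopback as its source, so one host-to-host crypto ACL catches all of it.
l2tp-class L2TP-CLASS
 authentication
 password 0 REPLACE-WITH-L2TP-SECRET
!
pseudowire-class PW-CLASS
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
!
! 3. Attachment circuit bound to the LNS through the pseudowire class
interface GigabitEthernet0/1
 no ip address
 xconnect 192.0.2.10 100 encapsulation l2tpv3 pw-class PW-CLASS
!
! 4. Crypto ACL: exactly the loopback-to-LNS traffic, nothing wider
ip access-list extended CRYPTO-ACL
 permit ip host 10.0.0.1 host 192.0.2.10
!
! 5. IKE/IPsec towards the firewall. Tunnel mode is required here: the crypto
!    peer (firewall) is not the inner destination (LNS), so the L2TP packet
!    must be wrapped in a new IP header addressed to the firewall. Transport
!    mode would only work if the LNS itself were the IPsec peer.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-IKE-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map CM-LNS 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address CRYPTO-ACL
!
! 6. Apply the crypto map on the only egress towards the firewall and route
!    the LNS address out that interface, so loopback-sourced L2TP cannot
!    leave by a path that bypasses the crypto map and travel in the clear.
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map CM-LNS
!
ip route 192.0.2.10 255.255.255.255 203.0.113.1
```

This also answers the reachability question raised in the quoted reply: with a crypto map applied, the first L2TP control packet from Loopback0 to the LNS matches CRYPTO-ACL and triggers IKE to the firewall; until the IPsec SA is up, matching packets are not forwarded in the clear, and the L2TP session comes up only once the SA exists. To verify, `show crypto ipsec sa` should show the loopback/LNS identities with rising encaps counters, and `show xconnect all` or `show l2tp session` should show the session up only after that. On the firewall side, since the LNS receives plaintext L2TP, the rule set that applies after decryption should admit only the L2TP traffic itself (IP protocol 115 for L2TPv3 over IP, or UDP 1701 when L2TP runs over UDP) from the LAC loopback to the LNS, and nothing else from that tunnel.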
