Scenario: Protect an L2TP voluntary tunnel with IPSec

In this scenario, you learn how to setup a connection between a branch office host and a corporate office that uses L2TP protected by IPSec. The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address.

Situation

Suppose your company has a small branch office in another state. Throughout any given workday the branch office may require access to confidential information about an iSeries™ system within your corporate intranet. Your company currently uses an expensive leased line to provide the branch office access to the corporate network. Although your company wants to continue providing secure access to your intranet, you ultimately want to reduce the expense associated with the leased line. This can be done by creating a Layer 2 Tunnel Protocol (L2TP) voluntary tunnel that extends your corporate network, such that the branch office appears to be part of your corporate subnet. VPN protects the data traffic over the L2TP tunnel.

With an L2TP voluntary tunnel, the remote branch office establishes a tunnel directly to the L2TP network server (LNS) of the corporate network. The functionality of the L2TP access concentrator (LAC) resides at the client. The tunnel is transparent to the remote client's Internet Service Provider (ISP), so the ISP is not required to support L2TP. If you want to read more about L2TP concepts, see Layer 2 Tunnel Protocol (L2TP).

Important: This scenario shows the security gateways attached directly to the Internet. The absence of a firewall is intended to simplify the scenario. It does not imply that the use of a firewall is not necessary. Consider the security risks involved any time you connect to the Internet.

Objectives

In this scenario, a branch office system connects to its corporate network through a gateway system with an L2TP tunnel protected by VPN.

The main objectives of this scenario are:

The branch office system always initiates the connection to the corporate office.
The branch office system is the only system at the branch office network that needs access to the corporate network. In other words, its role is that of a host, not a gateway, in the branch office network.
The corporate system a host computer in the corporate office network.

Details

The following figure illustrates the network characteristics for this scenario:

iSeries-A

Must have access to TCP/IP applications on all systems in the corporate network.
Receives dynamically assigned IP addresses from its ISP.
Must be configured to provide L2TP support.

iSeries-B

Must have access to TCP/IP applications on iSeries-A.
Subnet is 10.6.0.0 with mask 255.255.0.0. This subnet represents the data endpoint of the VPN tunnel at the corporate site.
Connects to the Internet with IP address 205.13.237.6. This is the connection endpoint. That is, iSeries-B performs key management and applies IPSec to incoming and outgoing IP datagrams. iSeries-B connects to its subnet with IP address 10.6.11.1.

In L2TP terms, iSeries-A acts as the L2TP initiator, while iSeries-B acts as the L2TP terminator.

Configuration tasks

Assuming that TCP/IP configuration already exists and works, you must complete the following tasks: