KB 0000571
Dated 16/02/12
Revision 1.02

Cisco ASA5500 - L2TP over IPSEC VPN

Problem

When Cisco released version 7 of the operating system for PIX/ASA they dropped support for the firewall acting as a PPTP VPN device. Note: If you want to use PPTP you can still terminate PPTP VPNs on a Windows server, provided you enable PPTP and GRE passthrough on the ASA. But if you want to use the native Windows VPN client you can still use L2TP over IPSEC.

I had a look around the net to work out how to do this; most decent articles are written using older versions of the ASDM, and the CLI information I found on Cisco's site didn't help either. Bottom line: you can use the ASDM to configure L2TP VPNs, but there are so many bits you need to alter that you might as well have done it from the command line anyway. The ASDM also generates a lot of ugly code (this will probably be fixed in future ASDM releases).

What I'm using

1. Cisco ASA5505 version 8.4(3) and ASDM version 6.4(7).
2. Network behind the ASA: 10.254.254.0/24.
3. IP addresses of the remote clients: 192.168.100.1 to 10 (DNS 10.254.254.5).
4. Split tunnelling enabled.
5. Local (on the ASA) user authentication.
6. Authentication via pre-shared key 1234567890.

Solution

Configure the ASA 5500 for L2TP IPSEC VPNs

1. Connect to the ASA, go to "enable mode", then to "configure terminal mode".

User Access Verification

2. First we need to create a "pool" of IP addresses for the remote clients to use.

PetesASA(config)# ip local pool L2TP-Pool 192.168.100.1-192.168.100.10

3. Now make sure the traffic that's going to travel over our VPN is not NATted. Note: This assumes that 192.168.100.0/24 is the remote VPN clients' subnet, and 10.254.254.0/24 is the subnet BEHIND the ASA.

PetesASA(config)# object network Internal-Subnet
PetesASA(config-network-object)# subnet 10.254.254.0 255.255.255.0
PetesASA(config-network-object)# object network L2TP-Subnet
PetesASA(config-network-object)# subnet 192.168.100.0 255.255.255.0
PetesASA(config-network-object)# nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup

The L2TP-Subnet object must cover the whole pool from step 2 (192.168.100.1 to .10); a /29 mask (255.255.255.248) would only exempt .0 to .7, so clients handed the last three pool addresses would still be NATted and would not reach the internal subnet.

4. Normally when a remote client is connected they will lose all other connections (including their other internet connections) while connected; to stop this you need to enable "split tunnelling". You will refer to this later, but for now we just need to create an ACL.

PetesASA(config)# access-list Split-Tunnel-ACL standard permit 10.254.254.0 255.255.255.0

5. We need a "transform set" that will be used for "Phase 2" of the tunnel. I'm going to use AES encryption and SHA hashing, then set the transform type to "transport".

PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport

6. Remote VPNs usually use a "dynamic crypto map". The following creates one that uses our transform set, then applies it to the firewall's outside interface.

PetesASA(config)# crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
PetesASA(config)# crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
PetesASA(config)# crypto map L2TP-VPN-MAP interface outside

7. Then enable IKE (version 1) on the outside interface, and create a policy that will handle "Phase 1" of the tunnel: in this case 3DES for encryption, SHA for hashing, and Diffie-Hellman group 2 for the secure key exchange.

PetesASA(config)# crypto ikev1 enable outside
PetesASA(config)# crypto ikev1 policy 5
PetesASA(config-ikev1-policy)# authentication pre-share
PetesASA(config-ikev1-policy)# encryption 3des
PetesASA(config-ikev1-policy)# hash sha
PetesASA(config-ikev1-policy)# group 2
PetesASA(config-ikev1-policy)# lifetime 86400

8. Create a group policy that holds the following: the DNS server IP(s) that will be handed to the remote clients, the tunnel type (L2TP IPSEC), split tunnelling enabled using the ACL we created in step 4, and the domain name that will be given to the remote clients. The "intercept-dhcp enable" looks after a Windows client problem. Finally, create a user and password. Note: In this example I'm using the ASA's local database of users for authentication.

PetesASA(config)# group-policy L2TP-Policy internal
PetesASA(config)# group-policy L2TP-Policy attributes
PetesASA(config-group-policy)# dns-server value 10.254.254.5
PetesASA(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
PetesASA(config-group-policy)# split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel-ACL
PetesASA(config-group-policy)# default-domain value petenetlive.com
PetesASA(config-group-policy)# intercept-dhcp enable
PetesASA(config-group-policy)# username petenetlive password password123 mschap

9. Every tunnel needs a "tunnel group". You HAVE TO use the DefaultRAGroup (unless you are securing things with certificates, which we are not). This pulls in the IP pool we created in step 2 and the policy we created in step 8.

PetesASA(config)# tunnel-group DefaultRAGroup general-attributes
PetesASA(config-tunnel-general)# address-pool L2TP-Pool
PetesASA(config-tunnel-general)# default-group-policy L2TP-Policy

10. For the tunnel group, set up a shared key and the authentication method for our clients.

PetesASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
PetesASA(config-tunnel-ipsec)# ikev1 pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
PetesASA(config-ppp)# no authentication chap
PetesASA(config-ppp)# authentication ms-chap-v2

11. Finally, save the new config.

PetesASA# write mem
7424 bytes copied in 1.710 secs (7424 bytes/sec)
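Added example, not part of the original article: a small Python check that reads the ASA lines built in steps 2, 3 and 5 and reports the two mistakes that most often break this setup, a pool that is not fully covered by the NAT-exempt object subnet, and a transform set left in the default tunnel mode. The config text is constructed for the example, not pulled from a live device.

```python
import ipaddress
import re

# Constructed sample (not copied from a live device): the article's pool beside a
# /29 L2TP-Subnet object, and the transform set without its "mode transport" line,
# so both checks have something to report.
SAMPLE_CONFIG = """\
ip local pool L2TP-Pool 192.168.100.1-192.168.100.10
object network Internal-Subnet
 subnet 10.254.254.0 255.255.255.0
object network L2TP-Subnet
 subnet 192.168.100.0 255.255.255.248
crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
"""

def parse_asa(cfg):
    """Collect the pools, object subnets and transform sets the checks need."""
    st = {"pools": {}, "subnets": {}, "tsets": set(), "transport": set()}
    obj = None
    for line in cfg.splitlines():
        if m := re.match(r"ip local pool (\S+) (\S+)-(\S+)", line):
            st["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"object network (\S+)", line):
            obj = m[1]
        elif obj and (m := re.match(r" subnet (\S+) (\S+)", line)):
            st["subnets"][obj] = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+)( mode transport)?", line):
            st["tsets"].add(m[1])
            if m[2]:
                st["transport"].add(m[1])
    return st

def check_l2tp(cfg):
    """Return a list of findings; an empty list means both checks passed."""
    st = parse_asa(cfg)
    findings = []
    for name, (lo, hi) in st["pools"].items():
        # The NAT exemption only covers clients whose pool address falls inside
        # one of the object subnets used in the "nat ... source static" rule.
        if not any(lo in net and hi in net for net in st["subnets"].values()):
            findings.append(f"pool {name} ({lo}-{hi}) is not fully covered by any object subnet")
    for ts in sorted(st["tsets"] - st["transport"]):
        # Windows L2TP/IPsec will not negotiate against the default tunnel mode.
        findings.append(f"transform-set {ts} is missing 'mode transport'")
    return findings

if __name__ == "__main__":
    for finding in check_l2tp(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run it against a `show running-config` capture to get the same two findings before the first client tries to connect.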
Configure Windows VPN client for L2TP IPSEC connection to Cisco ASA 5500

Note: Windows 7 x64 used.

1. Launch the "Network and Sharing Center" > Set up a new connection or network.
2. Connect to a workplace > Next.
3. Use my Internet connection (VPN).
4. Type in the name or IP address of the ASA, and a name for the connection. At this point select "Don't connect now" or it will fail. > Next.
5. Type in the user credentials > Create.
6. Close.
7. Now you need to edit the connection > Start > ncpa.cpl {enter}.
8. Right click the VPN connection you created earlier and select Properties.
9. Security tab > Change the VPN type to "Layer 2 Tunnelling Protocol with IPsec (L2TP/IPsec)" > Additional Settings and enter the pre-shared key you set on the firewall (in the tunnel-group) > OK > Tick MSCHAP version 2 only.
10. Networking tab > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced.
11. Untick "Use default gateway on remote network" > OK > OK > OK.
12. Then launch the connection and enter your credentials.
13. Note: You may find that the connection WON'T WORK until you have selected a network type (when prompted), even if you have the Windows Firewall disabled.
Related Articles, References, Credits, Or External Links

Cisco ASA Site to Site VPN's
Site to Site ISAKMP VPN
Set up Remote Access PPTP VPN's in server 2008