Cisco ASA – L2TP over IPSEC VPN

KB ID 0000571

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

When Cisco released version 7 of the operating system for PIX/ASA they dropped support for the firewall acting as a PPTP VPN device.

Note: If you want to use PPTP you can still terminate PPTP VPNs on a Windows server, if you enable PPTP and GRE Passthrough on the ASA.

But if you want to use the native Windows VPN client you can still use L2TP over IPSEC. I had a look around the net to work out how to do this and most decent articles are written using the older versions of the ASDM, and the CLI information I found on Cisco’s site didn’t help either.

What I’m using

1. Cisco ASA5525 version 9.2(4) and ASDM version 7.6(1).

2. Network behind the ASA 192.168.110.0/24.

3. IP addresses of the remote clients 192.168.198.1 to 254 (DNS 192.168.110.10).

4. Split tunnelling enabled.

5. Local (On the ASA) user authentication.

6. Authentication via Pre Shared Key 1234567890.

Configure the ASA 5500 for L2TP IPSEC VPNs from ASDM

1.  From within the ASDM > Wizards > VPN Wizards > IPSec (IKEv1) Remote Access VPN Wizard)

2. Next.

3. Tick Microsoft Windows Client using L2TP over IPSEC > Tick MS-CHAP-V2 ONLY  > Next.

4. Type in a pre-shared key > Next. 

5. Select LOCAL authentication > Next.

6. Enter a username/password to use for connection to the VPN > Next.

7.  Create a ‘VPN Pool‘ for the remote clients to use as a DHCP pool > OK > Next.

8. Enter your internal DNS server(s) and domain name > Next.

 

9. Set your internal network(s) > Tick “Enable Split tunnelling…” > Untick PFS > Next.

10. Finish.

11. Save the changes.

Configure the ASA 5500 for L2TP IPSEC VPNs from CLI

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification
        
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#

[/box]

2. First we need to create a “Pool” of IP addresses for the remote client to use.

[box]

PetesASA(config)# ip local pool L2TP-Pool 192.168.198.1-192.168.198.10

[/box]

3. Now to make sure the traffic that’s going to travel over our VPN is not NATTED.

Note: This is assuming that 192.168.100.0/24 is the remote VPN clients subnet, and 10.254.254.0/24 is the subnet BEHIND the ASA.

[box]

PetesASA(config)# object network Internal-Subnet
PetesASA(config-network-object)#  subnet 192.168.110.0 255.255.255.0
PetesASA(config-network-object)# object network L2TP-Subnet
PetesASA(config-network-object)#  subnet 192.168.198.0 255.255.255.248
PetesASA(config-network-object)# nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup  

[/box]

4. Normally when a remote client is connected they will lose all other connections (including their other internet connections) while connected, to stop this you need to enable “Split Tunnelling“. You will refer to this later but for now we just need to create an ACL.

[box]

PetesASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.110.0 255.255.255.0 

[/box]

5. We need a “Transform Set” that will be used for “Phase 2” of the tunnel, I’m going to use AES encryption and SHA hashing, then set the transform type to “Transport”.

[box]

PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport

[/box]

6. Remote VPNs usually use a “Dynamic Cryptomap”, the following will create one that uses our transform set, then applies that to the firewalls outside interface.

[box]

PetesASA(config)# crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
PetesASA(config)# crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
PetesASA(config)# crypto map L2TP-VPN-MAP interface outside

[/box]

7. Then enable IKE (version 1) on the outside interface. And create a policy that will handle “Phase 1” of the tunnel, in this case 3DES for encryption, and SHA for hashing, and Diffie Hellman group 2 for the secure key exchange.

[box]

PetesASA(config)# crypto ikev1 enable outside
PetesASA(config)# crypto ikev1 policy 5
PetesASA(config-ikev1-policy)#  authentication pre-share
PetesASA(config-ikev1-policy)#  encryption 3des
PetesASA(config-ikev1-policy)#  hash sha
PetesASA(config-ikev1-policy)#  group 2
PetesASA(config-ikev1-policy)#  lifetime 86400
PetesASA(config-ikev1-policy)#

[/box]

8. Create a group policy, that hold the following, DNS server IP(s) that will be leased to the remote clients. Tunnel type (L2TP IPSEC), enable spit tunnelling using the ACL we created in step 4. The domain name that will be given to the remote clients. The “intercept-dhcp enable” looks after a Windows client problem. And finally create a user and password.

Note: In this example I’m using the ASA’s local database of users for authentication.

[box]

PetesASA(config)# group-policy L2TP-Policy internal
PetesASA(config)# group-policy L2TP-Policy attributes
PetesASA(config-group-policy)#  dns-server value 192.168.110.10
PetesASA(config-group-policy)#  vpn-tunnel-protocol l2tp-ipsec
PetesASA(config-group-policy)#  split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)#  split-tunnel-network-list value Split-Tunnel-ACL
PetesASA(config-group-policy)#  default-domain value test.net
PetesASA(config-group-policy)#  intercept-dhcp enable
PetesASA(config-group-policy)# username testuser password password123 mschap

[/box] 

9. Every tunnel needs a “Tunnel Group”, You HAVE TO use the DefaultRAGroup (Unless you are securing things with certificates which we are not). This pulls in the IP Pool we created in step 2 and the policy we created in step 8.

[box]

PetesASA(config)# tunnel-group DefaultRAGroup general-attributes
PetesASA(config-tunnel-general)#  address-pool L2TP-Pool
PetesASA(config-tunnel-general)#  default-group-policy L2TP-Policy

[/box]

10. For the tunnel group, setup a shared key, and the authentication method for our clients.

Note: We are disabling CHAP and enabling MSCHAP v2.

[box]

PetesASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
PetesASA(config-tunnel-ipsec)#  ikev1 pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
PetesASA(config-ppp)#  no authentication chap
PetesASA(config-ppp)#  authentication ms-chap-v2

[/box]

11. Finally save the new config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]

Configure Windows VPN client for L2TP IPSEC connection to Cisco ASA 5500

Note: Windows 10 Enterprise used.

1. Start > Settings > Network and Internet.

2. VPN > Add a VPN Connection.

3. VPN Provider = Windows (Built-in) > Connection Name = (A Sensible name) > Server name or Address = Public IP/Hostname of the ASA > Scroll Down.

4. VPN Type = L2TP/IPSEC with pre-shared key > Pre Shared Key = {the one you set on the firewall in our example 1234567890} > Type of sign-in information = Username and Password.

Note: You may want to untick “Remember my sign-in information” To supply a username and password each time.

5. Start > ncpa.cpl {Enter} > Right click your VPN connection profile > Properties..

6. Security Tab > Allow These Protocols > Tick “Microsoft CHAP version 2 (MS-CHAP v2)” > OK.

7. You can now connect your VPN.

 

Related Articles, References, Credits, or External Links

Cisco ASA Site to Site VPN’s Site to Site ISAKMP VPN

Set up Remote Access PPTP VPN’s in server 2008

Using the Microsoft VPN client through Cisco ASA/PIX

Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

Cisco ASA – Converting IKEv1 VPN Tunnels to IKEv2

KB ID 0001196 

Problem

We’ve had IKEv2 support on Cisco ASA for a while, (since  version 8.4). I tend to setup site to site VPN tunnels at command line, and on the rare occasions I’m using the ASDM I normally just ignore the IKEv2 settings. Like all techies I know a way that works, so I will keep doing it that way.

What’s the difference between IKEv1 and IKEv2?

IKE version 2 is a lot more efficient and has a smaller network overhead, this is because it uses less messages to establish secure peers. Back with IKEv1 we had main mode (9 messages), and aggressive mode (6 messages), but IKEv2 only has one mode and that has only 4 messages. Back with IKEv1 both ends of the tunnel needed to use the same method of authentication (usually a shared secret (PSK) or an RSA Signature (Digital certificate). But with IKEv2 each end of the tunnel can use a different authentication method. Nat Traversal is automatically taken care of, and DoS Attacks can be mitigated by built in anti-replay, and cookie support to defend against flood attacks.

 

Solution

Migrating your tunnels from IKEv1 to IKEv2 is probably the easiest job you’ve been given, (it can be done with one command). But doing something, and understanding whats happening are two different things.

I usually use AES-256 and SHA for site to site VPNs so a typical config I would deploy would look like this;

[box]

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

[/box]

Assuming both sites are OK and the tunnel is up, if we look to see what’s happening with ISAKMP we see something like this.

[box]

Petes-ASA(config)# show crypto isakmp
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

[/box]

You do the entire conversion with one command ‘migrate l2l’, or if these are client to site VPNS you can use ‘migrate remote-access’

[box]

Petes-ASA(config)# migrate ?

configure mode commands/options:
  l2l            Migrate IKEv1 lan-to-lan configuration to IKEv2
  overwrite      Overwrite existing IKEv2 configuration
  remote-access  Migrate IKEv1 remote-access configuration to IKEv2/SSL
  
Petes-ASA(config)# migrate l2l
Petes-ASA(config)#

[/box]

Now ensure you do the same at the other end, (or ensure the other vendor supports IKEv2). BE AWARE: By default if you configure IKEv1 and IKEv2 the ASA will fall back to IKEv1 if it cannot negotiate IKEv2. At this point we already have a tunnel established, so we need to ‘bounce’ the tunnel to get it to re-esablish.

[box]

PetesASA(config)# clear crypto isakmp
PetesASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 87787277       123.123.123.123/500      2.2.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/7 sec
Child sa: local selector  10.0.0.0/0 - 10.0.0.255/65535
          remote selector 10.0.3.0/0 - 10.0.3.255/65535
          ESP spi in/out: 0xa5034be1/0x6c5de26e

[/box]

We are now running over IKEv2, to see how that’s changed the config see the differences below, highlighted in blue.

[box]

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
 protocol esp encryption aes
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-SHA
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
 protocol esp encryption aes-192
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
 protocol esp encryption des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
 protocol esp encryption des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
 protocol esp encryption aes-256
 protocol esp integrity md5
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
!

[/box]

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 Site to Site VPN (From CLI)

VPN Problem Cisco PIX v6 to Cisco ASA 5500

KB ID 0000761 

Problem

I found this out purely by accident today, while replacing an old PIX 506E that had died with an ASA 5505. The client’s other site still had a PIX 506E (Running 6.3(5)). I was setting up the VPN, and noticed something that WOULD have been a problem if I had not spotted it.

Solution

Essentially the older PIX firewalls are set for 3DES encryption, MD5 Hashing and Diffie Hellman 2. After version 8.4 the ASA does not have a policy set for this, you need to create one. If I had simply gone ahead, phase 1 of the VPN tunnel would not have established and I would have seen;

[box]

Password:
Type help or ‘?’ for a list of available commands.
Petes-ASA> en
Password: ********
Petes-ASA#debug crypto isakmp 200

<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>

Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message (msgid=ce4a3ffe) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Information Exchange processing failed

<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>

[/box]

And phase 1 would have sat saying, MM_WAIT_MSG2. So you need to create a matching phase 1 (ISAKMP) policy on the ASA.

Create an IKE version 1 Policy via Command Line

1. Connect to the ASA and issue the following commands;

[box]Sent username “pete”
Type help or ‘?’ for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)#crypto ikev1 policy 1
Petes-ASA(config-ikev1-policy)# authentication pre-share
Petes-ASA(config-ikev1-policy)# encryption 3des
Petes-ASA(config-ikev1-policy)# hash md5
Petes-ASA(config-ikev1-policy)# group 2
Petes-ASA(config-ikev1-policy)# lifetime 86400
Petes-ASA(config-ikev1-policy)# exit
Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

Create an IKE version 1 Policy via ASDM

If you are creating a Site to Site VPN tunnel from the ASDM wizard you can add the policy during step 6, like so;

Or to add it after the tunnel has been created, Configuration > Site-to-Site VPN > Advanced > IKE Policies > Add > The priority may be changed, but set the rest of the settings as shown. > OK > Apply > File > Save Running Configuration to Flash.

Related Articles, References, Credits, or External

Links

Cisco ASA5500 Site to Site VPN from ASDM

Cisco PIX 500 – IPSEC Site to Site VPNs (v6)