Cisco ASA – L2TP over IPSEC VPN

KB ID 0000571

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

When Cisco released version 7 of the operating system for PIX/ASA they dropped support for the firewall acting as a PPTP VPN device.

Note: If you want to use PPTP you can still terminate PPTP VPNs on a Windows server, if you enable PPTP and GRE Passthrough on the ASA.

But if you want to use the native Windows VPN client you can still use L2TP over IPSEC. I had a look around the net to work out how to do this and most decent articles are written using the older versions of the ASDM, and the CLI information I found on Cisco’s site didn’t help either.

What I’m using

1. Cisco ASA5525 version 9.2(4) and ASDM version 7.6(1).

2. Network behind the ASA 192.168.110.0/24.

3. IP addresses of the remote clients 192.168.198.1 to 254 (DNS 192.168.110.10).

4. Split tunnelling enabled.

5. Local (On the ASA) user authentication.

6. Authentication via Pre Shared Key 1234567890.

Configure the ASA 5500 for L2TP IPSEC VPNs from ASDM

1.  From within the ASDM > Wizards > VPN Wizards > IPSec (IKEv1) Remote Access VPN Wizard)

2. Next.

3. Tick Microsoft Windows Client using L2TP over IPSEC > Tick MS-CHAP-V2 ONLY  > Next.

4. Type in a pre-shared key > Next. 

5. Select LOCAL authentication > Next.

6. Enter a username/password to use for connection to the VPN > Next.

7.  Create a ‘VPN Pool‘ for the remote clients to use as a DHCP pool > OK > Next.

8. Enter your internal DNS server(s) and domain name > Next.

 

9. Set your internal network(s) > Tick “Enable Split tunnelling…” > Untick PFS > Next.

10. Finish.

11. Save the changes.

Configure the ASA 5500 for L2TP IPSEC VPNs from CLI

1. Connect to the ASA, go to “enable mode”, then to “Configure terminal mode”

[box]

User Access Verification
        
Password:
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# configure Terminal
PetesASA(config)#

[/box]

2. First we need to create a “Pool” of IP addresses for the remote client to use.

[box]

PetesASA(config)# ip local pool L2TP-Pool 192.168.198.1-192.168.198.10

[/box]

3. Now to make sure the traffic that’s going to travel over our VPN is not NATTED.

Note: This is assuming that 192.168.100.0/24 is the remote VPN clients subnet, and 10.254.254.0/24 is the subnet BEHIND the ASA.

[box]

PetesASA(config)# object network Internal-Subnet
PetesASA(config-network-object)#  subnet 192.168.110.0 255.255.255.0
PetesASA(config-network-object)# object network L2TP-Subnet
PetesASA(config-network-object)#  subnet 192.168.198.0 255.255.255.248
PetesASA(config-network-object)# nat (inside,outside) source static Internal-Subnet Internal-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup  

[/box]

4. Normally when a remote client is connected they will lose all other connections (including their other internet connections) while connected, to stop this you need to enable “Split Tunnelling“. You will refer to this later but for now we just need to create an ACL.

[box]

PetesASA(config)# access-list Split-Tunnel-ACL standard permit 192.168.110.0 255.255.255.0 

[/box]

5. We need a “Transform Set” that will be used for “Phase 2” of the tunnel, I’m going to use AES encryption and SHA hashing, then set the transform type to “Transport”.

[box]

PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set esp-aes esp-sha-hmac
PetesASA(config)# crypto ipsec ikev1 transform-set L2TP-IKE1-Transform-Set mode transport

[/box]

6. Remote VPNs usually use a “Dynamic Cryptomap”, the following will create one that uses our transform set, then applies that to the firewalls outside interface.

[box]

PetesASA(config)# crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set L2TP-IKE1-Transform-Set
PetesASA(config)# crypto map L2TP-VPN-MAP 20 ipsec-isakmp dynamic L2TP-MAP
PetesASA(config)# crypto map L2TP-VPN-MAP interface outside

[/box]

7. Then enable IKE (version 1) on the outside interface. And create a policy that will handle “Phase 1” of the tunnel, in this case 3DES for encryption, and SHA for hashing, and Diffie Hellman group 2 for the secure key exchange.

[box]

PetesASA(config)# crypto ikev1 enable outside
PetesASA(config)# crypto ikev1 policy 5
PetesASA(config-ikev1-policy)#  authentication pre-share
PetesASA(config-ikev1-policy)#  encryption 3des
PetesASA(config-ikev1-policy)#  hash sha
PetesASA(config-ikev1-policy)#  group 2
PetesASA(config-ikev1-policy)#  lifetime 86400
PetesASA(config-ikev1-policy)#

[/box]

8. Create a group policy, that hold the following, DNS server IP(s) that will be leased to the remote clients. Tunnel type (L2TP IPSEC), enable spit tunnelling using the ACL we created in step 4. The domain name that will be given to the remote clients. The “intercept-dhcp enable” looks after a Windows client problem. And finally create a user and password.

Note: In this example I’m using the ASA’s local database of users for authentication.

[box]

PetesASA(config)# group-policy L2TP-Policy internal
PetesASA(config)# group-policy L2TP-Policy attributes
PetesASA(config-group-policy)#  dns-server value 192.168.110.10
PetesASA(config-group-policy)#  vpn-tunnel-protocol l2tp-ipsec
PetesASA(config-group-policy)#  split-tunnel-policy tunnelspecified
PetesASA(config-group-policy)#  split-tunnel-network-list value Split-Tunnel-ACL
PetesASA(config-group-policy)#  default-domain value test.net
PetesASA(config-group-policy)#  intercept-dhcp enable
PetesASA(config-group-policy)# username testuser password password123 mschap

[/box] 

9. Every tunnel needs a “Tunnel Group”, You HAVE TO use the DefaultRAGroup (Unless you are securing things with certificates which we are not). This pulls in the IP Pool we created in step 2 and the policy we created in step 8.

[box]

PetesASA(config)# tunnel-group DefaultRAGroup general-attributes
PetesASA(config-tunnel-general)#  address-pool L2TP-Pool
PetesASA(config-tunnel-general)#  default-group-policy L2TP-Policy

[/box]

10. For the tunnel group, setup a shared key, and the authentication method for our clients.

Note: We are disabling CHAP and enabling MSCHAP v2.

[box]

PetesASA(config-tunnel-general)# tunnel-group DefaultRAGroup ipsec-attributes
PetesASA(config-tunnel-ipsec)#  ikev1 pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# tunnel-group DefaultRAGroup ppp-attributes
PetesASA(config-ppp)#  no authentication chap
PetesASA(config-ppp)#  authentication ms-chap-v2

[/box]

11. Finally save the new config.

[box]

PetesASA# write mem
Building configuration...
Cryptochecksum: 79745c0a 509726e5 b2c66028 021fdc7d
7424 bytes copied in 1.710 secs (7424 bytes/sec)
[OK]
PetesASA#
[/box]

Configure Windows VPN client for L2TP IPSEC connection to Cisco ASA 5500

Note: Windows 10 Enterprise used.

1. Start > Settings > Network and Internet.

2. VPN > Add a VPN Connection.

3. VPN Provider = Windows (Built-in) > Connection Name = (A Sensible name) > Server name or Address = Public IP/Hostname of the ASA > Scroll Down.

4. VPN Type = L2TP/IPSEC with pre-shared key > Pre Shared Key = {the one you set on the firewall in our example 1234567890} > Type of sign-in information = Username and Password.

Note: You may want to untick “Remember my sign-in information” To supply a username and password each time.

5. Start > ncpa.cpl {Enter} > Right click your VPN connection profile > Properties..

6. Security Tab > Allow These Protocols > Tick “Microsoft CHAP version 2 (MS-CHAP v2)” > OK.

7. You can now connect your VPN.

 

Related Articles, References, Credits, or External Links

Cisco ASA Site to Site VPN’s Site to Site ISAKMP VPN

Set up Remote Access PPTP VPN’s in server 2008

Using the Microsoft VPN client through Cisco ASA/PIX

Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

PPTP VPN – Enable Split Tunneling

 

KB ID 0000997 

Problem

I was asked yesterday, “When you get five minutes, I need split tunneling setup, when I VPN into a network I lose Internet connectivity”. On inspection he was using the Microsoft VPN client, I jumped on the VPN device to discover it was a Cisco IOS router.

What I discovered was, unlike the firewall VPN’s I’m used to, you DONT set split tunneling up on the VPN device, you set it up on the client, (and its a bit clunky – sorry!)

Solution

1. Windows Key + R > ncpa.cpl {Enter} > Locate the VPN connection > Right Click > Properties > Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced.

2. Untick “Use default gateway on remote network” > OK > OK > OK.

BE AWARE: There is a downside to doing this, as site visitor Clayton Webb points out;

“Unchecking that default gateway is a godsend, until end users use their laptops for torrents, malware, etc. If you have the time I’d recommend a direct access setup for company equipment. VPN w/ NPS health validators for non-company equipment.”

I agree, I would only ever see this as a temporary solution for the ‘technically savvy’.

3. WARNING: At this point you may find you can connect to the VPN, and your Internet now works, (hooray!) But you can no longer talk to any servers or systems on the site you are VPN’d into. This is a Windows routing problem, lets take a look at what IP address I’m getting from the VPN Device.

Above you can see Ive got an IP address of 192.168.2.207, and in my case I don’t have a default gateway (this is not unusual, yours may be the same or you may have a default gateway as well).

4. If you open a command window and issue a ‘route print’ command, you can see the reason I don’t have a default gateway is my gateway is may actual IP address (again this is not unusual, In my case I need to remember 192.168.2.207, if you have a different gateway listed thats the one you need to take notice of).

5. Run a command window (as administrator) and issue a ‘route add‘, command like below.

Note: -P Adds the route persistently (will remain after a reboot). The network you are trying to get to will probably be a different network, to the network IP you are being leased to you by the VPN device. If you have multiple networks you will need a ‘route add’ for each one.

6. To demonstrate; below I can’t get to 192.168.1.1, I then enter the ‘route add’ command, and after that I can get to 192.168.1.1.

Note: I’m not adding my route as persistent!

 

Related Articles, References, Credits, or External Links

Cisco ASA – Enable Split Tunnel for IPSEC / SSLVPN / WEBVPN Clients

Set up Remote Access PPTP VPN’s in Windows Server

KB ID 0000103

Problem

You want to provide access to your corporate network for your remote users.

Solution

Installing the Server Role

1. Start > Server Manager (or Start > run > CompMgmtLauncher.exe (Enter) > Add Roles > Select Network Policy and Access Services > Next > Next

2. Select Remote Access Service > Next > Install > The Service will take awhile to install (Coffee time!).

3. When Done > Close.

4. Start > Administrative tools > Routing and Remote Access > The Server will have a red “down” Arrow on it > Right Click the Server and Select “Configure and enable routing and remote access”

5. Next > Select “Custom Configuration” > Next. (Note: I’m selecting this because I only Have One NIC and I want to use this NIC).

6. VPN Access > Next.

7. When Promoted Select “Start Service” > The Service will start > you can now close the Routing and Remote Access Console.

8. Ensure the user who needs to connect has been granted (either directly or through Policy).

Firewall Note:

For this to work two things need to happen, TCP Port 1723 needs to be allowed (or Port) forwarded to the Server. And GRE (Generic Routing Encapsulation) needs to be allowed to the server. GRE is a PROTOCOL and NOT a Port so you cannot simply Port forward it, it need to be allowed directly to the server, so the server needs a public IP address to allow it to.

Cisco PIX / ASA Users Click Here

Set Up the Client PC’s

Vista & Windows 7

1. Start > Control Panel > Network and sharing Center > Connect to a Network > Set up a Connection or Network > Connect To a Workplace > Next.

2. Use My Internet Connection (VPN) > Enter the public IP address of the VPN server > Enter a Name for the Connection > Next > Enter your Domain Logon details > Connect.

Note sometimes you need to put the username in user_name@domain_name.com format

Windows 2000, 2003, & XP

1. Start > run > NCPA.CPL {Enter}> File > New Connection > Next > Connect to the Network at my workplace > Next.

2. Virtual Private Network Connection > Next.

3.Enter the Public IP Address of the VPN Server. > Next > Select who can use the connection > Next > Finish > Enter the username and password > Connect.

Related Articles, References, Credits, or External Links

Using the Microsoft VPN client through Cisco ASA/PIX

Using the Microsoft VPN client through Cisco ASA/PIX

KB ID 0000009

Problem

You cannot open a Microsoft client VPN tunnel with a cisco PIX or ASA in front of you on the network.

Solution

You need the following open (outbound)

  • TCP port 1723 (thats pptp)
  • Protocol 47 (GRE) – note thats a PROTOCOL and NOT a PORT

Allow PPTP Client through the ASA via Command Line

1. Connect to the ASA then add PPTP inspection to the default inspection map.

[box]

PetesASA>
PetesASA> en
Password: ********
PetesASA# conf t
PetesASA(config)# policy-map global_policy
PetesASA(config)# (config-pmap)# class inspection_default
PetesASA(config)# inspect pptp
PetesASA(config)# 

[/box]

2. Then allow the GRE protocol and TCP Port 1723 outbound.

[box]

PetesASA(config)# access-list outbound extended permit gre any any
PetesASA(config)# access-list outbound extended permit tcp any any eq pptp
PetesASA(config)# access-group outbound in interface inside 

[/box]

3. Save the changes.

[box]

PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425 

8695 bytes copied in 3.670 secs (2898 bytes/sec) [OK] PetesASA(config)#

[/box]

Allow PPTP Client through the ASA via ASDM (GUI)

1. Connect to the ASDM GUI interface. Configuration > Firewall > Access Rules > Add > Inside Interface > Allow > Source = Any > Detination = Any > Service = GRE > OK > Apply.

2. In the same window > Add another rule > This time seelct TCP > Then select ‘More Options’.

3. Change the Source/Service to tcp/pptp > OK > Apply.

4. To add PPTP inspection >Service Policy Rules > Seelct > Inspection_Default > Edit > Rule Actions > Tick PPTP > OK.

5. Finally to save your work > File > Save running configuration to flash

 

Related Articles, References, Credits, or External Links

Original Article Written 18/09/08