Configuring L2TP over IPSec
This chapter describes how to use ASDM to configure L2TP over IPSec on the security appliance, and includes the following topics:
• Configuring L2TP over IPSec
The primary benefit of configuring L2TP with IPSec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, enabling remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required.
The configuration of L2TP with IPSec supports certificates using the pre-shared keys or RSA signature methods, and the use of dynamic (as opposed to static) crypto maps. This summary of tasks assumes completion of IKE, as well as pre-shared keys or RSA signature configuration.
Note L2TP with IPSec on the security appliance allows the LNS to interoperate with the Windows 2000 L2TP client. Interoperability with LACs from Cisco and other vendors is currently not supported. Only L2TP with IPSec is supported; native L2TP itself is not supported on the security appliance.
The minimum IPSec security association lifetime supported by the Windows 2000 client is 300 seconds. If the lifetime on the security appliance is set to less than 300 seconds, the Windows 2000 client ignores it and replaces it with a 300 second lifetime.
IPSec Transport and Tunnel Modes
By default, the security appliance uses IPSec tunnel mode—the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPSec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPSec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPSec. Tunnel mode also protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.
However, the Windows 2000 L2TP/IPSec client uses IPSec transport mode—only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination of the packet. Figure 10-1 illustrates the differences between IPSec Tunnel and Transport modes.
Figure 10-1 IPSec in Tunnel and Transport Modes
Therefore, in order for Windows 2000 L2TP/IPSec clients to connect to the security appliance, you must configure IPSec transport mode for a transform set (see Step 1). With transport mode, you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits examination of the packet. The drawback is that, because transport mode transmits the IP header in clear text, it allows an attacker to perform some traffic analysis.
Note The security appliance does not establish an L2TP/IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN Client Version 2.5, from the Services panel in Windows 2000 (click Start > Programs > Administrative Tools > Services). Then restart the IPSec Policy Agent Service from the Services panel, and reboot the machine.
Configuring L2TP over IPSec
To configure the security appliance to accept L2TP over IPSec connections, follow these steps:
Note The security appliance does not establish an L2TP/IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (choose Start > Programs > Administrative Tools > Services). Then restart the IPSec Policy Agent Service from the Services panel, and reboot the machine.
Step 1 Add an IPSec transform set, and specify IPSec to use transport mode rather than tunnel mode.
To do this, choose Configuration > VPN > IPSec > Transform Sets. Click Add. The Transform Sets pane displays (Figure 10-2).
Figure 10-2 Transform Sets Pane
Click Add. The Add Transform Set dialog displays (Figure 10-3).
Figure 10-3 Add Transform Set Dialog
Enter a name for the transform set. Select the ESP Encryption and ESP Authentication methods. Click OK.
Step 2 Configure a method of address assignment. This example uses IP address pools.
To create an IP address pool, choose Configuration > VPN > IP Address Management > IP Pools. Click Add. The Add IP Pool dialog appears (Figure 10-4).
Figure 10-4 Add IP Pool Dialog
Enter the name of the new IP address pool. Enter the starting and ending IP addresses, and enter the subnet mask and click OK.
Step 3 Assign the IP address pool to a tunnel group. To do this, choose Configuration > VPN > General > Tunnel Group. The Tunnel Group pane appears (Figure 10-5):
Figure 10-5 Tunnel Group Pane
Select a tunnel group in the table, and click Edit. The Edit Tunnel Group dialog appears.
Click the Client Address Assignment tab. The Client Address Assignment tab displays (Figure 10-6), containing the Address Pools group box.
Figure 10-6 Edit Tunnel Group, General Tab, Client Address Assignment Tab
In the Address Pools area, choose an address pool to assign to the tunnel group and click Add. The address pool appears in the Assigned pools box.
Step 4 Configure L2TP over IPSec as a valid VPN tunneling protocol for the group policy. Choose Configuration > VPN > General > Group Policy. The Group Policy pane displays (Figure 10-7).
Figure 10-7 Edit Internal Group Policy
Select a group policy, and click Edit. The Edit Group Policy dialog displays (Figure 10-8).
Figure 10-8 Edit Group Policy Dialog, General Tab
Click L2TP over IPSec to enable the protocol for the group policy. Click OK.
Step 5 Link the group policy to the tunnel group and enable Tunnel Group Switching (optional). Go back to the tunnel group configuration by choosing Configuration > VPN > General > Tunnel Group. The Tunnel Group pane appears. Choose the tunnel group and click Edit. The Edit Tunnel Group dialog displays the General tab, Basic tab (Figure 10-9). Choose a group policy.
Tunnel Group Switching enables the security appliance to associate different users that are establishing L2TP over IPSec connections with different tunnel groups. Since each tunnel group has its own AAA server group and IP address pools, users can be authenticated through methods specific to their tunnel group.
With this feature, instead of sending just a username, the user sends a username and a group name in the format username@group_name, where "@" represents a delimiter that you can configure, and the group name is the name of a tunnel group that has been configured on the security appliance.
Tunnel Group Switching is enabled by Strip Group processing, which enables the security appliance to select the tunnel group for user connections by obtaining the group name from the username presented by the VPN client. The security appliance then sends only the user part of the username for authorization and authentication. Otherwise (if disabled), the security appliance sends the entire username, including the realm.
To enable Tunnel Group Switching, check Strip the realm from username before passing it on to the AAA server, and check Strip the group from username before passing it on to the AAA server. Click OK.
Figure 10-9 Edit Tunnel Group Dialog, General Tab, Basic Tab
Step 6 L2TP over IPSec uses PPP authentication protocols. Specify the protocols that are permitted for PPP connections on the PPP tab of the tunnel group (Figure 10-10). Table 10-1 shows the types of PPP authentication, and their characteristics.
Figure 10-10 Edit Tunnel Group, PPP Tab
Table 10-1 Authentication Type Characteristics
CHAP: In response to the server challenge, the client returns the encrypted [challenge plus password] with a clear text username. This protocol is more secure than PAP, but it does not encrypt data.
EAP: Enables EAP, which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server.
Microsoft CHAP, Version 1, and Microsoft CHAP, Version 2: Similar to CHAP but more secure in that the server stores and compares only encrypted passwords rather than clear text passwords as in CHAP. This protocol also generates a key for data encryption by MPPE.
PAP: Passes clear text username and password during authentication and is not secure.
Step 7 Specify a method to authenticate users attempting L2TP over IPSec connections. You can configure the security appliance to use an authentication server or its own local database. To do this, click the Authentication tab of the tunnel group. The Authentication tab displays (Figure 10-11).
By default, the security appliance uses its local database—the Authentication Server Group drop-down list displays LOCAL. To use an authentication server, select one from the list.
Figure 10-11 Edit Tunnel Group, General Tab, Authentication Tab
Note The security appliance only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with EAP or CHAP, and the security appliance is configured to use the local database, that user will not be able to connect.
Step 8 Create a user in the local database. Choose Configuration >Properties > Device Administration > User Accounts. Click Add. The Add User Accounts dialog opens (Figure 10-12).
If the user is an L2TP client using Microsoft CHAP, Version 1 or Version 2, and the security appliance is configured to authenticate against the local database, you must enable MSCHAP for that user by clicking User Authenticated using MSCHAP.
Figure 10-12 Add User Account Dialog
Step 9 Configure the interval (in seconds) between hello messages. Choose VPN > Configuration > General > VPN System Options. The VPN System Options pane displays (Figure 10-13). Enter a value in seconds in the L2TP Tunnel Keep-alive Timeout field.
Figure 10-13 VPN System Options
Step 10 (Optional) If you expect multiple L2TP clients behind a NAT device to attempt L2TP over IPSec connections to the security appliance, you must enable NAT traversal so that ESP packets can pass through one or more NAT devices.
To do this, choose Configuration > VPN > IKE > Global Parameters. The IKE Global Parameters pane displays (Figure 10-14). Ensure that ISAKMP is enabled on an interface. Check Enable IPSec over NAT-T and click OK.
Figure 10-14 IKE Global Parameters Pane
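The steps above are performed in ASDM. As an added check that is not part of the Cisco guide, the following Python script lints a saved ASA-style running-config text against the constraints this chapter states: a transport-mode transform set (Step 1), l2tp-ipsec enabled in a group policy (Step 4), no CHAP or EAP against the LOCAL database (Step 7 note), MS-CHAP-capable local user passwords (Step 8), and the 300-second SA lifetime floor of the Windows 2000 client. The CLI keywords it matches, the assumption that a tunnel group's general-attributes precede its ppp-attributes, and SAMPLE_CONFIG itself are assumptions made for the demonstration.

```python
import re

# Added example, not from the Cisco guide: lint an ASA-style running-config text against the
# constraints this chapter states for Windows 2000 L2TP/IPSec clients. The CLI syntax matched
# here is assumed (general-attributes before ppp-attributes); SAMPLE_CONFIG is constructed.
MIN_WIN2K_SA_LIFETIME = 300             # seconds; the client replaces smaller values with 300
PROXY_ONLY_PPP = {"chap", "eap-proxy"}  # not served by the LOCAL database (Step 7 note)

SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 120
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup ppp-attributes
 authentication chap
 authentication ms-chap-v2
username jdoe password s3cret mschap
username asmith password s3cret
"""


def check_l2tp_ipsec_config(config):
    """Return a list of findings; an empty list means every check passed."""
    flat = [line.strip() for line in config.splitlines()]
    findings = []
    if not any(re.match(r"crypto ipsec transform-set \S+ mode transport", l) for l in flat):
        findings.append("no transform set in transport mode (Step 1)")
    if not any(re.match(r"vpn-tunnel-protocol\b.*\bl2tp-ipsec\b", l) for l in flat):
        findings.append("l2tp-ipsec is not an allowed tunneling protocol in any group policy (Step 4)")
    group, aaa = None, {}  # tunnel group currently being read, and each group's AAA server group
    for l in flat:
        if m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", l):
            if int(m.group(1)) < MIN_WIN2K_SA_LIFETIME:
                findings.append(f"SA lifetime {m.group(1)}s is below the client minimum of {MIN_WIN2K_SA_LIFETIME}s")
        elif m := re.match(r"tunnel-group (\S+) (general|ppp)-attributes", l):
            group = m.group(1)
        elif m := re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)", l):
            aaa[group] = m.group(1)
        elif m := re.match(r"authentication (\S+)", l):  # PPP protocol under ppp-attributes
            if m.group(1) in PROXY_ONLY_PPP and aaa.get(group, "LOCAL") == "LOCAL":
                findings.append(f"tunnel-group {group}: {m.group(1)} needs a proxy AAA server, not LOCAL (Step 7)")
        elif m := re.match(r"username (\S+) password \S+(.*)", l):
            if "mschap" not in m.group(2).split():
                findings.append(f"username {m.group(1)}: password not stored for MS-CHAP (Step 8)")
    return findings


if __name__ == "__main__":
    for finding in check_l2tp_ipsec_config(SAMPLE_CONFIG):
        print(finding)
```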