Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2
Configuring L2TP over IPSec
Downloads: This chapterpdf (PDF - 114.0KB) The complete bookPDF (PDF - 14.43MB) | Feedback

Configuring L2TP over IPsec

Table Of Contents

Configuring L2TP over IPsec

Information About L2TP over IPsec

IPsec Transport and Tunnel Modes

Licensing Requirements for L2TP over IPsec

Prerequisites for Configuring L2TP over IPsec

Guidelines and Limitations

Configuring L2TP over IPsec

Guidelines and Limitations

Configuration Examples for L2TP over IPsec

Feature History for L2TP over IPsec


Configuring L2TP over IPsec


This chapter describes how to configure L2TP over IPsec on the ASA. This chapter includes the following topics:

Information About L2TP over IPsec

Licensing Requirements for L2TP over IPsec

Prerequisites for Configuring L2TP over IPsec

Guidelines and Limitations

Configuring L2TP over IPsec

Configuration Examples for L2TP over IPsec

Feature History for L2TP over IPsec

Information About L2TP over IPsec

The primary benefit of configuring L2TP with IPsec/IKEv1 in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that no additional client software, such as Cisco VPN client software, is required.

To configure L2TP over IPsec, first configure IPsec transport mode to enable IPsec with L2TP. Then configure L2TP with a virtual private dial-up network VPDN group.

The configuration of L2TP with IPsec supports certificates using the pre-shared keys or RSA signature methods, and the use of dynamic (as opposed to static) crypto maps. This summary of tasks assumes completion of IKE, as well as pre-shared keys or RSA signature configuration. See "Chapter 73 "Configuring Digital Certificates,"" for the steps to configure pre-shared keys, RSA, and dynamic crypto maps.


Note L2TP with IPsec on the ASA allows the LNS to interoperate with native VPN clients integrated in such operating systems as Windows, MAC OS X, Android, and Cisco IOS. Only L2TP with IPsec is supported, native L2TP itself is not supported on ASA.
The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a 300 second lifetime.


IPsec Transport and Tunnel Modes

By default, the ASA uses IPsec tunnel mode—the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPsec. Tunnel mode also protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

However, the Windows L2TP/IPsec client uses IPsec transport mode—only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination of the packet. Figure 62-1 illustrates the differences between IPsec Tunnel and Transport modes.

In order for Windows L2TP/IPsec clients to connect to the ASA, you must configure IPsec transport mode for a transform set using the crypto ipsec transform-set trans_name mode transport command. This command is the configuration procedure that follows, .

With this transport capability, you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits the examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport mode allows an attacker to perform some traffic analysis.

Figure 62-1 IPsec in Tunnel and Transport Modes

Licensing Requirements for L2TP over IPsec

The following table shows the licensing requirements for this feature:

Model
License Requirement

ASA 5505

Base License: 10 sessions (25 combined IPSec and SSL VPN1 ).

Security Plus License: 25 sessions (25 combined IPSec and SSL VPN1).

ASA 5510

Base and Security Plus License: 250 sessions (250 combined IPSec and SSL VPN1).

ASA 5520

Base and Security Plus License: 750 sessions (750 combined IPSec and SSL VPN1).

ASA 5540

Base and Security Plus License: 5000 sessions (5000 combined IPSec and SSL VPN1).

ASA 5550 and 5580

Base and Security Plus License: 5000 sessions (5000 combined IPSec and SSL VPN1).

1 Although the maximum IPSec and SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the ASA, so be sure to size your network appropriately.


Prerequisites for Configuring L2TP over IPsec

Configuring L2TP over IPsec has the following prerequisites:

You can configure the default group policy (DfltGrpPolicy) or a user-defined group policy for L2TP/IPsec connections. In either case, the group policy must be configured to use the L2TP/IPsec tunneling protocol. If the L2TP/IPsec tunning protocol is not configured for your user-defined group policy, configure the DfltGrpPolicy for the L2TP/IPsec tunning protocol and allow your user-defined group policy to inherit this attribute.

You need to configure the default connection proflie (tunnel group), DefaultRAGroup, if you are performing "pre-shared key" authentication. If you are performing certificate-based authentication, you can use a user-defined connection profile that can be chosen based on certificate identifiers.

IP connectivity needs to be established between the peers. To test connectivity, try to ping the IP address of the ASA from your endpoint and try to ping the IP address of your endpoint from the ASA.

Make sure that UDP port 1701 is not blocked anywhere along the path of the connection.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single context mode. Multiple context mode is not supported.

Firewall Mode Guidelines

Supported only in routed firewall mode. Transparent mode is not supported.

Failover Guidelines

L2TP over IPsec sessions are not supported by stateful failover.

Configuring L2TP over IPsec

This section provides the required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP over IPsec protocol.

IKE phase 1—3DES encryption with SHA1 hash method.

IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.

PPP Authentication—PAP, MS-CHAPv1, or MSCHAPv2 (preferred).

Pre-shared key (only for iPhone).

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single context mode. Multiple context mode is not supported.

Firewall Mode Guidelines

Supported only in routed firewall mode. Transparent mode is not supported.

Failover Guidelines

L2TP over IPsec sessions are not supported by stateful failover.

Authentication Guidelines

The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.

Supported PPP Authentication Types

L2TP over IPsec connections on the ASA support only the PPP authentication types shown in Table 62-2.

L2TP/IPsec Tunnel with Windows 2000

The ASA does not establish an L2TP/IPsec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. To work around this problem, disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click Start>Programs>Administrative Tools>Services). Then restart the IPSec Policy Agent Service from the Services panel and reboot the PC.

Table 62-1 AAA Server Support and PPP Authentication Types

AAA Server Type
Supported PPP Authentication Types

LOCAL

PAP, MSCHAPv1, MSCHAPv2

RADIUS

PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy

TACACS+

PAP, CHAP, MSCHAPv1

LDAP

PAP

NT

PAP

Kerberos

PAP

SDI

SDI


Table 62-2 PPP Authentication Type Characteristics

Keyword
Authentication Type
Characteristics
chap

CHAP

In response to the server challenge, the client returns the encrypted [challenge plus password] with a cleartext username. This protocol is more secure than the PAP, but it does not encrypt data.

eap-proxy

EAP

Enables EAP which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server.

ms-chap-v1 
ms-chap-v2

Microsoft CHAP, Version 1

Microsoft CHAP, Version, 2

Similar to CHAP but more secure in that the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE.

pap

PAP

Passes cleartext username and password during authentication and is not secure.


Detailed Steps

Configuration Examples for L2TP over IPsec


Feature History for L2TP over IPsec

Table 62-3 lists the release history for this feature.

Table 62-3 Feature History for L2TP over IPsec

Feature Name
Releases
Feature Information

L2TP over IPsec

7.2(1)

L2TP/IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform.

The primary benefit of configuring L2TP with IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, enabling remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required.

The following commands were introduced or modified: authentication eap-proxy, authentication ms-chap-v1, authentication ms-chap-v2, authentication pap, l2tp tunnel hello, vpn-tunnel-protocol l2tp-ipsec.