L2TP VPN on a Cisco ASA
In this post I’ll show how to set up a Cisco ASA to terminate VPN connections using L2TP/IPSec. This configuration can be used to connect the native VPN clients on Windows Server, Win XP, Win 7, Mac OS X, iPhone, iPad, and Android.
First we define the method of user authentication. Here I used NPS (a RADIUS server) on a Windows domain, but you could also use the built-in AAA functionality of the ASA.
dynamic-access-policy-record DfltAccessPolicy
aaa-server your_svr_name protocol radius
aaa-server your_svr_name (inside) host ip_address
 timeout 5
 key *******
Next we define the encryption and hash types needed for all the client operating systems, change each transform set from the default tunnel mode to transport mode (which the L2TP/IPsec clients require), assign the transform sets to the dynamic crypto map, and bind the map to the outside interface.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_MD5 TRANS_ESP_AES_SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
Now we define the IKE (ISAKMP) parameters to be used.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no vpn-addr-assign aaa
no vpn-addr-assign local
Last, we create a group policy and a tunnel group that define the tunnel values and authentication.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value your_dns
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value your_domain
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group your_svr_name
 default-group-policy DefaultRAGroup
 dhcp-server your_svr_name
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
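An added check, not part of the original post, that reads an ASA running-config excerpt and verifies the L2TP/IPsec prerequisites walked through above: every transform set referenced by the dynamic map is defined and in transport mode, a group policy enables l2tp-ipsec, and the ppp-attributes enable ms-chap-v2; it also notes transform sets that use the legacy 3DES/MD5 algorithms. SAMPLE_CONFIG is constructed from the lines in this post, with the AES transform set deliberately left in the default tunnel mode to show a failing case.

```python
"""Lint an ASA config excerpt for the L2TP/IPsec settings this post depends on."""
import re

# Constructed sample: lines from the post, minus 'mode transport' for TRANS_ESP_AES_SHA.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_MD5 TRANS_ESP_AES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

# ESP algorithms that are kept only for old clients; flagged informationally.
LEGACY_ALGOS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def check_l2tp_config(config: str) -> list[str]:
    """Return a list of findings; an empty list means the excerpt passes."""
    findings, transport, algos, used = [], set(), {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport$", line)
        if m:
            transport.add(m.group(1))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            algos[m.group(1)] = m.group(2).split()  # name -> ESP algorithms
            continue
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", line)
        if m:
            used.extend(m.group(1).split())  # transform sets offered to clients
    for ts in used:
        if ts not in algos:
            findings.append(f"{ts}: referenced by dynamic-map but never defined")
            continue
        if ts not in transport:
            findings.append(f"{ts}: still in tunnel mode; L2TP/IPsec needs 'mode transport'")
        weak = LEGACY_ALGOS.intersection(algos[ts])
        if weak:
            findings.append(f"{ts}: uses legacy algorithms {sorted(weak)}")
    if not re.search(r"^\s*vpn-tunnel-protocol .*\bl2tp-ipsec\b", config, re.M):
        findings.append("no group-policy enables l2tp-ipsec")
    if not re.search(r"^\s*authentication ms-chap-v2\s*$", config, re.M):
        findings.append("ppp-attributes do not enable ms-chap-v2")
    return findings
```

Feed it the output of `show running-config` (or the crypto, group-policy and tunnel-group sections) to confirm a box matches the post before testing with a client.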
And that’s the basics of setting up an L2TP VPN with a username/password and a pre-shared key; the rest of the configuration depends on where the ASA sits in your network and what it is used for.
