Configuring ASA for L2TP-IPSec VPN Connection
Written by Boris Tulman // February 15, 2011 // Cisco

Many of us use our Cisco ASAs as VPNs, which is part of what they do, and they are very good at what they do. For the most part, we use the ASDM wizard, set up our VPN, and bing-bang-boom connect with the Cisco VPN client. Easy peasy, no need to touch that CLI.
Some businesses, however, don’t want to use the Cisco VPN client. They want native access to their VPN from Windows/Mac clients, and the best way to do that is with an L2TP/IPSec VPN connection! This, unfortunately, has its quirks (Offender #1 being that the ASDM VPN wizard doesn’t set one up perfectly through the GUI) so let’s get down to the nitty gritty!
(Note: This tutorial focuses on setting up a pre-shared key VPN connection. Certificate authentication requires a ton more work and is outside the scope of this tutorial. Some OSes, like Android, do not like PSK L2TP VPN connections, and you will have to use certificate-based authentication if you want Android to be able to VPN in.)
Phase 1: I like IKE!
For the first part of this, we’re going to be setting up the Phase 1 IKE authentication. Here’s the code (to be run from the config prompt, obviously):
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp nat-traversal 20
Phase 2: IPSec connection
This sets up the phase 2 handshake:
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key mypresharedkey
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
You’ll notice these lines are very similar to those of a regular Cisco ASA IPSec VPN; the big difference here is that, for an L2TP connection, the transform set has to be put in transport mode instead of the default tunnel mode (the second line). (The transform set’s name says MD5, but its integrity algorithm is esp-sha-hmac; the name is only a label, so feel free to rename it.) Other than that, it’s pretty standard as far as IPSec crypto maps go. Note that the map you bind to the interface is the static crypto map (outside_map), which in turn references the dynamic map. You have to use DefaultRAGroup because L2TP clients don’t allow you to specify a group policy; they default to “DefaultRAGroup”, so that’s what you have to work with when setting up an L2TP VPN.
Authenticating Users
(This assumes we’re authenticating users against the local database)
username my_user password my_pass
username my_user attributes
 vpn-group-policy DfltGrpPolicy
 vpn-tunnel-protocol ipsec l2tp-ipsec
Note here that many setups have issues with using anything other than the DfltGrpPolicy, so use that if your clients have trouble connecting. Otherwise, you can specify your own group policy and put it in place of that one.
And there you go! You now have a working (albeit very basic) ASA L2TP VPN setup!