Video Tutorial Cisco ASA – Add L2TP over IPSec VPN to Your ASA and Configure Your Windows Clients to Connect
Alrighty! Now that 64-bit Windows is getting more prevalent, it is getting harder to get the Cisco IPSec client installed. This is because the IPSec client is 32-bit and also needs to install a 32-bit driver, which won’t work on a 64-bit system. Windows 7 does have an XP compatibility mode that works around this, but for you XP and Vista folks running 64-bit, this won’t do you any good. A viable option is to use the AnyConnect client with SSL VPN, though a 50-pack of VPN clients will cost you around $3K…no thanks! What you can do instead is use L2TP on your ASA.
L2TP is built on top of PPP and by itself provides no encryption. What the ASA does is encrypt the transit with IPSec, thus protecting the payload. Windows conveniently includes an L2TP client right in the OS, so there is nothing to install, just a few things to configure. The configuration of the ASA and the client is covered in the video. There are a couple of gotchas in the configuration, namely the group policy needing IPSec checked and PFS needing to be dropped from the crypto map. Be sure to look out for both.
Click the link below for the video!
In the video below I configure this from a blank box, so you will see me get an IP on the ASA and then enable ASDM.
Another quick note:
If you have multiple dynamic crypto maps, then you need to make sure your L2TP crypto map has a higher priority than the others. You will often see “All IPSec SA proposals found unacceptable” because of this problem.
If you run both the Cisco VPN Client and L2TP, then you need to add the triple-des-md5 transform set to the low-priority L2TP crypto map. Otherwise it won’t work!
*EDIT* If you want Windows Vista or 7 clients to connect, you also need to add a transform set that is AES-128/SHA. Make it the second entry in the list…between your TRANS-esp-3des entry and your standard 3des-esp.
User Authentication:
If you are doing local authentication, be sure to check the “use MSCHAP” box for the user.
If you are doing TACACS+ authentication, note that it only supports MSCHAP version 1. You will have to set your clients to use v1. I suggest using RADIUS so you can use MSCHAP v2.
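To pull the points above together, here is an added example in ASA 8.2-style CLI (it is not the configuration built in the video and not a Cisco reference config). It shows the three transport-mode transform sets in the order the post recommends, a dynamic crypto map with no PFS and a sequence number low enough to be evaluated before other dynamic entries, L2TP/IPsec enabled in the group policy, and MS-CHAPv2 for PPP authentication. The interface name, map names, pool range, user name and pre-shared key are placeholders.

```cisco
! Added example, ASA 8.2-style syntax. Names, addresses, user and key are placeholders.
!
! --- Phase 1 (ISAKMP) ---
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! --- Phase 2 transform sets; the Windows L2TP client negotiates transport mode ---
crypto ipsec transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS-ESP-3DES-SHA mode transport
crypto ipsec transform-set TRANS-ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS-ESP-AES-128-SHA mode transport
crypto ipsec transform-set TRANS-ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS-ESP-3DES-MD5 mode transport
!
! Dynamic map for the L2TP clients. Sequence 10 is evaluated before any higher-numbered
! dynamic entry (the ASA walks crypto map entries in ascending sequence order), the
! transform sets are listed in the order the post recommends (3DES/SHA for XP, AES-128/SHA
! for Vista/7, 3DES/MD5 for the Cisco VPN Client), and there is deliberately no "set pfs".
crypto dynamic-map L2TP-DYN-MAP 10 set transform-set TRANS-ESP-3DES-SHA TRANS-ESP-AES-128-SHA TRANS-ESP-3DES-MD5
! If PFS was previously configured on the entry (the ASDM wizard can add it), remove it:
no crypto dynamic-map L2TP-DYN-MAP 10 set pfs
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic L2TP-DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! --- Address pool and group policy; "IPSec checked" in ASDM is vpn-tunnel-protocol here ---
ip local pool L2TP-POOL 192.168.250.10-192.168.250.50 mask 255.255.255.0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
!
! --- Tunnel group: pre-shared key plus PPP authentication with MS-CHAPv2 only ---
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-YOUR-PSK
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
! A local user must be stored with the mschap keyword, or MS-CHAP authentication fails
! (this is the "use MSCHAP" checkbox in ASDM)
username vpnuser1 password REPLACE-WITH-PASSWORD mschap
```

On 8.3/8.4 the same layout applies but the keywords shift: `crypto ikev1 policy`, `crypto ikev1 enable outside`, `crypto ipsec ikev1 transform-set`, and `ikev1 pre-shared-key` under the tunnel group's ipsec-attributes. A quick check that the right transform set was chosen is `show crypto ipsec sa`, which lists the negotiated transform for each peer; a client that repeatedly fails Phase 2 with “All IPSec SA proposals found unacceptable” is almost always missing its transform set or hitting a different dynamic map first.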
I hope you found this useful! Please leave me any questions or comments below!
Is it possible to setup the config to perform group authentication with L2TP over IPSEC?
Scott,
This is L2TP over IPSec 🙂 This is 3DES-ESP-SHA1.
Great tutorial. I’ve been using this same setup (3des/md5) for a while now and it works great for XP, but I can’t seem to get it to work with Vista or Windows 7. I was hoping your video would show the client config for the newer OSs. Maybe they default to AES or SHA or something like that?
Let me see if I can’t get them…:)
Very good article.
In fact I was about to write a tutorial on L2TP over IPSEC for ASA and googled the topic to find your blog.
Well, now I am in a dilemma… Should I or shouldn’t I (using CLI in my case) 🙂
Anyway once again, very good tutorial.
Wow, a real CCIE commenting on my blog…I’m sure that will be the first and the last…hehehe 😉 Thanks for popping by. If you do, drop me a line and we can have symmetric links.
Hi,
What if I do not want to use any encryption?
What I mean is, if I do not request IPSEC on connection, will it still open the VPN?
I have an ASA5540; the configuration shows 750 VPN peers. Without IPSEC, how many can I open? The spec says 5000?
Thanks, great page you have here.
Louis
Luis,
Thanks for the question. I’ve never run more than a small handful of users at once via L2TP…sorry!
Hi Greg, thanks for the video, it works perfectly with Windows XP.
I’ve got another machine with Vista 32-bit and am struggling to connect; have you got an idea why not?
Thanks,
Hi,
Great tutorial. My dilemma at the moment is working out how to connect multiple L2TP clients AND associate the clients to different local IP Address Pools configured locally on the firewall (ASA5510). The Group Policy (tunnel group) is configured for Pre-Shared secret (just like the tutorial) and the users are created locally in the LOCAL AAA server. I know that you can associate each user to a particular tunnel group (TG) policy, at which point you can create multiple TGs that associate to different IP Pools. The problem now is that you cannot associate (lock) a single DefaultRAGroup Group Policy to multiple TGs. I have tried this method by creating multiple TGs and associating each one to a different IP Pool. Once this is done, I’ve disassociated the IP Pool from the DefaultRAGroup TG (otherwise known as Connection Profiles in later OS) so the IP Pool for this TG is nothing (empty). Did the L2TP test and the firewall returned with error message “IPAA: Error freeing IP address 0.0.0.0”. Also noted that both Phase1 and Phase2 are completed, which tells me that ISAKMP and IPSec are successful, but the firewall simply does not know how to dish out an IP address to the client. Thanks for your reply.
Luis,
I would say check your software firewall and virus protection. I’ve connected up with Vista before with no issues.
Vincent,
I’ve not attempted this configuration, so I don’t have a direct answer for you. I most likely won’t be able to free up time to test, either.
Just out of curiosity, what version of code are you running?
Hi Greg
I’m running version 8.2(1) with ASDM version 6.2(1). I’ve cleared all the RA VPN config on the firewall and started again fresh. Now all I have is DefaultRAGroup (tunnel policy) and group policy DfltGrpPolicy. Configured them appropriately and retested. The error message ‘IPAA: Error freeing address 0.0.0.0, not found’ keeps on appearing and the only way to get rid of this error is to apply a DHCP Pool to the tunnel policy. The command is below:
tunnel-group DefaultRAGroup general-attributes
 address-pool IP-Pool1 IP-Pool2
The client will connect but the firewall will dish out IP address from the first pool only. I guess that it will continue to do this until the pool is full then move onto the next one.
Hi Greg
I got it working !!!!! Not exactly the way that I’d like it to be, but it works. Here’s something that I’d like to share.
1. Forget about using DHCP, since as I mentioned before the DefaultRAGroup tunnel would require at least one IP Pool specified for DHCP to dish out addresses.
2. Edit the tunnel policy and tunnel group as usual to accept L2TP clients.
3. When creating LOCAL user accounts, make sure that the Dedicated IP Address field is filled in with the /32 IP address of the client. The subnet mask I’ve specified is the subnet mask that covers the IP VPN Pool for that particular user. EG user1: 10.10.10.1 255.255.255.248 and user2: 10.10.10.9 255.255.255.248.
4. Enable the command ‘vpn-addr-assign aaa’ global config command.
That should be it.
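Vincent’s per-user address workaround, written out as an added example in ASA 8.2-style CLI (this is not his own configuration; the user names and passwords are placeholders, and the addresses and masks follow the /29-covered values he describes):

```cisco
! Added example of the per-user address assignment described in the comment above.
! User names, passwords and the fallback pool range are placeholders.
!
! Step 4: let an address returned by AAA (the LOCAL database here) override pool assignment.
vpn-addr-assign aaa
!
! Step 3: each local user carries a dedicated address; the mask is the one covering that
! user's VPN subnet, as in the comment (10.10.10.0/29 for user1, 10.10.10.8/29 for user2).
username user1 password REPLACE-ME mschap
username user1 attributes
 vpn-framed-ip-address 10.10.10.1 255.255.255.248
username user2 password REPLACE-ME mschap
username user2 attributes
 vpn-framed-ip-address 10.10.10.9 255.255.255.248
!
! Step 2: the tunnel group still accepts L2TP/IPsec clients as in the tutorial. Vincent's
! earlier comment notes that attaching a pool clears the "IPAA: Error freeing address 0.0.0.0"
! message, so a pool is left on the tunnel group as a fallback; users with a dedicated
! address above get that address, anyone else falls back to the pool.
ip local pool L2TP-POOL 192.168.250.10-192.168.250.50 mask 255.255.255.0
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy DefaultRAGroup
```

After a client connects, `show vpn-sessiondb remote` (8.2) lists the assigned address per user, which is the quickest way to confirm that the AAA-supplied address, rather than a pool address, was handed out.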
Thanks for adding your fix Vincent!
Greg, I’m running ASA version 8.0(4) and am still unable to connect an XP client using pptp. In the connection wizard, I’m unable to remove the dh group 2 from the configuration. Is that a problem? I have removed pfs from the crypto map and enabled ipsec on the DefaultRAGroup. I get phase 2 completed on the debug log on ASA but also get “Removing peer from correlator table failed. No match” Can you help?
Greg,
Try disabling the XP firewall and any virus protection first. See if it is a windows issue before you pull your hair out on the ASA.
Am very grateful for this video. You really saved me lots of stress.
NP kiddo.
The video is excellent and got me most of the way. However, I am experiencing issues with Windows 7 x64 connecting. If I set a public address on the client end (i.e. no client-side NAT/PAT) it works great. But if I use a private address (leased from home DSL) the connection fails. This appears to be a client-side issue with NAT-T, but I am stumped. Any insights would be deeply appreciated.
This is what you are looking for http://support.microsoft.com/kb/926179/
Great post Greg…
It helped me a lot.
kind regards /// Neirival
Glad to be of help sir 🙂
This tutorial worked great for XP clients, but I never got windows 7 clients to connect. After much head scratching, I came upon this article from microsoft.
http://support.microsoft.com/kb/942429
The key paragraph is:
Windows XP and Windows Server 2003 use a randomly generated message ID during phase 2 quick mode negotiation. Therefore, the problem does not occur on these operating systems.
Windows Vista uses a monotonically increasing sequence number for phase 2 quick mode negotiation. This behavior more strictly verifies incoming message IDs from different Windows Vista-based computers. This behavior also helps prevent untrusted phase 2 replay attacks. Random message IDs cannot be used to effectively implement such attacks.
Did anyone find a way around this limitation?
@Chris
You might need to add an ESP-AES-128-SHA transform set to your dynamic policy. I believe they’ve changed it after XP.
Thank you very much!!! I think this is the 1st time I’ve ever posted on an article before. But I was looking all over for this. Once I adjusted (added) the transform-set to AES – Sha on my ASA I was able to connect using Windows 7 machines. Thank you!!
@Ben
Much appreciated for the feedback sir. 🙂
I’ve tried adding AES-128/SHA per the original article update and per Greg’s response to my post. Still no luck. I’ve tried asa software version 8.2 and 8.4. Cisco TAC has been working on it for about four hours. They say it should work, but they’re having difficulty also. Curious that it works for some but not others. I’ll post their solution if they ever figure it out.
@ben. If you have additional details I’d appreciate it.
@Chris
Also try ordering your aes-128 up to the top.
Great post. Solved my problem about “All IPSec SA proposals found unacceptable…”
Below is my config for the transform set on the ASA:
crypto ipsec transform-set L2TP-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-ESP-3DES-SHA mode transport
crypto dynamic-map outside_dyn_map 30 set transform-set L2TP-ESP-3DES-SHA
Do you know if Cisco still supports L2TP? We’d like our network suppliers to implement this solution but they thought Cisco had sunsetted support for it. Thanks!
@Toni
To the best of my knowledge it IS still supported.