{"id":805,"date":"2009-10-12T18:59:42","date_gmt":"2009-10-13T00:59:42","guid":{"rendered":"http:\/\/gregsowell.com\/?p=805"},"modified":"2010-12-02T16:16:08","modified_gmt":"2010-12-02T22:16:08","slug":"video-tutorial-cisco-asa-%e2%80%93-add-l2tp-vpn-to-your-asa-and-configure-your-windows-clients-to-connect","status":"publish","type":"post","link":"https:\/\/gregsowell.com\/?p=805","title":{"rendered":"Video Tutorial Cisco ASA \u2013 Add L2TP over IPSec VPN to Your ASA and Configure Your Windows Clients to Connect"},"content":{"rendered":"<p>Alrighty! Now that 64 bit windows is getting more prevalent, it is getting harder to get the Cisco IPSec client installed. This is because the IPSec client is 32 bit and also needs to install a 32 bit driver, which won\u2019t work on a 64 bit system. Windows 7 does have an XP compaitibility mode that works around this, but for you XP and Vista folks running 64 bit, this won\u2019t do you any good. So a viable option is to use the anyconnect client with SSL VPN, though a 50 pack of VPN clients will cost you around $3K\u2026no thanks! What you can do is use L2TP on your ASA.<\/p>\n<p>L2TP is built off of PPP and by itself provides no encryption. What the ASA does is to encrypt the transit with IPSec, thus protecting the payload. Windows has conveniently included an L2TP client right in the OS, so there is nothing to install, just a few things to configure. The configuration of the ASA and the client is covered in the video. There are a couple of gotchas in the configuration, namely the group policy needing IPSec checked as well as dropping PFS in the crypto map. Be sure to look out for both.<\/p>\n<p>Click the link below for the video!<br \/>\n<!--more--><\/p>\n<p>The below video has me configuring this from a blank box, so you will see me get an IP on the ASA and then enabling ASDM.<\/p>\n<p><center><OBJECT CLASSID=\"clsid:D27CDB6E-AE6D-11cf-96B8-444553540000\" WIDTH=\"907\" HEIGHT=\"777\" CODEBASE=\"http:\/\/active.macromedia.com\/flash5\/cabs\/swflash.cab#version=7,0,0,0\"><br \/>\n<PARAM NAME=movie VALUE=\"\/wink\/asaL2TP\/asaL2TP.swf\"><br \/>\n<PARAM NAME=play VALUE=true><br \/>\n<PARAM NAME=loop VALUE=false><br \/>\n<PARAM NAME=quality VALUE=low><br \/>\n<EMBED SRC=\"\/wink\/asaL2TP\/asaL2TP.swf\" WIDTH=907 HEIGHT=777 quality=low loop=false TYPE=\"application\/x-shockwave-flash\" PLUGINSPAGE=\"http:\/\/www.macromedia.com\/shockwave\/download\/index.cgi?P1_Prod_Version=ShockwaveFlash\"><br \/>\n<\/EMBED><br \/>\n<\/OBJECT><\/center><br \/>\n<SCRIPT src='\/wink\/asaL2TP\/asaL2TP.js'><\/script><\/p>\n<p>Another quick note:<br \/>\nIf you have multiple dynamic crypto maps, then you need to make your L2TP crypto map has a higher priority than the others. You will often see &#8220;All IPSec SA proposals found unacceptable&#8221; because of this problem.<\/p>\n<figure id=\"attachment_809\" aria-describedby=\"caption-attachment-809\" style=\"width: 688px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/priority.JPG\" alt=\"L2TP Dynamic Priority\" title=\"priority\" width=\"688\" height=\"118\" class=\"size-full wp-image-809\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/priority.JPG 688w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/priority-300x51.jpg 300w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><figcaption id=\"caption-attachment-809\" class=\"wp-caption-text\">L2TP Dynamic Priority<\/figcaption><\/figure>\n<p>If you run the Cisco VPN Client and L2TP, then you need to add the triple-des-md5 transform set to the low priority L2TP crypto map. Other wise it won&#8217;t work!<\/p>\n<figure id=\"attachment_810\" aria-describedby=\"caption-attachment-810\" style=\"width: 681px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/vpnclinetAl2tp.JPG\" alt=\"Add esp-3des-md5 for your Cisco VPN Client\" title=\"vpnclinetAl2tp\" width=\"681\" height=\"281\" class=\"size-full wp-image-810\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/vpnclinetAl2tp.JPG 681w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/vpnclinetAl2tp-300x123.jpg 300w\" sizes=\"auto, (max-width: 681px) 100vw, 681px\" \/><figcaption id=\"caption-attachment-810\" class=\"wp-caption-text\">Add esp-3des-md5 for your Cisco VPN Client<\/figcaption><\/figure>\n<p><strong>*EDIT*<\/strong>  If you want windows Vista or 7 clients you also need to add a transformset that is AES-128\/SHA.  Make it the second entry in the list&#8230;between your TRANS-esp-3des entry and your standard 3des-esp.<\/p>\n<p>User Authentication:<br \/>\nIf you are doing local authentication, be sure to check use MSCHAP.<br \/>\n<figure id=\"attachment_811\" aria-describedby=\"caption-attachment-811\" style=\"width: 460px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/useraccount.JPG\" alt=\"Check use MSCHAP\" title=\"useraccount\" width=\"460\" height=\"158\" class=\"size-full wp-image-811\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/useraccount.JPG 460w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/useraccount-300x103.jpg 300w\" sizes=\"auto, (max-width: 460px) 100vw, 460px\" \/><figcaption id=\"caption-attachment-811\" class=\"wp-caption-text\">Check use MSCHAP<\/figcaption><\/figure><\/p>\n<p>If you are doing TACACS+ authentication, not that it only supports MSCHAP version 1. You will have to set your clients to use V1. I suggest using RADIUS so you can use MSCHAP V2.<br \/>\n<img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/tacacs.JPG\" alt=\"tacacs\" title=\"tacacs\" width=\"579\" height=\"396\" class=\"alignnone size-full wp-image-812\" srcset=\"https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/tacacs.JPG 579w, https:\/\/gregsowell.com\/wp-content\/uploads\/2009\/10\/tacacs-300x205.jpg 300w\" sizes=\"auto, (max-width: 579px) 100vw, 579px\" \/><\/p>\n<p>I hope you found this useful! Please leave me any questions or comments below!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Alrighty! Now that 64 bit windows is getting more prevalent, it is getting harder to get the Cisco IPSec client installed. This is because\u2026<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16,8],"tags":[],"class_list":["post-805","post","type-post","status-publish","format-standard","hentry","category-cisco","category-networking"],"_links":{"self":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/805","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=805"}],"version-history":[{"count":8,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/805\/revisions"}],"predecessor-version":[{"id":814,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/805\/revisions\/814"}],"wp:attachment":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=805"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=805"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=805"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}