Cisco ASA L2TP over IPSEC configuration details
1. Create a VPN address pool
ciscoasa(config)# ip local pool vpnpool 192.168.151.11-192.168.151.15 mask 255.255.255.0
2. Configure the IPsec transform set with 3DES encryption and SHA authentication.
ciscoasa(config)# crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
3. Set the IPsec mode to transport. The default is tunnel mode, and L2TP only supports transport mode.
ciscoasa(config)# crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
4. Use the transform set to define a dynamic crypto map
ciscoasa(config)# crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
5. Define the crypto map and apply it to the Internet-facing (outside) interface
ciscoasa(config)# crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
ciscoasa(config)# crypto map outside_map interface outside
6. Enable ISAKMP on the outside interface
ciscoasa(config)# crypto isakmp enable outside
7. Define the ISAKMP policy
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# authentication pre-share
ciscoasa(config-isakmp-policy)# encryption 3des
ciscoasa(config-isakmp-policy)# hash sha
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# lifetime 86400
ciscoasa(config-isakmp-policy)# exit
8. Enable NAT traversal
ciscoasa(config)# crypto isakmp nat-traversal 10
9. Configure the default group policy as an internal policy
ciscoasa(config)# group-policy DefaultRAGroup internal
10. Configure the default group policy attributes
ciscoasa(config)# group-policy DefaultRAGroup attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol IPSec l2tp-ipsec
ciscoasa(config-group-policy)# default-domain value cisco.com
ciscoasa(config-group-policy)# dns-server value 202.96.209.20
Note: when configuring L2TP over IPsec as the VPN tunnel protocol, IPSec must be listed as well; with l2tp-ipsec alone the VPN is not usable.
11. Create a local user, set the user's password, and specify the password encoding (mschap)
ciscoasa(config)# username frank password frank mschap
12. Create the default tunnel group. It must be DefaultRAGroup, since L2TP does not support other tunnel groups; set the authentication method to LOCAL.
ciscoasa(config)# tunnel-group DefaultRAGroup general-attributes
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
ciscoasa(config-tunnel-general)# default-group-policy DefaultRAGroup
ciscoasa(config-tunnel-general)# address-pool vpnpool
ciscoasa(config-tunnel-general)# exit
13. Assign the group policy to the user
ciscoasa(config)# username frank attributes
ciscoasa(config-username)# vpn-group-policy DefaultRAGroup
ciscoasa(config-username)# vpn-tunnel-protocol IPSec l2tp-ipsec
ciscoasa(config-username)# exit
14. Configure the PPP attributes of the default tunnel group and set its authentication mode to MS-CHAP-v2
ciscoasa(config)# tunnel-group DefaultRAGroup ppp-attributes
ciscoasa(config-ppp)# authentication ms-chap-v2
ciscoasa(config-ppp)# exit
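As an added check (example code written for this page, not Cisco's or the author's), the following Python audits a running-config excerpt for the requirements the steps above state: transport mode, NAT traversal, the DefaultRAGroup tunnel group, IPSec together with l2tp-ipsec, MS-CHAP-v2 and mschap-format passwords. Both sample configs are constructed.

```python
# Added audit (not Cisco's) for the L2TP over IPsec requirements in this walkthrough
import re

def audit_l2tp_ipsec(config_text: str) -> list[str]:
    """Return findings for the config text; an empty list means all checks pass."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    def has(pattern: str) -> bool:  # does any config line match the pattern exactly?
        return any(re.fullmatch(pattern, ln) for ln in lines)
    findings = []
    # Every transform set used by a dynamic crypto map must be in transport mode
    for ts in re.findall(r"crypto dynamic-map \S+ \d+ set transform-set (\S+)", config_text):
        if not has(rf"crypto ipsec transform-set {re.escape(ts)} mode transport"):
            findings.append(f"transform-set {ts} is not in transport mode")
    # NAT traversal for clients behind NAT; L2TP only uses the DefaultRAGroup tunnel group
    if not has(r"crypto isakmp nat-traversal( \d+)?"):
        findings.append("crypto isakmp nat-traversal is not enabled")
    if not has(r"tunnel-group DefaultRAGroup general-attributes"):
        findings.append("tunnel-group DefaultRAGroup general-attributes is missing")
    # vpn-tunnel-protocol must list IPSec as well as l2tp-ipsec
    for protos in re.findall(r"vpn-tunnel-protocol (.+)", config_text):
        if not {"ipsec", "l2tp-ipsec"} <= set(protos.lower().split()):
            findings.append(f"vpn-tunnel-protocol '{protos}' lacks IPSec and/or l2tp-ipsec")
    # PPP authentication must be MS-CHAP-v2, which needs mschap-format user passwords
    if not has(r"authentication ms-chap-v2"):
        findings.append("ppp-attributes authentication ms-chap-v2 is missing")
    for user, fmt in re.findall(r"username (\S+) password \S+(?: (\S+))?", config_text):
        if fmt != "mschap":
            findings.append(f"username {user}: password not stored in mschap format")
    return findings

# Constructed excerpt following this walkthrough (should produce no findings)
GOOD_CONFIG = """
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
crypto isakmp nat-traversal 10
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username frank password frank mschap
tunnel-group DefaultRAGroup general-attributes
 authentication ms-chap-v2
"""
# Constructed excerpt with the mistakes the walkthrough warns about
WEAK_CONFIG = """
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
 vpn-tunnel-protocol l2tp-ipsec
username frank password frank
tunnel-group DefaultRAGroup general-attributes
 authentication ms-chap-v2
"""
```

Run `audit_l2tp_ipsec(open("running-config.txt").read())` against a saved `show running-config` to list which of the steps above are missing.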
15. Client settings
On Windows 7 the registry must be modified:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
16. On the client, create a VPN connection to the workplace and set the VPN connection properties.
This article is from Frank's blog; please keep this source: http://freehat.blog.51cto.com/1239536/1158416