Cisco ASA L2TP over IPsec configuration explanation

1. Create a VPN address pool:
     ciscoasa(config)# ip local pool vpnpool 192.168.151.11-192.168.151.15 mask 255.255.255.0

2. Configure the IPsec encryption and integrity algorithms as 3DES and SHA:
     ciscoasa(config)# crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

3. Set the IPsec mode to transport. The default is tunnel mode, and L2TP over IPsec only supports transport mode:
     ciscoasa(config)# crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

4. Use the transform set to define a dynamic crypto map (the client addresses are not known in advance):
     ciscoasa(config)# crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA

5. Define the crypto map that references the dynamic map and apply it to the Internet-facing interface (outside):
     ciscoasa(config)# crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
     ciscoasa(config)# crypto map outside_map interface outside

6. Enable ISAKMP on the Internet-facing interface:
     ciscoasa(config)# crypto isakmp enable outside

7. Configure the ISAKMP (IKE phase 1) policy:
     ciscoasa(config)# crypto isakmp policy 10
     ciscoasa(config-isakmp-policy)# authentication pre-share
     ciscoasa(config-isakmp-policy)# encryption 3des
     ciscoasa(config-isakmp-policy)# hash sha
     ciscoasa(config-isakmp-policy)# group 2
     ciscoasa(config-isakmp-policy)# lifetime 86400
     ciscoasa(config-isakmp-policy)# exit

8. Enable NAT traversal (the argument is the NAT keepalive interval in seconds):
     ciscoasa(config)# crypto isakmp nat-traversal 10

9. Configure the default internal group policy:
     ciscoasa(config)# group-policy DefaultRAGroup internal

10. Configure the attributes of the default group policy:
     ciscoasa(config)# group-policy DefaultRAGroup attributes
     ciscoasa(config-group-policy)# vpn-tunnel-protocol IPSec l2tp-ipsec
     ciscoasa(config-group-policy)# default-domain value cisco.com
     ciscoasa(config-group-policy)# dns-server value 202.96.209.20
    Note: to use L2TP over IPsec as the VPN tunnel protocol you must list IPSec as well as l2tp-ipsec; with l2tp-ipsec alone the VPN will not come up.

11. Create a local user, set the password, and specify that it is stored in MSCHAP format (needed for MS-CHAPv2 authentication against the local database):
     ciscoasa(config)# username frank password frank mschap

12. Create the default tunnel group. You must use DefaultRAGroup; L2TP does not support other tunnel groups. Define the authentication method as local:
     ciscoasa(config)# tunnel-group DefaultRAGroup general-attributes
     ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
     ciscoasa(config-tunnel-general)# default-group-policy DefaultRAGroup
     ciscoasa(config-tunnel-general)# address-pool vpnpool
     ciscoasa(config-tunnel-general)# exit

13. Define the user's group policy:
     ciscoasa(config)# username frank attributes
     ciscoasa(config-username)# vpn-group-policy DefaultRAGroup
     ciscoasa(config-username)# vpn-tunnel-protocol IPSec l2tp-ipsec
     ciscoasa(config-username)# exit

14. Configure the PPP attributes of the default tunnel group and set its authentication mode to MS-CHAPv2:
     ciscoasa(config)# tunnel-group DefaultRAGroup ppp-attributes
     ciscoasa(config-ppp)# authentication ms-chap-v2
     ciscoasa(config-ppp)# exit

15. On the Windows client, modify the registry so that IPsec accepts UDP-encapsulated (NAT-T) traffic:
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
     "AssumeUDPEncapsulationContextOnSendRule"=dword:00000002

16. On the client, create a VPN connection to the workplace and set its VPN attributes.
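The walkthrough's failure modes are all silent (a transform set left in tunnel mode, l2tp-ipsec without IPSec, a missing NAT-T line, a user whose password is not in MSCHAP form), so a config check is worth having before clients start failing. The following script is an added example, not part of the original article or Cisco's tooling: it parses an ASA running-config excerpt into blocks and flags the requirements from steps 3, 8, 10, 11, 12 and 14. The sample configuration is constructed from the page's own commands, and the assumption that `ikev1` is the newer spelling of `IPSec` in `vpn-tunnel-protocol` (ASA 8.4 and later) is mine.

```python
import re

# Constructed sample: a running-config excerpt in the shape the steps above
# produce. Pool, user and object names are the page's own; the text is not
# taken from any real device.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.151.11-192.168.151.15 mask 255.255.255.0
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 10
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value cisco.com
username frank password frank mschap
username frank attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy DefaultRAGroup
 address-pool vpnpool
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

# Constructed negative case: the same config with four of the walkthrough's
# requirements removed (transport mode, NAT-T, IPSec in the tunnel protocol
# list, and the mschap keyword on the user).
BROKEN_CONFIG = (SAMPLE_CONFIG
    .replace(" vpn-tunnel-protocol IPSec l2tp-ipsec\n", " vpn-tunnel-protocol l2tp-ipsec\n")
    .replace("crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport\n", "")
    .replace("crypto isakmp nat-traversal 10\n", "")
    .replace("username frank password frank mschap\n", "username frank password frank\n"))


def parse_blocks(config):
    """Group an ASA config into {top-level line: [indented sub-lines]}.
    ASA indents the attributes of a group-policy, tunnel-group or username
    block by one space under the line that opens the block."""
    blocks, parent = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks


def check_l2tp_ipsec(config):
    """Return a list of findings; an empty list means every requirement from
    the walkthrough is present."""
    blocks = parse_blocks(config)
    top = list(blocks)
    findings = []

    # Step 3: every transform set a dynamic map uses must be in transport mode.
    used, transport = set(), set()
    for line in top:
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", line)
        if m:
            used.update(m.group(1).split())
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport$", line)
        if m:
            transport.add(m.group(1))
    for ts in sorted(used - transport):
        findings.append(f"transform-set {ts} is not in transport mode; L2TP over IPsec requires it")

    # Step 8: NAT traversal must be on for clients behind NAT.
    if not any(l.startswith("crypto isakmp nat-traversal") for l in top):
        findings.append("NAT traversal is not enabled (crypto isakmp nat-traversal)")

    # Step 10: the group policy must allow IPSec (ikev1 on 8.4+, an assumption
    # of this example) together with l2tp-ipsec.
    protos = set()
    for attr in blocks.get("group-policy DefaultRAGroup attributes", []):
        if attr.startswith("vpn-tunnel-protocol"):
            protos.update(tok.lower() for tok in attr.split()[1:])
    if "l2tp-ipsec" not in protos:
        findings.append("group-policy DefaultRAGroup does not allow l2tp-ipsec")
    elif not protos & {"ipsec", "ikev1"}:
        findings.append("vpn-tunnel-protocol lists l2tp-ipsec without IPSec; the tunnel will not come up")

    # Step 12: L2TP clients always land in DefaultRAGroup, so it must exist
    # and its address pool must be defined.
    general = blocks.get("tunnel-group DefaultRAGroup general-attributes")
    if general is None:
        findings.append("tunnel-group DefaultRAGroup general-attributes is missing")
        general = []
    pools = {m.group(1) for l in top for m in [re.match(r"ip local pool (\S+) ", l)] if m}
    for attr in general:
        if attr.startswith("address-pool"):
            for pool in attr.split()[1:]:
                if pool not in pools:
                    findings.append(f"address-pool {pool} is not defined with 'ip local pool'")

    # Step 14: PPP authentication must be MS-CHAPv2.
    if "authentication ms-chap-v2" not in blocks.get("tunnel-group DefaultRAGroup ppp-attributes", []):
        findings.append("tunnel-group DefaultRAGroup ppp-attributes lacks 'authentication ms-chap-v2'")

    # Step 11: with LOCAL authentication and MS-CHAPv2, each local user's
    # password must be stored in MSCHAP (NT-hash) form.
    if "authentication-server-group LOCAL" in general:
        for line in top:
            m = re.match(r"username (\S+) password \S+(.*)$", line)
            if m and not ({"mschap", "nt-encrypted"} & set(m.group(2).split())):
                findings.append(f"user {m.group(1)}: password not stored in MSCHAP form (add 'mschap')")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, check_l2tp_ipsec(cfg) or "OK")
```

Feed it `show running-config` output saved to a file (`check_l2tp_ipsec(open(path).read())`). The checker only covers the pitfalls the walkthrough names; it does not judge algorithm strength, and note that 3DES, SHA-1 and DH group 2 from steps 2 and 7 are legacy choices that current ASA releases let you replace with AES and stronger groups.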