Configuring L2TP over IPsec

Similar documents
L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

L2TP IPsec Support for NAT and PAT Windows Clients

Cisco Passguide Exam Questions & Answers

ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example

Remote Access IPsec VPNs

L2TP Configuration. L2TP Overview. Introduction. Typical L2TP Networking Application

Connection Profiles, Group Policies, and Users

Sample excerpt. Virtual Private Networks. Contents

Configuring Client-Initiated Dial-In VPDN Tunneling

Configuring Easy VPN Services on the ASA 5505

RADIUS Tunnel Attribute Extensions

Remote Access IPsec VPNs

Cisco Exam Questions & Answers

Firepower Threat Defense Remote Access VPNs

Microsoft Privacy Protected Network Access: Virtual Private Networking and Intranet Security

CS 393 Network Security. Nasir Memon Polytechnic University Module 13 Virtual Private Networks

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

Configuring LAN-to-LAN IPsec VPNs

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router

Firepower Threat Defense Site-to-site VPNs

Configure an External AAA Server for VPN

Cisco Exam Implementing Cisco Network Security Version: 12.0 [ Total Questions: 186 ]

VPN and IPsec. Network Administration Using Linux. Virtual Private Network and IPSec 04/2009

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

LAN-to-LAN IPsec VPNs

HC-711 Q&As. HCNA-CBSN (Constructing Basic Security Network) - CHS. Pass Huawei HC-711 Exam with 100% Guarantee

Virtual Tunnel Interface

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

Configuring Additional VPDN Features

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Clientless SSL VPN Overview

ppp accounting through quit

A device that bridges the wireless link on one side to the wired network on the other.

Index. Numerics 3DES (triple data encryption standard), 21

Identity Firewall. About the Identity Firewall

Managing Site-to-Site VPNs: The Basics

Virtual Private Networks.

IKE and Load Balancing

IP Tunneling. GRE Tunnel IP Source and Destination VRF Membership. Tunnel VRF CHAPTER

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

Virtual Private Network

IPSec. Overview. Overview. Levente Buttyán

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Configuration Summary

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Virtual Private Networks (VPNs)

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Network Security CSN11111

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Fundamentals of Network Security v1.1 Scope and Sequence

Cisco Asa 8.4 Ipsec Vpn Client Configuration. Example >>>CLICK HERE<<<

Virtual Private Networks (VPN)

Configuring Connection Profiles, Group Policies, and Users

VPN. Agenda VPN VPDN. L84 - VPN and VPDN in IP. Virtual Private Networks Introduction VPDN Details (L2F, PPTP, L2TP)

High Availability Options

IPSec Network Applications

L2TP Network Server. LNS Service Operation

Configure an External AAA Server for VPN

BCRAN. Section 9. Cable and DSL Technologies

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

SYSLOG Enhancements for Cisco IOS EasyVPN Server

Setup L2TP/IPsec VPN Server on SoftEther VPN Server

Identity Firewall. About the Identity Firewall. This chapter describes how to configure the ASA for the Identity Firewall.

Managing Site-to-Site VPNs

iii PPTP... 7 L2TP/IPsec... 7 Pre-shared keys (L2TP/IPsec)... 8 X.509 certificates (L2TP/IPsec)... 8 IPsec Architecture... 11

Cisco How Virtual Private Networks Work

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Setting up L2TP Over IPSec Server for remote access to LAN

VPN Configuration Guide. Cisco ASA 5500 Series

CCNA Security PT Practice SBA

Overview of the IPsec Features

Configuring Security on the GGSN

IPsec NAT Transparency

Data Sheet. NCP Exclusive Remote Access Mac Client. Next Generation Network Access Technology

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

Hillstone IPSec VPN Solution

Question: 1 The NAC Agent uses which port and protocol to send discovery packets to an ISE Policy Service Node?

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

RADIUS Tunnel Preference for Load Balancing

Configuring Layer 2 Tunneling Protocol (L2TP) over IPSec

DPX8000 Series Deep Service Switching Gateway User Configuration Guide BRAS Service Board Module v1.0

Table of Contents 1 IKE 1-1

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Review on protocols of Virtual Private Network

Managing Site-to-Site VPNs: The Basics

ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.6

NCP Secure Enterprise macos Client Release Notes

HP Unified Wired-WLAN Products

Internet Key Exchange

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Implementing Cisco Network Security (IINS) 3.0

QoS: Classification, Policing, and Marking on LAC Configuration Guide, Cisco IOS Release 12.4T

Transcription:

CHAPTER 62 This chapter describes how to configure L2TP over IPsec on the ASA. This chapter includes the following topics: Information About L2TP over IPsec, page 62-1 Licensing Requirements for L2TP over IPsec, page 62-3 Prerequisites for, page 62-3 Guidelines and Limitations, page 62-4, page 62-4 Configuration Examples for L2TP over IPsec, page 62-7 Feature History for L2TP over IPsec, page 62-7 Information About L2TP over IPsec Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol which allows remote clients to use the public IP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. L2TP protocol is based on the client/server model. The function is divided between the L2TP Network Server (LNS), and the L2TP Access Concentrator (LAC). The LNS typically runs on a network gateway such as a router, while the LAC can be a dial-up Network Access Server (NAS) or an endpoint device with a bundled L2TP client such as Microsoft Windows, Apple iphone, or Android. The primary benefit of configuring L2TP with IPsec/IKEv1 in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that no additional client software, such as Cisco VPN client software, is required. To configure L2TP over IPsec, first configure IPsec transport mode to enable IPsec with L2TP. Then configure L2TP with a virtual private dial-up network VPDN group. The configuration of L2TP with IPsec supports certificates using the pre-shared keys or RSA signature methods, and the use of dynamic (as opposed to static) crypto maps. This summary of tasks assumes completion of IKE, as well as pre-shared keys or RSA signature configuration. See Chapter 73, Configuring Digital Certificates, for the steps to configure pre-shared keys, RSA, and dynamic crypto maps. 62-1

Information About L2TP over IPsec Chapter 62 Note L2TP with IPsec on the ASA allows the LNS to interoperate with native VPN clients integrated in such operating systems as Windows, MAC OS X, Android, and Cisco IOS. Only L2TP with IPsec is supported, native L2TP itself is not supported on ASA. The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a 300 second lifetime. IPsec Transport and Tunnel Modes By default, the ASA uses IPsec tunnel mode the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPsec. Tunnel mode also protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints. However, the Windows L2TP/IPsec client uses IPsec transport mode only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination of the packet. Figure 62-1 illustrates the differences between IPsec Tunnel and Transport modes. In order for Windows L2TP/IPsec clients to connect to the ASA, you must configure IPsec transport mode for a transform set using the crypto ipsec transform-set trans_name mode transport command. This command is the configuration procedure that follows,. With this transport capability, you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits the examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport mode allows an attacker to perform some traffic analysis. 62-2

Chapter 62 Licensing Requirements for L2TP over IPsec Figure 62-1 IPsec in Tunnel and Transport Modes IP HDR Data Tunnel mode Encrypted New IP HDR IPSec HDR IP HDR Data IP HDR Data 23246 Transport mode IP HDR IPSec HDR Data Encrypted Licensing Requirements for L2TP over IPsec The following table shows the licensing requirements for this feature: Model License Requirement ASA 5505 Base License: 10 sessions (25 combined IPSec and SSL VPN 1 ). Security Plus License: 25 sessions (25 combined IPSec and SSL VPN 1 ). ASA 5510 Base and Security Plus License: 250 sessions (250 combined IPSec and SSL VPN 1 ). ASA 5520 Base and Security Plus License: 750 sessions (750 combined IPSec and SSL VPN 1 ). ASA 5540 Base and Security Plus License: 5000 sessions (5000 combined IPSec and SSL VPN 1 ). ASA 5550 and 5580 Base and Security Plus License: 5000 sessions (5000 combined IPSec and SSL VPN 1 ). 1. Although the maximum IPSec and SSL VPN sessions add up to more than the maximum VPN sessions, the combined sessions should not exceed the VPN session limit. If you exceed the maximum VPN sessions, you can overload the ASA, so be sure to size your network appropriately. Prerequisites for has the following prerequisites: You can configure the default group policy (DfltGrpPolicy) or a user-defined group policy for L2TP/IPsec connections. In either case, the group policy must be configured to use the L2TP/IPsec tunneling protocol. If the L2TP/IPsec tunning protocol is not configured for your user-defined group policy, configure the DfltGrpPolicy for the L2TP/IPsec tunning protocol and allow your user-defined group policy to inherit this attribute. 62-3

Guidelines and Limitations Chapter 62 You need to configure the default connection proflie (tunnel group), DefaultRAGroup, if you are performing pre-shared key authentication. If you are performing certificate-based authentication, you can use a user-defined connection profile that can be chosen based on certificate identifiers. IP connectivity needs to be established between the peers. To test connectivity, try to ping the IP address of the ASA from your endpoint and try to ping the IP address of your endpoint from the ASA. Make sure that UDP port 1701 is not blocked anywhere along the path of the connection. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single context mode. Multiple context mode is not supported. Firewall Mode Guidelines Supported only in routed firewall mode. Transparent mode is not supported. Failover Guidelines L2TP over IPsec sessions are not supported by stateful failover. This section provides the required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients, integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP over IPsec protocol. IKE phase 1 3DES encryption with SHA1 hash method. IPSec phase 2 3DES or AES encryption with MD5 or SHA hash method. PPP Authentication PAP, MS-CHAPv1, or MSCHAPv2 (preferred). Pre-shared key (only for iphone). Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single context mode. Multiple context mode is not supported. Firewall Mode Guidelines Supported only in routed firewall mode. Transparent mode is not supported. Failover Guidelines L2TP over IPsec sessions are not supported by stateful failover. 62-4

Chapter 62 Guidelines and Limitations Authentication Guidelines The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect. Supported PPP Authentication Types L2TP over IPsec connections on the ASA support only the PPP authentication types shown in Table 62-2. L2TP/IPsec Tunnel with Windows 2000 The ASA does not establish an L2TP/IPsec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. To work around this problem, disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click Start>Programs>Administrative Tools>Services). Then restart the IPSec Policy Agent Service from the Services panel and reboot the PC. Table 62-1 AAA Server Support and PPP Authentication Types AAA Server Type LOCAL RADIUS TACACS+ LDAP NT Kerberos SDI Supported PPP Authentication Types PAP, MSCHAPv1, MSCHAPv2 PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy PAP, CHAP, MSCHAPv1 PAP PAP PAP SDI Table 62-2 PPP Authentication Type Characteristics Keyword Authentication Type Characteristics chap CHAP In response to the server challenge, the client returns the encrypted [challenge plus password] with a cleartext username. This protocol is more secure than the PAP, but it does not encrypt data. eap-proxy EAP Enables EAP which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server. ms-chap-v1 ms-chap-v2 Microsoft CHAP, Version 1 Microsoft CHAP, Version, 2 Similar to CHAP but more secure in that the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE. pap PAP Passes cleartext username and password during authentication and is not secure. 62-5

Guidelines and Limitations Chapter 62 Detailed Steps 62-6

Chapter 62 Configuration Examples for L2TP over IPsec Configuration Examples for L2TP over IPsec Feature History for L2TP over IPsec Table 62-3 lists the release history for this feature. Table 62-3 Feature History for L2TP over IPsec Feature Name Releases Feature Information L2TP over IPsec 7.2(1) L2TP/IPsec provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform. The primary benefit of configuring L2TP with IPsec in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, enabling remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows 2000 with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required. The following commands were introduced or modified: authentication eap-proxy, authentication ms-chap-v1, authentication ms-chap-v2, authentication pap, l2tp tunnel hello, vpn-tunnel-protocol l2tp-ipsec. 62-7

Feature History for L2TP over IPsec Chapter 62 62-8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback