L2TP over IPsec. About L2TP over IPsec/IKEv1 VPN

Similar documents
Configuring L2TP over IPsec

Remote Access IPsec VPNs

Remote Access IPsec VPNs

Configuring LAN-to-LAN IPsec VPNs

LAN-to-LAN IPsec VPNs

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Firepower Threat Defense Site-to-site VPNs

Configuring a VPN Using Easy VPN and an IPSec Tunnel, page 1

Configuring Remote Access IPSec VPNs

IPsec and ISAKMP. About Tunneling, IPsec, and ISAKMP

Sample excerpt. Virtual Private Networks. Contents

L2TP IPsec Support for NAT and PAT Windows Clients

Table of Contents 1 IKE 1-1

Configuring Easy VPN Services on the ASA 5505

Virtual Tunnel Interface

Connection Profiles, Group Policies, and Users

Configuring a Hub & Spoke VPN in AOS

Cisco Exam Questions & Answers

MWA Deployment Guide. VPN Termination from Smartphone to Cisco ISR G2 Router

Network Security CSN11111

IKE and Load Balancing

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

ASA Remote Access VPN IKE/SSL Password Expiry and Change for RADIUS, TACACS, and LDAP Configuration Example

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Cisco Asa 8.4 Ipsec Vpn Client Configuration. Example >>>CLICK HERE<<<

Clientless SSL VPN Overview

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

Firepower Threat Defense Remote Access VPNs

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL II. VERSION 2.0

Configuration of an IPSec VPN Server on RV130 and RV130W

Configure an External AAA Server for VPN

Internet Key Exchange

ppp accounting through quit

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

Virtual Private Networks

SYSLOG Enhancements for Cisco IOS EasyVPN Server

CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.4

Virtual Private Network. Network User Guide. Issue 05 Date

Configuring Connection Profiles, Group Policies, and Users

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

VPN Overview. VPN Types

CLI Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.7

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

Data Sheet. NCP Exclusive Remote Access Mac Client. Next Generation Network Access Technology

Configuring IPsec and ISAKMP

Configuring WAN Backhaul Redundancy

Cisco Passguide Exam Questions & Answers

Configuring Internet Key Exchange Version 2 and FlexVPN Site-to-Site

Virtual Tunnel Interface

NCP Secure Enterprise macos Client Release Notes

Configuring Internet Key Exchange Version 2

Data Sheet. NCP Secure Entry Mac Client. Next Generation Network Access Technology

L2TP Network Server. LNS Service Operation

SonicWALL Addendum. A Supplement to the SonicWALL Internet Security Appliance User's Guide

Virtual Private Network

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

Quick Note 65. Configure an IPSec VPN tunnel between a TransPort WR router and an Accelerated SR router. Digi Technical Support 7 June 2018

VPN Configuration Guide. Cisco ASA 5500 Series

Configuring Management Access

Configuration Guide SuperStack 3 Firewall L2TP/IPSec VPN Client

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

Configuring Security for VPNs with IPsec

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Lab 9: VPNs IPSec Remote Access VPN

Hillstone IPSec VPN Solution

Configuring AnyConnect VPN Client Connections

Network Security 2. Module 4 Configure Site-to-Site VPN Using Pre-Shared Keys

The MSCHAP Version 2 feature (introduced in Cisco IOS Release 12.2(2)XB5) allows Cisco routers to

IPv6 over IPv4 GRE Tunnel Protection

Configuring Cisco VPN Concentrator to Support Avaya 96xx Phones Issue 1.0. Issue th October 2009 ABSTRACT

FAQ about Communication

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Chapter 5 Virtual Private Networking

Quick Note. Configure an IPSec VPN tunnel in Aggressive mode between a TransPort LR router and a Cisco router. Digi Technical Support 7 October 2016

Mediant MSBR. Version 6.8. Security Setup. Configuration Guide. Version 7.2. AudioCodes Family of Multi-Service Business Routers (MSBR)

CLEARPASS CONFIGURING IPsec TUNNELS

Index. Numerics 3DES (triple data encryption standard), 21

VPN Auto Provisioning

BCRAN. Section 9. Cable and DSL Technologies

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Configuring the PIX Firewall and VPN Clients Using PPTP, MPPE and IPSec

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

Overview of the IPsec Features

VPN Ports and LAN-to-LAN Tunnels

Configuration Summary

IPSec Site-to-Site VPN (SVTI)

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

ASDM Book 3: Cisco ASA Series VPN ASDM Configuration Guide, 7.6

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

IPSec Network Applications

AAA Administration. Setting up RADIUS. Information About RADIUS

Identity Firewall. About the Identity Firewall

Data Sheet. NCP Secure Enterprise macos Client. Next Generation Network Access Technology

IPsec Dead Peer Detection Periodic Message Option

Configure an External AAA Server for VPN

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Configuring Authentication, Authorization, and Accounting

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

Transcription:

This chapter describes how to configure /IKEv1 on the ASA. About /IKEv1 VPN, on page 1 Licensing Requirements for, on page 3 Prerequisites for Configuring, on page 4 Guidelines and Limitations, on page 4 Configuring with CLI, on page 6 Feature History for, on page 11 About /IKEv1 VPN Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote clients to use the public IP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data. L2TP protocol is based on the client/server model. The function is divided between the L2TP Network Server (LNS), and the L2TP Access Concentrator (LAC). The LNS typically runs on a network gateway such as a router, while the LAC can be a dial-up Network Access Server (NAS) or an endpoint device with a bundled L2TP client such as Microsoft Windows, Apple iphone, or Android. The primary benefit of configuring L2TP with IPsec/IKEv1 in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that no additional client software, such as Cisco VPN client software, is required. Note supports only IKEv1. IKEv2 is not supported. The configuration of L2TP with IPsec/IKEv1 supports certificates using the preshared keys or RSA signature methods, and the use of dynamic (as opposed to static) crypto maps. This summary of tasks assumes completion of IKEv1, as well as pre-shared keys or RSA signature configuration. See Chapter 41, Digital Certificates, in the general operations configuration guide for the steps to configure preshared keys, RSA, and dynamic crypto maps. 1

IPsec Transport and Tunnel Modes Note L2TP with IPsec on the ASA allows the LNS to interoperate with native VPN clients integrated in such operating systems as Windows, MAC OS X, Android, and Cisco IOS. Only L2TP with IPsec is supported, native L2TP itself is not supported on ASA. The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a 300 second lifetime. IPsec Transport and Tunnel Modes By default, the ASA uses IPsec tunnel mode the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPsec. Tunnel mode also protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints. However, the Windows L2TP/IPsec client uses IPsec transport mode only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination of the packet. The following figure illustrates the differences between IPsec tunnel and transport modes. Figure 1: IPsec in Tunnel and Transport Modes In order for Windows L2TP and IPsec clients to connect to the ASA, you must configure IPsec transport mode for a transform set using the crypto ipsec transform-set trans_name mode transport command. This command is used in the configuration procedure. With this transport capability, you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits 2

Licensing Requirements for the examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport mode allows an attacker to perform some traffic analysis. Licensing Requirements for Note This feature is not available on No Payload Encryption models. IPsec remote access VPN using IKEv2 requires an AnyConnect Plus or Apex license, available separately. See the following maximum values when you purchase an AnyConnect license. IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2 uses the Other VPN license that comes with the base license. The maximum combined VPN sessions of all types cannot exceed the maximum sessions shown in this table. Model ASA 5506-X, 5506H-X, 5506W-X License Requirement IPsec remote access VPN using IKEv2: 50 sessions. IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2: Base license: 10 sessions. Security Plus license: 50 sessions. ASA 5508-X ASA 5512-X ASA 5515-X ASA 5516-X ASA 5525-X ASA 5545-X ASA 5555-X ASA 5585-X with SSP-10 ASA 5585-X with SSP-20, -40, and -60 ASASM ASAv5 ASAv10 ASAv30 100 sessions. 250 sessions. 250 sessions. 300 sessions. 750 sessions. 2500 sessions. 5000 sessions. 5000 sessions. 10,000 sessions. 10,000 sessions. 250 sessions. 250 sessions. 750 sessions. 3

Prerequisites for Configuring Prerequisites for Configuring Configuring has the following prerequisites: Group Policy-You can configure the default group policy (DfltGrpPolicy) or a user-defined group policy for L2TP/IPsec connections. In either case, the group policy must be configured to use the L2TP/IPsec tunneling protocol. If the L2TP/IPsec tunning protocol is not configured for your user-defined group policy, configure the DfltGrpPolicy for the L2TP/IPsec tunning protocol and allow your user-defined group policy to inherit this attribute. Connection Profile-You need to configure the default connection proflie (tunnel group), DefaultRAGroup, if you are performing pre-shared key authentication. If you are performing certificate-based authentication, you can use a user-defined connection profile that can be chosen based on certificate identifiers. IP connectivity needs to be established between the peers. To test connectivity, try to ping the IP address of the ASA from your endpoint and try to ping the IP address of your endpoint from the ASA. Make sure that UDP port 1701 is not blocked anywhere along the path of the connection. If a Windows 7 endpoint device authenticates using a certificate that specifies a SHA signature type, the signature type must match that of the ASA, either SHA1 or SHA2. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. AnyConnect Apex license is required for remote-access VPN in multi-context mode. Although ASA does not specifically recognize an AnyConnect Apex license, it enforces licenses characteristics of an Apex license such as AnyConnect Premium licensed to the platform limit, AnyConnect for mobile, AnyConnect for Cisco VPN phone, and advanced endpoint assessment. Firewall Mode Guidelines Supported only in routed firewall mode. Transparent mode is not supported. Failover Guidelines sessions are not supported by stateful failover. IPv6 Guidelines There is no native IPv6 tunnel setup support for. Authentication Guidelines The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs 4

Guidelines and Limitations to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect. Supported PPP Authentication Types connections on the ASA support only the PPP authentication types as shown: Table 1: AAA Server Support and PPP Authentication Types AAA Server Type LOCAL RADIUS TACACS+ LDAP NT Kerberos SDI Supported PPP Authentication Types PAP, MSCHAPv1, MSCHAPv2 PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy PAP, CHAP, MSCHAPv1 PAP PAP PAP SDI Table 2: PPP Authentication Type Characteristics Keyword chap eap-proxy ms-chap-v1 ms-chap-v2 pap Authentication Type CHAP EAP Microsoft CHAP, Version 1 Microsoft CHAP, Version, 2 PAP Characteristics In response to the server challenge, the client returns the encrypted [challenge plus password] with a cleartext username. This protocol is more secure than the PAP, but it does not encrypt data. Enables EAP which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server. Similar to CHAP but more secure in that the server stores and compares only encrypted passwords rather than cleartext passwords as in CHAP. This protocol also generates a key for data encryption by MPPE. Passes cleartext username and password during authentication and is not secure. 5

Configuring with CLI Configuring with CLI You must configure IKEv1 (ISAKMP) policy settings to allow native VPN clients to make a VPN connection to the ASA using the protocol. IKEv1 phase 1 3DES encryption with SHA1 hash method. IPsec phase 2 3DES or AES encryption with MD5 or SHA hash method. PPP Authentication PAP, MS-CHAPv1, or MSCHAPv2 (preferred). Pre-shared key (only for iphone). Procedure Step 1 Step 2 Step 3 Step 4 Step 5 Create a transform set with a specific ESP encryption type and authentication type. crypto ipsec ike_version transform-set transform_name ESP_Encryption_Type ESP_Authentication_Type crypto ipsec ikev1 transform-set my-transform-set-ikev1 esp-des esp-sha-hmac Instruct IPsec to use transport mode rather than tunnel mode. crypto ipsec ike_version transform-set trans_name mode transport crypto ipsec ikev1 transform-set my-transform-set-ikev1 mode transport Specify L2TP/IPsec as the vpn tunneling protocol. vpn-tunnel-protocol tunneling_protocol hostname(config)# group-policy DfltGrpPolicy attributes hostname(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec (Optional) Instruct the adaptive security appliance to send DNS server IP addresses to the client for the group policy. dns value [none IP_Primary IP_Secondary] hostname(config)# group-policy DfltGrpPolicy attributes hostname(config-group-policy)# dns value 209.165.201.1 209.165.201.2 (Optional) Instruct the adaptive security appliance to send WINS server IP addresses to the client for the group policy. wins-server value [none IP_primary [IP_secondary]] hostname(config)# group-policy DfltGrpPolicy attributes hostname (config-group-policy)# wins-server value 209.165.201.3 209.165.201.4 6

Configuring with CLI Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 Step 12 Step 13 (Optional) Create an IP address pool. ip local pool pool_name starting_address-ending_address mask subnet_mask hostname(config)# ip local pool sales_addresses 10.4.5.10-10.4.5.20 mask 255.255.255.0 (Optional) Associate the pool of IP addresses with the connection profile (tunnel group). address-pool pool_name hostname(config)# tunnel-group DefaultRAGroup general-attributes hostname(config-tunnel-general)# address-pool sales_addresses Create a connection profile (tunnel group). tunnel-group name type remote-access hostname(config)# tunnel-group sales-tunnel type remote-access Link the name of a group policy to the connection profile (tunnel group). default-group-policy name hostname(config)# tunnel-group DefaultRAGroup general-attributes hostname(config-tunnel-general)# default-group-policy DfltGrpPolicy Specify a method to authenticate users attempting connections, for the connection profile (tunnel group). If you are not using the ASA to perform local authentication, and you want to fallback to local authentication, add LOCAL to the end of the command. authentication-server-group server_group [local] hostname(config)# tunnel-group DefaultRAGroup general-attributes hostname(config-tunnel-general)# authentication-server-group sales_server LOCAL Specify a method to authenticate users attempting connections, for the connection profile (tunnel group). If you are not using the ASA to perform local authentication, and you want to fallback to local authentication, add LOCAL to the end of the command. authentication auth_type hostname(config)# tunnel-group name ppp-attributes hostname(config-ppp)# authentication ms-chap-v1 Set the pre-shared key for your connection profile (tunnel group). tunnel-group tunnel group name ipsec-attributes hostname(config)# tunnel-group DefaultRAGroup ipsec-attributes hostname(config-tunnel-ipsec)# ikev1 pre-shared-key cisco123 (Optional) Generate a AAA accounting start and stop record for an L2TP session for the connection profile (tunnel group). 7

Configuring with CLI accounting-server-group aaa_server_group hostname(config)# tunnel-group sales_tunnel general-attributes hostname(config-tunnel-general)# accounting-server-group sales_aaa_server Step 14 Step 15 Step 16 Step 17 Configure the interval (in seconds) between hello messages. The range is 10 through 300 seconds. The default interval is 60 seconds. l2tp tunnel hello seconds hostname(config)# l2tp tunnel hello 100 (Optional) Enable NAT traversal so that ESP packets can pass through one or more NAT devices. If you expect multiple L2TP clients behind a NAT device to attempt connections to the adaptive security appliance, you must enable NAT traversal. crypto isakmp nat-traversal seconds To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the crypto isakmp enable command) in global configuration mode, and then use the crypto isakmp nat-traversal command. hostname(config)# crypto ikev1 enable hostname(config)# crypto isakmp nat-traversal 1500 (Optional) Configure tunnel group switching. The goal of tunnel group switching is to give users a better chance at establishing a VPN connection when they authenticate using a proxy authentication server. Tunnel group is synonymous with connection profile. strip-group strip-realm hostname(config)# tunnel-group DefaultRAGroup general-attributes hostname(config-tunnel-general)# strip-group hostname(config-tunnel-general)# strip-realm (Optional) Create a user with the username jdoe, the password j!doe1. The mschap option specifies that the password is converted to Unicode and hashed using MD4 after you enter it. This step is needed only if you are using a local user database. username name password password mschap asa2(config)# username jdoe password j!doe1 mschap Step 18 Create the IKE Policy for Phase 1 and assign it a number. crypto ikev1 policy priority group Diffie-Hellman Group There are several different parameters of the IKE policy that you can configure. You can also specify a Diffie-Hellman Group for the policy. The isakamp policy is used by the ASA to complete the IKE negotiation. 8

Creating IKE Policies to Respond to Windows 7 Proposals hostname(config)# crypto ikev1 policy 5 hostname(config-ikev1-policy)# group 5 Creating IKE Policies to Respond to Windows 7 Proposals Windows 7 L2TP/IPsec clients send several IKE policy proposals to establish a VPN connection with the ASA. Define one of the following IKE policies to facilitate connections from Windows 7 VPN native clients. Follow the procedure Configuring for ASA. Add the additional steps in this task to configure the IKE policy for Windows 7 native VPN clients. Procedure Step 1 Display the attributes and the number of any existing IKE policies. hostname(config)# show run crypto ikev1 Step 2 Step 3 Configure an IKE policy. The number argument specifies the number of the IKE policy you are configuring. This number was listed in the output of the show run crypto ikev1 command. crypto ikev1 policy number Set the authentication method the ASA uses to establish the identity of each IPsec peer to use preshared keys. hostname(config-ikev1-policy)# authentication pre-share Step 4 Step 5 Choose a symmetric encryption method that protects data transmitted between two IPsec peers. For Windows 7, choose 3des or aes for 128-bit AES, or aes-256. encryption {3des aes aes-256} Choose the hash algorithm that ensures data integrity. For Windows 7, specify sha for the SHA-1 algorithm. hostname(config-ikev1-policy)# hash sha Step 6 Choose the Diffie-Hellman group identifier. You can specify 5 for aes, aes-256, or 3des encryption types. You can specify 2 only for 3des encryption types. hostname(config-ikev1-policy)# group 5 Step 7 Specify the SA lifetime in seconds. For Windows 7, specify 86400 seconds to represent 24 hours. 9

Configuration Example for hostname(config-ikev1-policy)# lifetime 86400 Configuration Example for The following example shows configuration file commands that ensure ASA compatibility with a native VPN client on any operating system: ip local pool sales_addresses 209.165.202.129-209.165.202.158 group-policy sales_policy internal group-policy sales_policy attributes wins-server value 209.165.201.3 209.165.201.4 dns-server value 209.165.201.1 209.165.201.2 vpn-tunnel-protocol l2tp-ipsec tunnel-group DefaultRAGroup general-attributes default-group-policy sales_policy address-pool sales_addresses tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key * tunnel-group DefaultRAGroup ppp-attributes no authentication pap authentication chap authentication ms-chap-v1 authentication ms-chap-v2 crypto ipsec ikev1 transform-set trans esp-des esp-sha-hmac crypto ipsec ikev1 transform-set trans mode transport crypto dynamic-map dyno 10 set ikev1 transform-set trans crypto map vpn 20 ipsec-isakmp dynamic dyno crypto map vpn interface outside crypto ikev1 enable outside crypto ikev1 policy 10 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 10

Feature History for Feature History for Feature Name Releases 7.2(1) Feature Information provides the capability to deploy and administer an L2TP VPN solution alongside the IPsec VPN and firewall services in a single platform. The primary benefit of configuring in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that the only client requirement for VPN access is the use of Windows with Microsoft Dial-Up Networking (DUN). No additional client software, such as Cisco VPN client software, is required. The following commands were introduced or modified: authentication eap-proxy, authentication ms-chap-v1, authentication ms-chap-v2, authentication pap, l2tp tunnel hello, vpn-tunnel-protocol l2tp-ipsec. 11

Feature History for 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback