L2TP/IPSec with Windows 8/7 and Cisco ASA 8.x/9.x

Well, Windows 8 is here and we will some day migrate to it. At least we who are using Microsoft OSes. This poses one problem. This problem is not directly attached to W8 itself, but with W8 we begin to experience it. So, what’s the problem? Cisco is going to stop or is already stopped development and support for Cisco VPN client! If you ask me, it’s a shame. It was/is a good product. There are some workarounds on W8, but they did not work for me, and with time there will be no workarounds at all. So we have to consider our options. There are a few of them:

• Anyconnect
• L2TP/IPSec
• Other SSL/TLS solutions (OpenVPN, SSTP, …)
• …

Me personally don’t like Anyconnect. One of the reasons is that Cisco charges for licenses. There are some cheap bundles (“Anyconnect Essentials”), but still it is not fair. If we bought ASAs with a licenses for certain amount of IPSec connections and Cisco discontinues IPSec client and start using Anyconnect, they could allow us to make some sort of license switchover. So, if we had 5000 IPSec connections license, we could have the ability to make a 5000 Anyconnect sessions with no extra money.

Third option I won’t discuss, because I don’t have enough experience with these kind of products. There could also be a problem of getting support for them. And still, there might be a licensing issue mentioned above.

So, this blog will deal with the only valid option left – “L2TP/IPSec”.

I won’t be describing “L2TP”, what it is and how it operates. This can be easily found on the Net. I will however stress out that “L2TP” provides (almost) none security. From Wikipedia:

“L2TP does not provide confidentiality or strong authentication by itself.”

This means that we should not use “L2TP” for VPN access. Fortunately, the ASA does not support plain “L2TP” so this makes our decision easier: we have to use secure version of “L2TP” called “L2TP/IPSec”. Basically, we are still using “L2TP”, but we add extra security which IPSec brings to the table: device authentication, confidentiality and integrity.

So, how this works? Without IPSec, the story goes like this: a user makes a connection from a laptop/smart phone to a VPN gateway, called LNS (“L2TP Network Server”). After authenticating to LNS, user’s packets get encapsulated in UDP/1701 and all communication between a client (called a LAC – “L2TP Access Concentrator”) goes through this channel. For example, our mail is encapsulated or tunneled this way.  Problem with this method is that, as said, there is no confidentiality.

Some clever guys figured out that we could use something already in place, such as IPSec, to protect this traffic. With IPSec, our mail, for example, is tunneled inside L2TP that is UDP/1701, and that L2TP is in turn tunneled inside ESP, and hence encrypted. Along with this, because we are using IPSec, we have another benefit – device or client authentication with IKE. There is of course user authentication present with L2TP which is something like XAUTH with IPSec.

Before we jump to configuration, there are some things I would like to point out about “L2TP/IPSec”:

• The client is free and can be found on many platforms (Windows, Linux, Android, …)
• As long as IPSec is setup in a secure manner, “L2TP/IPSec” should be secure
• If we authenticate devices with pre-shared keys, we must use “DefaultRAGroup” tunnel group
• For certificate based device authentication, there is no this limitation
• We can use either “DfltGrpPolicy” group policy, or make our custom policy
• We need a clean way from client to ASA for IPSec ports and protocols
• A transport mode, instead of tunnel mode, must be used
• There could be NAT issues, depending on LAC/LNS versions
• IKEv2 is not supported
• …

Let’s break our configuration into several steps:

1. Configuring the ASA
   1. Configuring AAA parameters
   2. Configuring IKE parameters
   3. Configuring IPSec parameters
   4. Configuring group policy and tunnel group
2. Configuring the client

A. Configuring AAA parameters

We are talking about user authentication here. This authentication is done within L2TP framework, not IPSec. Depending on a LAC/LNS combination, and user database we are using, there are several choices here:

• PAP
• CHAP
• MS-CHAPv1
• MS-CHAPv2
• EAP

I would like to point out that all of these methods, except for some EAP types, are not considered secure and there are tools and ways of breaking these methods.

I also said that available methods are also user database dependant. Here is a table from Cisco.com that explains our choices:

This is pretty much self explanatory with one addition. There could be multiple links in a chain by which we reach user database. For example, although the table from above states that “MS-CHAPv2” is possible with RADIUS, if that RADIUS is set up to retrieve a user info from external database such as “RSA SecurID”, this won’t work. But, if a RADIUS talks to “Active Directory” external database, this will work. The point here is that the things in real life could be a little bit more complicated than in this table.

If we are using LOCAL user database, our user’s passwords must be RC4 encrypted. This is done by adding a special keyword when creating a user:

ASAPOP#
ASAPOP# conf t
ASAPOP(config)# username sasa password popravak mschap
ASAPOP(config)#
ASAPOP(config)# show run username sasa
username sasa password uEwG7U3yQ+zmShyEXyAkEQ== nt-encrypted
ASAPOP(config)# exit
ASAPOP#

If using external AAA server, AAA setup must be completed and tested before proceeding to next steps. You can find several blog posts on this blog that cover this area. Although it does not belong in this section, we need to create an address pool we are going to assign addresses to clients from:

ip local pool POOL1 10.77.77.1-10.77.77.128

B. Configuring IKE parameters

First we enable ISAKMP on the outside interface:

crypto ikev1 enable outside

And then we ran into first problem. Let’s take a look at our present IKE proposals:

crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

I have bolded IKE policy #2000. Why? Windows 7/8 client *won’t* complete phase one IPSec without this proposal! Probably there are some other working proposals, but this one works. We are just fine with this, but have to know about this pitfall. Other two proposals from this example won’t work!

C. Configuring IPSec parameters

This is where another pitfall lays. Windows 7/8 clients organize IPSec parameters in two groups. These groups are called “Maximum strength encryption (disconnect if server declines)” and “Require encryption (disconnect if server declines)”. Under first group are “ESP-3DES-SHA1” and “ESP-AES256-SHA1” proposals and under second group is “ESP-AES128-SHA1”. So we *must* have IPSec proposals or transform sets that matches what clients supports and those proposals *must* be aligned with the client setup. There are some proposals that never work: ESP-3DES-MD5, ESP-AES256-MD5, ESP-AES192-SHA1, …

In other words, if we want to allow only strong encryption, we would create, for example this transform set:

crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport

To support not so secure methods, we could create:

crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport

IMPORTANT: by default ASA will use a tunnel mode for IPSec,  but Windows clients require transport mode!!

Now we need to create a dynamic crypto map with these transforms and attach it to ordinary crypto map:

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS

crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside

There is something worth noting with this IPSec configuration. If we applied dynamic map like this, our users with option “Require encryption (disconnect if server declines)” would not be able to connect. With dynamic map like this:

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS

we would cut off our “Maximum strength encryption (disconnect if server declines)” users. So, we need a compromise of both transform sets within a dynamic crypto map:

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS ESP-AES256-SHA1_TRANS

Cool? Not just yet! With this dynamic map, our “Cisco IPSec VPN” clients would not be able connect. Why? They want a tunnel mode, and we offer them only proposals with a transport mode. So, let’s fix this:

crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set
ESP-AES128-SHA1_TRANS ESP-AES256-SHA1_TRANS ESP-AES256-SHA1

This dynamic map (by the way it should be in a single line) allows us to accept all three types of connections.

D. Configuring group policy and tunnel group

Group policy configuration is a straight forward. We could use a “DfltGrpPolicy” or make our own. Let’s create one with some attributes:

group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol l2tp-ipsec
default-domain value popravak.com

The most important and mandatory setting here is “vpn-tunnel-protocol l2tp-ipsec”. Other parameters are common.

Unlike with the group policy, we cannot use a custom tunnel group if we are authenticating our devices with pre-shared keys. Because this is the case in this blog, we are going to use “DefaultRAGroup”:

tunnel-group DefaultRAGroup general-attributes
address-pool POOL1
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key spop123
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2

Here we specify the address pool, ties a group policy to a tunnel group, specify pre-shared key and user authentication method.

At this point we should be ready for configuring the client. I will do the setup on Windows 8, although the setup is identical on Windows 7.

Configuring the client

Configuration steps are from Windows 8 client, but for Windows 7 are identical and for XP very similar. First we open “Network and Sharing Center” and select “Set up a new connection on network”:

Then, a “Connect to a workplace” option should be selected:

We want to create a new connection, so we select “No, create a new connection” radio button:

Under the “How do you want to connect?”, we select “Use my Internet connection (VPN)” option:

We type the VPN gateway IP address in and provide a name for this connection:

We can select “Remember my credentials” now or do that later. Other two options should be unchecked. Finally, we click “Create” and our connection will be created. At this point, this connection is useless, so we need to do a little bit of tweaking.

Under “Networks” pane, we right click our connection and select “View connection properties”:

We have now a series of five tabs with options we need to tweak under some of them. First, on the “General” tab, we just verify the IP address of our ASA box:

On the “Options” tab, we have again the opportunity to save our credentials and perhaps tell the client when to disconnect a session if a period of inactivity exists. There is nothing interesting in the “PPP Settings…” dialog, so we proceed to the “Security” tab, where most of settings actually is done:

Here we must select “Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)” as the type of VPN. For data encryption we may use “Maximum strength encryption (disconnect if server declines)” or “Require encryption (disconnect if server declines)” , depending on our needs and how we set up our crypto settings on ASA, which is explained above in this blog. As for authentication, we have several options. Which one we will chose depends on security requirements and infrastructure in place. What we select here, must be supported on ASA or external identity store.

Now we click “Advanced settings”:

In here we select “Use pre-shared key for authentication” option, and specify the key. This key is a IKE phase one key and is used to authenticate our device, a PC or a smart phone. This key must match to a key configured under a “DefaultRAGroup” tunnel group, IPSec attributes section.

We could use the default option here, “Use certificate for authentication” but our infrastructure is not set up for RSA sig authentication, so we will stick to the PSK option.

It is now turn for the “Networking” tab:

In here we don’t need to change anything, but I like to turn off “Internet Protocol Version 6 (TCP/IPv6)” and “File and Printer Sharing for Microsoft Networks”.  Finally, the “Sharing” tab:

We don’t need to change anything here.

Now let’s try our connection. Under the “Networks” pane, we select our “L2TP/IPSec” connection, click “Connect” and provide a username and password combination. Then we click “OK”:

Then wait a while:

Maybe it’s me, but it is quicker than traditional client. So, if we did all right, we have a connected status:

We can view a connection properties and see what encryption we are using, how we authenticate, which address we got and that kind of stuff:

And that’s it!

We now have working replacement for Cisco VPN client. I feel sorry for the “old dude”, but I guess we have to move on. In some future blog I will try to change this setup to use the certificate based authentication and perhaps some sort of EAP for user authentication.

Before I sign out, here is a complete, minimal, working configuration. Please have in mind that this ASA and laptop were connected to the same segment, so you will not find any NAT configuration in here. However, a NAT configuration is the same as with traditional IPSec client or Anyconnect.

ASA Version 9.0(1)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
ip local pool POOL1 10.77.77.1-10.77.77.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.77.78.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.0.200 255.255.255.0
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
!
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
!
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
crypto ca trustpool policy
!
crypto ikev1 enable outside
!
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol l2tp-ipsec
default-domain value popravak.com
!
username sasa password uEwG7U3yQ+zmShyEXyAkEQ== nt-encrypted
!
tunnel-group DefaultRAGroup general-attributes
address-pool POOL1
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

Thanks for reading!