L2TP/IPSec with Windows 8/7 and Cisco ASA 8.x/9.x

Well, Windows 8 is here and we will some day migrate to it. At least we who are using Microsoft OSes. This poses one problem. This problem is not directly attached to W8 itself, but with W8 we begin to experience it. So, what’s the problem? Cisco is going to stop or is already stopped development and support for Cisco VPN client! If you ask me, it’s a shame. It was/is a good product. There are some workarounds on W8, but they did not work for me, and with time there will be no workarounds at all. So we have to consider our options. There are a few of them:

  • Anyconnect
  • L2TP/IPSec
  • Other SSL/TLS solutions (OpenVPN, SSTP, …)

Me personally don’t like Anyconnect. One of the reasons is that Cisco charges for licenses. There are some cheap bundles (“Anyconnect Essentials”), but still it is not fair. If we bought ASAs with a licenses for certain amount of IPSec connections and Cisco discontinues IPSec client and start using Anyconnect, they could allow us to make some sort of license switchover. So, if we had 5000 IPSec connections license, we could have the ability to make a 5000 Anyconnect sessions with no extra money.

Third option I won’t discuss, because I don’t have enough experience with these kind of products. There could also be a problem of getting support for them. And still, there might be a licensing issue mentioned above.

So, this blog will deal with the only valid option left – “L2TP/IPSec”.

I won’t be describing “L2TP”, what it is and how it operates. This can be easily found on the Net. I will however stress out that “L2TP” provides (almost) none security. From Wikipedia:

“L2TP does not provide confidentiality or strong authentication by itself.”

This means that we should not use “L2TP” for VPN access. Fortunately, the ASA does not support plain “L2TP” so this makes our decision easier: we have to use secure version of “L2TP” called “L2TP/IPSec”. Basically, we are still using “L2TP”, but we add extra security which IPSec brings to the table: device authentication, confidentiality and integrity.

So, how this works? Without IPSec, the story goes like this: a user makes a connection from a laptop/smart phone to a VPN gateway, called LNS (“L2TP Network Server”). After authenticating to LNS, user’s packets get encapsulated in UDP/1701 and all communication between a client (called a LAC – “L2TP Access Concentrator”) goes through this channel. For example, our mail is encapsulated or tunneled this way.  Problem with this method is that, as said, there is no confidentiality.

Some clever guys figured out that we could use something already in place, such as IPSec, to protect this traffic. With IPSec, our mail, for example, is tunneled inside L2TP that is UDP/1701, and that L2TP is in turn tunneled inside ESP, and hence encrypted. Along with this, because we are using IPSec, we have another benefit – device or client authentication with IKE. There is of course user authentication present with L2TP which is something like XAUTH with IPSec.

Before we jump to configuration, there are some things I would like to point out about “L2TP/IPSec”:

  • The client is free and can be found on many platforms (Windows, Linux, Android, …)
  • As long as IPSec is setup in a secure manner, “L2TP/IPSec” should be secure
  • If we authenticate devices with pre-shared keys, we must use “DefaultRAGroup” tunnel group
  • For certificate based device authentication, there is no this limitation
  • We can use either “DfltGrpPolicy” group policy, or make our custom policy
  • We need a clean way from client to ASA for IPSec ports and protocols
  • A transport mode, instead of tunnel mode, must be used
  • There could be NAT issues, depending on LAC/LNS versions
  • IKEv2 is not supported

Let’s break our configuration into several steps:

  1. Configuring the ASA
    1. Configuring AAA parameters
    2. Configuring IKE parameters
    3. Configuring IPSec parameters
    4. Configuring group policy and tunnel group
  2. Configuring the client

A. Configuring AAA parameters

We are talking about user authentication here. This authentication is done within L2TP framework, not IPSec. Depending on a LAC/LNS combination, and user database we are using, there are several choices here:

  • PAP
  • CHAP
  • MS-CHAPv1
  • MS-CHAPv2
  • EAP

I would like to point out that all of these methods, except for some EAP types, are not considered secure and there are tools and ways of breaking these methods.

I also said that available methods are also user database dependant. Here is a table from Cisco.com that explains our choices:

SNAGHTML637c61

This is pretty much self explanatory with one addition. There could be multiple links in a chain by which we reach user database. For example, although the table from above states that “MS-CHAPv2” is possible with RADIUS, if that RADIUS is set up to retrieve a user info from external database such as “RSA SecurID”, this won’t work. But, if a RADIUS talks to “Active Directory” external database, this will work. The point here is that the things in real life could be a little bit more complicated than in this table.

If we are using LOCAL user database, our user’s passwords must be RC4 encrypted. This is done by adding a special keyword when creating a user:

ASAPOP#
ASAPOP# conf t
ASAPOP(config)# username sasa password popravak mschap
ASAPOP(config)#
ASAPOP(config)# show run username sasa
username sasa password uEwG7U3yQ+zmShyEXyAkEQ== nt-encrypted
ASAPOP(config)# exit
ASAPOP#

If using external AAA server, AAA setup must be completed and tested before proceeding to next steps. You can find several blog posts on this blog that cover this area. Although it does not belong in this section, we need to create an address pool we are going to assign addresses to clients from:

ip local pool POOL1 10.77.77.1-10.77.77.128

B. Configuring IKE parameters

First we enable ISAKMP on the outside interface:

crypto ikev1 enable outside

And then we ran into first problem. Let’s take a look at our present IKE proposals:

crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

I have bolded IKE policy #2000. Why? Windows 7/8 client *won’t* complete phase one IPSec without this proposal! Probably there are some other working proposals, but this one works. We are just fine with this, but have to know about this pitfall. Other two proposals from this example won’t work!

C. Configuring IPSec parameters

This is where another pitfall lays. Windows 7/8 clients organize IPSec parameters in two groups. These groups are called “Maximum strength encryption (disconnect if server declines)” and “Require encryption (disconnect if server declines)”. Under first group are “ESP-3DES-SHA1” and “ESP-AES256-SHA1” proposals and under second group is “ESP-AES128-SHA1”. So we *must* have IPSec proposals or transform sets that matches what clients supports and those proposals *must* be aligned with the client setup. There are some proposals that never work: ESP-3DES-MD5, ESP-AES256-MD5, ESP-AES192-SHA1, …

In other words, if we want to allow only strong encryption, we would create, for example this transform set:

crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport

To support not so secure methods, we could create:

crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport

IMPORTANT: by default ASA will use a tunnel mode for IPSec,  but Windows clients require transport mode!!

Now we need to create a dynamic crypto map with these transforms and attach it to ordinary crypto map:

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS

crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside

There is something worth noting with this IPSec configuration. If we applied dynamic map like this, our users with option “Require encryption (disconnect if server declines)” would not be able to connect. With dynamic map like this:

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS

we would cut off our “Maximum strength encryption (disconnect if server declines)” users. So, we need a compromise of both transform sets within a dynamic crypto map:

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES128-SHA1_TRANS ESP-AES256-SHA1_TRANS

Cool? Not just yet! With this dynamic map, our “Cisco IPSec VPN” clients would not be able connect. Why? They want a tunnel mode, and we offer them only proposals with a transport mode. So, let’s fix this:

crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac

crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set
ESP-AES128-SHA1_TRANS ESP-AES256-SHA1_TRANS ESP-AES256-SHA1

This dynamic map (by the way it should be in a single line) allows us to accept all three types of connections.

D. Configuring group policy and tunnel group

Group policy configuration is a straight forward. We could use a “DfltGrpPolicy” or make our own. Let’s create one with some attributes:

group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol l2tp-ipsec
default-domain value popravak.com

The most important and mandatory setting here is “vpn-tunnel-protocol l2tp-ipsec”. Other parameters are common.

Unlike with the group policy, we cannot use a custom tunnel group if we are authenticating our devices with pre-shared keys. Because this is the case in this blog, we are going to use “DefaultRAGroup”:

tunnel-group DefaultRAGroup general-attributes
address-pool POOL1
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key spop123
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2

Here we specify the address pool, ties a group policy to a tunnel group, specify pre-shared key and user authentication method.

At this point we should be ready for configuring the client. I will do the setup on Windows 8, although the setup is identical on Windows 7.

Configuring the client

Configuration steps are from Windows 8 client, but for Windows 7 are identical and for XP very similar. First we open “Network and Sharing Center” and select “Set up a new connection on network”:

3-6-2013 6-06-02 PM

Then, a “Connect to a workplace” option should be selected:

3-6-2013 6-07-20 PM

We want to create a new connection, so we select “No, create a new connection” radio button:

3-6-2013 6-08-03 PM

Under the “How do you want to connect?”, we select “Use my Internet connection (VPN)” option:

3-6-2013 6-08-27 PM

We type the VPN gateway IP address in and provide a name for this connection:

SNAGHTML167b4473

We can select “Remember my credentials” now or do that later. Other two options should be unchecked. Finally, we click “Create” and our connection will be created. At this point, this connection is useless, so we need to do a little bit of tweaking.

Under “Networks” pane, we right click our connection and select “View connection properties”:

3-6-2013 6-10-51 PM

We have now a series of five tabs with options we need to tweak under some of them. First, on the “General” tab, we just verify the IP address of our ASA box:

SNAGHTML167c0cd4

On the “Options” tab, we have again the opportunity to save our credentials and perhaps tell the client when to disconnect a session if a period of inactivity exists. There is nothing interesting in the “PPP Settings…” dialog, so we proceed to the “Security” tab, where most of settings actually is done:

3-6-2013 6-13-02 PM

Here we must select “Layer 2 Tunneling Protocol with IPsec (L2TP/IPsec)” as the type of VPN. For data encryption we may use “Maximum strength encryption (disconnect if server declines)” or “Require encryption (disconnect if server declines)” , depending on our needs and how we set up our crypto settings on ASA, which is explained above in this blog. As for authentication, we have several options. Which one we will chose depends on security requirements and infrastructure in place. What we select here, must be supported on ASA or external identity store.

Now we click “Advanced settings”:

3-6-2013 6-14-02 PM

In here we select “Use pre-shared key for authentication” option, and specify the key. This key is a IKE phase one key and is used to authenticate our device, a PC or a smart phone. This key must match to a key configured under a “DefaultRAGroup” tunnel group, IPSec attributes section.

We could use the default option here, “Use certificate for authentication” but our infrastructure is not set up for RSA sig authentication, so we will stick to the PSK option.

It is now turn for the “Networking” tab:

3-6-2013 6-14-32 PM

In here we don’t need to change anything, but I like to turn off “Internet Protocol Version 6 (TCP/IPv6)” and “File and Printer Sharing for Microsoft Networks”.  Finally, the “Sharing” tab:

3-6-2013 6-14-48 PM

We don’t need to change anything here.

Now let’s try our connection. Under the “Networks” pane, we select our “L2TP/IPSec” connection, click “Connect” and provide a username and password combination. Then we click “OK”:

SNAGHTML167e41f3

Then wait a while:

SNAGHTML167fe850

Maybe it’s me, but it is quicker than traditional client. So, if we did all right, we have a connected status:

3-6-2013 6-19-39 PM

We can view a connection properties and see what encryption we are using, how we authenticate, which address we got and that kind of stuff:

SNAGHTML16817b25

And that’s it!

We now have working replacement for Cisco VPN client. I feel sorry for the “old dude”, but I guess we have to move on. In some future blog I will try to change this setup to use the certificate based authentication and perhaps some sort of EAP for user authentication.

Before I sign out, here is a complete, minimal, working configuration. Please have in mind that this ASA and laptop were connected to the same segment, so you will not find any NAT configuration in here. However, a NAT configuration is the same as with traditional IPSec client or Anyconnect.

ASA Version 9.0(1)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxxxxxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
ip local pool POOL1 10.77.77.1-10.77.77.128
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.77.78.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.1.0.200 255.255.255.0
!
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
!
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
!
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
crypto ca trustpool policy
!
crypto ikev1 enable outside
!
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value 4.2.2.2
vpn-tunnel-protocol l2tp-ipsec
default-domain value popravak.com
!
username sasa password uEwG7U3yQ+zmShyEXyAkEQ== nt-encrypted
!
tunnel-group DefaultRAGroup general-attributes
address-pool POOL1
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

Thanks for reading!

Advertisements
This entry was posted in ASA, Cisco, Microsoft, Security, VPN and tagged , , , . Bookmark the permalink.

28 Responses to L2TP/IPSec with Windows 8/7 and Cisco ASA 8.x/9.x

  1. Pingback: Cisco Remote Access VPNs and Windows 8.1 | ping 8.8.8.8

  2. Paul279 says:

    thank you for your great tutorial – now it is working 🙂

  3. Nick says:

    that’s really a great tutorial… thank you very much…
    I just have a little question: is there a possibility to configure a split tunnel with this configuration?

    Thanks in advance for your help.

  4. Pingback: Windows7とCiscoASAのVPN接続時の覚え書き(L2TP/IPsecの場合)

  5. Alehandro says:

    great ! but cannot make it to work on 5505 7.2(4), just Cisco VPN CLient and Site2Site, no matter waht i do, windows 8 native client hangs con verifying username and password . . . . . and ends up with error 698

  6. Olesia says:

    great tutorial, but infortunately doesnt work for me (wind 8 and cisco asa 5505 Software Version 8.2(5), Device Manager Version 6.4(5)), gettin error 789: l2tp conection attempt failed because the security layer encountere a processing error . any help appreciated

  7. Paul says:

    same here, also getting error 789. does someone have a solution for this?

  8. Alehandro says:

    Olesia,Paul,Sosa: Finally found solution !!! on both pre 8.4 & 8.4, mail me your config i’ll explain u the changes needed

  9. georgez says:

    Thank you. Works as a configuration on 8.2.5 with small modifications because the version is older than the one with the example above.

    Hit the wall twice and can’t get out.

    1) Local authentication works but i need to make it working with microsoft ad. I have working configuration with IPSec and MS AD but with that configuration. Any way around?

    2) Worse problem. No network. The L2TP tunnel is established and I only can ping myself (the client). Nothing else. As soon as I drop the VPN, everything works just fine. At the same time my IPSec tunnel works great. The difference between both is:

    group-policy EMPLOYEES_L2TP_IPSEC internal
    group-policy EMPLOYEES_L2TP_IPSEC attributes
    dns-server value 172.16.0.181 172.16.0.180
    vpn-tunnel-protocol l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value all_internal_networks
    default-domain value blah.com

    group-policy EMPLOYEES_IPSEC internal
    group-policy EMPLOYEES_IPSEC attributes
    wins-server value 172.20.0.181 172.20.0.180
    dns-server value 172.20.0.181 172.20.0.180
    vpn-idle-timeout 30
    vpn-session-timeout 720
    vpn-tunnel-protocol IPSec svc webvpn
    password-storage enable
    ip-comp enable
    pfs enable
    ipsec-udp enable
    ipsec-udp-port 10000
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value all_internal_networks
    default-domain value blah.com
    webvpn
    svc compression deflate
    svc ask none default svc

    Any idea how to make EMPLOYEES_L2TP_IPSEC working?

    I already tried adding

    ipsec-udp enable
    ipsec-udp-port 10000

    to EMPLOYEES_L2TP_IPSEC

    and I can’t connect any more. As soon as I remove the udp, everything is good. Connecting but no network.

    Thank you.

  10. nbctcp says:

    How do I know how many IPSec License I have In my ASA5505

    Licensed features for this platform:
    Maximum Physical Interfaces : 8 perpetual
    VLANs : 20 DMZ Unrestricted
    Dual ISPs : Enabled perpetual
    VLAN Trunk Ports : 8 perpetual
    Inside Hosts : Unlimited perpetual
    Failover : Active/Standby perpetual
    Encryption-DES : Enabled perpetual
    Encryption-3DES-AES : Enabled perpetual
    AnyConnect Premium Peers : 25 perpetual
    AnyConnect Essentials : 25 perpetual
    Other VPN Peers : 25 perpetual
    Total VPN Peers : 25 perpetual
    Shared License : Enabled perpetual
    AnyConnect for Mobile : Enabled perpetual
    AnyConnect for Cisco VPN Phone : Enabled perpetual
    Advanced Endpoint Assessment : Enabled perpetual
    UC Phone Proxy Sessions : 24 perpetual
    Total UC Proxy Sessions : 24 perpetual
    Botnet Traffic Filter : Enabled perpetual
    Intercompany Media Engine : Disabled perpetual
    Cluster : Disabled perpetual

  11. Dave Bogdan says:

    excellent article. I still had an issue, then I turned off PFS. That fixed it.

  12. Maarten B says:

    Thanks for a very helpful article!
    Like a few others above me, I initially got error 789 (Windows 8.1 to ASA 5505). In my case the solution was to disable PFS on the ASA, as in:
    no crypto map MAP_OUTSIDE 10000 set pfs
    PFS is disabled by default, but it may get enabled if you run the ASDM VPN wizard. Hope this helps.

  13. Kerry says:

    Alehandro,

    I am in need of the “solution” for 8.4(4) Here is verbatim what I put on my ASA-5505 —

    crypto ikev1 enable outside

    crypto ikev1 policy 1000
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400

    crypto ikev1 policy 2000
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

    crypto ikev1 policy 3000
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400

    ip local pool OH_L2TP_POOL 192.168.3.1-192.168.3.254 mask 255.255.255.0

    crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
    crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac

    crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1

    crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
    crypto map MAP_OUTSIDE interface outside

    group-policy OH_L2TP_IPSEC internal
    group-policy OH_L2TP_IPSEC attributes
    dns-server value 192.168.1.10
    vpn-tunnel-protocol l2tp-ipsec
    default-domain value (redacted)

    tunnel-group DefaultRAGroup general-attributes
    address-pool OH_L2TP_POOL
    default-group-policy OH_L2TP_IPSEC
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key (redacted)
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2

    I am connecting (trying) Windows 8.1 Pro to the ASA-5505 8.4(4)

    Thanks

  14. Kerry says:

    Sorry. This is what is showing up in my ASA logs.

    713257 Phase 1 failure: Mismatched attribute types for class Group Description: Rcv’d: Unknown Cfg’d: Group 2

  15. VSP says:

    Thanks for the great write-up. I was stuck up with the L2TP setup and this helped me complete the setup 🙂

  16. neterr0r says:

    Excellent tutorial, thank a lot. You’ve just saved me A LOT of time!

  17. tv-center says:

    wonderflul THX great tutorial

    🙂

  18. Ogie says:

    Thanks for the write up. I have successfully connected windows 7 and mac OS X to ASA VPN. I”m having hard time to getting windows 10 to connect. I’m guessing the transform sets are not correct. would you be able to hint me which transform sets would work with windows 10.

    I have the following configured.

    crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA ESP-3DES-SHA-TRANS ESP-3DES-MD5-TRANS ESP-AES-128-SHA-TRANS
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside

    thank you.

  19. RIJOCUMO says:

    Hi, this is a great explanation.
    Work for me on other tunnel-group with ppp but this tunnel-group with mschapv2 don’t work.
    Can share my conf for help me?
    Thanks

  20. Oliver Jones says:

    This partially worked for me. I’m using split tunneling in my environment and I was able to get a connection established using this method, but it doesnt automatically create the appropriate routes. If I manually create the appropriate route, it works fine. I was able to get the Cisco IPSec client working on windows 10 (it was messy, I dont want to have to do it for everyone, hence I’m looking at this method) and it automatically creates the appropriate routes.

    Any thoughts?

    • Ryan says:

      In order to get split tunneling working correctly, may need two more setting you :

      First, on the client side: uncheck Use default gateway on remote network option
      here is how to locate that option: open the Properties of the L2TP VPN connection –>click on Networking tap–> select Internet Protocol Version4 –> Properties–> Advanced.–>on the IP Settings.

      Second, on the ASA side, edit the group policy that you use for the L2TP VPN, in the same page of the Split Tunneling, change the Intercept DHCP Configuration Message from Microsoft Clients from Inherit to Yes and the Subnet Mask choose 255.255.255.255

  21. RvdK says:

    Thanks for this info! Already a bit older article, but it still helped me a lot!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s