When it comes to implementing remote access VPN, there are many options. Check out my article on deciding among PPTP vs L2TP/IPSec vs SSTP vs IKEv2 vs OpenVPN. In that article, I listed a few things to look for when trying to pick a VPN protocol. PPTP is the first one to throw out because it has no data integrity check and has known security vulnerabilities. L2TP/IPSec and IKEv2 were the ones I recommended. In this article, we’ll cover configuring L2TP over IPSec VPN on Cisco ASA. Both pre-8.3 code and post-8.3 code configuration samples are included.

Save time by downloading the validated configuration scripts and have your VPN up in minutes.

What is L2TP/IPSec

L2TP (Layer 2 Tunneling Protocol) is a combination of PPTP and Layer 2 Forwarding (L2F), a technology developed by Cisco, and takes the best features of both. The underlying tunnel still carries PPP frames, and L2TP itself provides no encryption: that is done by IPSec ESP in transport mode. On the wire, L2TP/IPSec needs more than one port open: UDP port 500 for IKE, IP protocol 50 (ESP) for the encrypted traffic, UDP port 4500 for both IKE and ESP when the client is behind NAT (NAT-T), and UDP port 1701 for L2TP itself, which only ever travels inside the ESP-protected packet.

Encapsulation

L2TP/IPSec has two layers of encapsulation: an inner L2TP encapsulation and an outer IPSec encapsulation. The inner layer consists of an L2TP header and a UDP header (port 1701) wrapped around the PPP frame. The outer layer adds an IPSec ESP (Encapsulating Security Payload) header and trailer around that UDP datagram; because IPSec runs in transport mode, the original IP header is kept and only the UDP/L2TP/PPP payload is encrypted. The ESP authentication trailer (the ICV) provides the message integrity check and data-origin authentication.

[Figure: Cisco ASA L2TP/IPSec VPN encapsulation diagram]
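To make the two layers concrete, here is an added example of mine (not from the original article and not Cisco code) that builds the inner UDP/L2TP/PPP encapsulation and the outer ESP transport-mode framing byte for byte, then unwraps them again through the integrity check. To stay dependency-free it uses ESP with NULL encryption (RFC 2410) and HMAC-SHA1-96 for the ICV; a real L2TP/IPSec session applies AES or 3DES to the same payload inside the same ESP framing. The tunnel ID, session ID, SPI and key are made-up values.

```python
"""Byte-level L2TP/IPSec encapsulation: PPP -> L2TP -> UDP 1701 -> ESP (transport mode).

Added example, not part of the original article or of any Cisco code. ESP is built
with NULL encryption (RFC 2410) and HMAC-SHA1-96 so it runs on the standard library;
a real session would encrypt the same payload with AES or 3DES in the same framing.
"""
import hashlib
import hmac
import struct

IPPROTO_UDP = 17
L2TP_PORT = 1701
ICV_LEN = 12  # HMAC-SHA1-96: the 20-byte tag is truncated to 96 bits


def build_l2tp_data(ppp_frame: bytes, tunnel_id: int, session_id: int) -> bytes:
    """Inner layer: an L2TPv2 data-message header (RFC 2661) in front of the PPP frame.
    Flags: T=0 (data, not control), L=1 (Length field present), Ver=2."""
    flags = (1 << 14) | 2
    header_len = 8  # flags(2) + length(2) + tunnel id(2) + session id(2)
    return struct.pack("!HHHH", flags, header_len + len(ppp_frame), tunnel_id, session_id) + ppp_frame


def build_udp(payload: bytes, sport: int = L2TP_PORT, dport: int = L2TP_PORT) -> bytes:
    """UDP header carrying L2TP on port 1701; checksum left at 0, which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    """Outer layer: ESP header, payload, trailer and ICV (RFC 4303). In transport mode the
    Next Header field names what ESP carries, here UDP (17); the original IP header stays outside."""
    pad_len = (-(len(inner) + 2)) % 4  # payload + padding + 2 trailer bytes end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))  # default padding pattern 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + struct.pack("!BB", pad_len, IPPROTO_UDP)
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]  # covers header, payload, trailer
    return body + icv


def esp_decapsulate(packet: bytes, auth_key: bytes):
    """Check the ICV first, then strip the ESP framing. Returns (spi, seq, next_header, inner)
    and raises ValueError if the packet was modified in transit."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    inner = body[8:len(body) - 2 - pad_len]
    return spi, seq, next_header, inner


def parse_l2tp_data(udp_segment: bytes) -> dict:
    """Walk the inner layer back down: UDP header -> L2TP header -> PPP frame."""
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp_segment[:8])
    l2tp = udp_segment[8:udp_len]
    flags, length, tunnel_id, session_id = struct.unpack("!HHHH", l2tp[:8])
    if (flags & 0x000F) != 2 or flags & (1 << 15):
        raise ValueError("not an L2TPv2 data message")
    return {"udp_ports": (sport, dport), "tunnel_id": tunnel_id,
            "session_id": session_id, "ppp": l2tp[8:length]}


def roundtrip(ppp_frame: bytes, auth_key: bytes = b"constructed-demo-auth-key") -> dict:
    """Wrap a PPP frame in both layers, then unwrap it again through the ICV check."""
    inner = build_udp(build_l2tp_data(ppp_frame, tunnel_id=7, session_id=42))  # made-up IDs
    esp = esp_encapsulate(inner, spi=0x1000, seq=1, auth_key=auth_key)        # made-up SPI
    _, _, next_header, recovered = esp_decapsulate(esp, auth_key)
    return {"esp_len": len(esp), "next_header": next_header, **parse_l2tp_data(recovered)}


if __name__ == "__main__":
    # Constructed PPP frame: HDLC address/control 0xFF 0x03, protocol 0x0021 (IPv4), dummy 20-byte IPv4 header
    frame = b"\xff\x03\x00\x21" + b"\x45\x00" + bytes(18)
    print(roundtrip(frame))
```

A 24-byte PPP frame comes out as 64 bytes of ESP: the L2TP and UDP headers add 16, and ESP adds 8 bytes of header, 2 of padding, 2 of trailer and 12 of ICV. That is the overhead the “double encapsulation” refers to; with a real cipher the IV and block-size padding add to it, and the outer IP header still sits in front of all of this.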

Encryption

Data encryption is done with one of the following algorithms, using keys derived from the IKE negotiation: AES-256 (Advanced Encryption Standard), AES-192, AES-128 or 3DES. Since 3DES has a 64-bit block size and is exposed to birthday attacks on long-lived sessions (Sweet32), using 3DES is no longer recommended; prefer AES.

Why I recommend L2TP/IPSec

Unlike PPTP and SSTP, L2TP/IPsec provides machine authentication at the IPsec layer and user-level authentication at the PPP layer. It supports either computer certificates or a pre-shared key as the authentication method for IPsec. Bear in mind that with a pre-shared key the “machine” authentication is only as strong as the secrecy of one key that every client knows; certificates avoid that. L2TP/IPsec provides data confidentiality, data integrity, and data authentication.

Furthermore, L2TP/IPSec supports strong encryption (AES-256). It checks data integrity and encapsulates the data twice. It is not the fastest VPN solution because of the double encapsulation overhead, but on modern hardware you will hardly notice it.

Next we’ll dive right into the configuration part.

Network Topology

A simple network is composed of a Corp LAN and a Cisco ASA acting as Internet gateway and firewall. Remote VPN users connect to the Corp LAN over L2TP/IPSec VPN. An address pool is reserved on the ASA for VPN users. We’ll also implement “split tunneling” so that regular Internet traffic is not sent through the tunnel. For simplicity, VPN user authentication is done locally on the ASA. You can instead configure RADIUS authentication against Active Directory; that is outside the scope of this article.

  • Corp LAN: 172.30.30.0/24
  • Address pool for VPN users: 192.168.199.129 – 254 (/25)

[Figure: L2TP/IPSec VPN network topology on Cisco ASA]


Configuring L2TP over IPSec VPN on Cisco ASA: Configuration Example

In this section, a step-by-step configuration tutorial is provided for both pre-8.3 and post-8.3 code. (Strictly speaking, the NAT syntax changed in 8.3 and the IKEv1 crypto keywords in 8.4; both are grouped under “post-8.3” here.)

Step 1: Configure an address pool for VPN users

This address pool must not overlap with your existing networks. It is not a good idea to carve VPN addresses out of your existing LAN subnet: if VPN users sit on the same subnet, they look like local hosts and you cannot easily apply separate controls to them. For better security and easier traffic control, I put VPN users on their own subnet, in a range that can be expressed with a subnet mask, for example 192.168.199.129 – 254 (/25, subnet mask 255.255.255.128). The benefit is that route summarization and ACLs can then refer to this range cleanly. Note that despite the “DHCP” label, this is an ip local pool: the ASA hands addresses out of it during PPP negotiation.

ip local pool VPNPOOL 192.168.199.129-192.168.199.254 mask 255.255.255.128

Step 2: Create group-policy and tunnel-group

Note that I use all capital letters for the names being referenced in the commands. They are just names; you can call them anything that makes sense in your environment.

group-policy SSLGROUPPOLICY internal
group-policy SSLGROUPPOLICY attributes
!--- can be your internal DNS servers or public DNS servers
dns-server value 4.2.2.2
!--- specifying the protocol being used
vpn-tunnel-protocol l2tp-ipsec
default-domain value speaknetworks.com
intercept-dhcp enable
!

Next we define a tunnel group for the tunnel. You MUST use the default group named “DefaultRAGroup”: L2TP/IPSec clients authenticating with a pre-shared key send no group name, so the ASA can only match them to the default remote-access group (the one exception is certificate-based authentication, where a certificate map can select another group). In the PPP attributes, MS-CHAPv2 is what current Windows, macOS and iOS clients use; CHAP and MS-CHAPv1 are weaker and only need to stay enabled if a legacy client requires them.

tunnel-group DefaultRAGroup general-attributes
!--- VPN users are assigned an IP from the pool
address-pool VPNPOOL
!--- references the group-policy defined earlier
default-group-policy SSLGROUPPOLICY
!--- local user authentication
authentication-server-group LOCAL
!
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2

! Pre-8.3 code
tunnel-group DefaultRAGroup ipsec-attributes
!--- the group pre-shared key, shared by every L2TP client; make it long and random
pre-shared-key MyVPNPassWord#@
!
! Post-8.3 code
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key MyVPNPassWord#@

Step 3: Configure VPN Phase 1 and Phase 2

You’ll notice that I didn’t follow the logical order of configuring Phase 1 and then Phase 2. The ASA CLI requires an object to exist before another command can reference it, so I arranged the configuration in the actual workflow order: define a parameter, reference it in a modular configuration, then apply that module to the global configuration.

First define the transform-set used in Phase 2. In this example, we use 3DES encryption and SHA hashing, as in the original setup; given the 3DES caveat above, use esp-aes-256 esp-sha-hmac instead wherever your clients support it (current Windows, macOS and iOS clients do). The transform-set must be in transport mode instead of tunnel mode (the default), because L2TP/IPSec clients only propose transport mode.

! Pre-8.3 code
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA mode transport
! Post-8.3 code
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport

Next we prepare the Phase 2 configuration. We configure a “dynamic-map” that uses the transform-set defined above (dynamic because remote users come from unknown source addresses), then create a crypto map referencing the dynamic-map and apply it to the outside interface of the ASA, the Internet-facing interface where VPN users come in. The numbers 10 and 20 are arbitrary sequence numbers that differentiate one crypto map entry / VPN tunnel from another; you can terminate multiple VPN tunnels on a single ASA.

! Pre-8.3 code
crypto dynamic-map L2TP-MAP 10 set transform-set ESP-3DES-SHA
crypto map L2TPVPN 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TPVPN interface outside
! Post-8.3 code
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto map L2TPVPN 20 ipsec-isakmp dynamic L2TP-MAP
crypto map L2TPVPN interface outside

Phase 1 configuration comes next. We create a Phase 1 policy that uses a pre-shared key for authentication, 3DES for encryption, SHA for hashing and Diffie-Hellman group 2 for key exchange. The number 10 is a sequence number; the ASA evaluates policies in ascending order, so give a policy a smaller number if you want it tried first. Group 2 (1024-bit MODP) is below current recommendations: prefer group 14 (2048-bit) and aes-256 where your clients support them (Windows clients offer them only with the NegotiateDH2048_AES256 registry value set under HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters). Finally we enable IKE on the outside interface.

! Pre-8.3 code
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto isakmp enable outside

! Post-8.3 code
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
crypto ikev1 enable outside

Step 4: Split-Tunneling configuration

By default, all traffic is sent through the VPN tunnel once a client is connected. Even though full tunneling is the most secure way to manage VPN users (e.g. it keeps them behind your web content filtering), in many cases people prefer splitting Internet traffic off the VPN tunnel to save Internet bandwidth on the VPN headend, such as the Corp network. The trade-off is that a split-tunneled client is attached to the Internet and the Corp LAN at the same time.

! Configure a standard ACL to cover Corp LAN
access-list Split-Tunnel-ACL standard permit 172.30.30.0 255.255.255.0

Configure NAT exemption between the Corp LAN and the VPN users, so that traffic between them is not caught by the dynamic PAT rule used for Internet traffic:

! Pre-8.3 code
access-list nonat extended permit ip 172.30.30.0 255.255.255.0 192.168.199.0 255.255.255.0
nat (inside) 0 access-list nonat
! Post-8.3 code
object network Corp-Subnet
subnet 172.30.30.0 255.255.255.0
!
object network L2TP-Subnet
subnet 192.168.199.128 255.255.255.128
!
nat (inside,outside) source static Corp-Subnet Corp-Subnet destination static L2TP-Subnet L2TP-Subnet no-proxy-arp route-lookup
! Add Split-Tunneling configuration to the group-policy
group-policy SSLGROUPPOLICY attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Split-Tunnel-ACL

Step 5: Lastly, configure local VPN user accounts on the ASA

Don’t overlook the keyword “mschap” at the end when creating user accounts on the ASA. Without it, users will not be able to connect to the VPN. The mschap keyword stores the password as an NT hash (unsalted MD4), which is what MS-CHAPv2 needs; that makes the running configuration sensitive, so protect your config backups and use strong passwords (PASS123 is only a placeholder).

username vpnuser password PASS123 mschap
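Because the five steps above have to fit together exactly, here is an added example of mine (not the article’s own code and not from Cisco) that audits “show running-config” text for the pitfalls in this tutorial: a pool that overlaps the Corp LAN, an L2TP group-policy attached to a tunnel-group other than DefaultRAGroup, a transform-set that is not in transport mode, a missing NAT exemption, a user without an mschap password, and the weak-crypto choices (3DES, DH group 2, CHAP/MS-CHAPv1/PAP). SAMPLE_CONFIG is constructed from this article’s snippets with those mistakes left in on purpose; the finding messages and the corp-LAN argument are my own.

```python
"""Audit ASA running-config text for the L2TP/IPSec pitfalls in Steps 1-5.

Added example, not the article's own code and not from Cisco. It reads `show
running-config` output (sub-commands indented by one space, as the ASA prints
them). SAMPLE_CONFIG is constructed from this article's snippets with several
wrong or weak choices left in on purpose so the checker has something to find.
"""
import ipaddress
import re

# Weak or unnecessary settings, matched against each stripped line.
WEAK_SETTINGS = [
    (r"\besp-3des\b", "3DES transform-set (64-bit block, Sweet32); prefer esp-aes-256"),
    (r"^encryption 3des\b", "3DES in the IKE policy; prefer aes-256"),
    (r"^group [12]\b", "DH group 1/2 in the IKE policy; prefer group 14 or higher"),
    (r"^hash md5\b", "MD5 in the IKE policy; prefer sha"),
    (r"^authentication pap\b", "PAP enabled on PPP; disable it"),
    (r"^authentication chap\b", "CHAP enabled on PPP; current clients only need ms-chap-v2"),
    (r"^authentication ms-chap-v1\b", "MS-CHAPv1 enabled on PPP; current clients only need ms-chap-v2"),
]

SAMPLE_CONFIG = """\
ip local pool VPNPOOL 172.30.30.200-172.30.30.220 mask 255.255.255.0
group-policy SSLGROUPPOLICY internal
group-policy SSLGROUPPOLICY attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group L2TP-USERS general-attributes
 address-pool VPNPOOL
 default-group-policy SSLGROUPPOLICY
tunnel-group L2TP-USERS ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map L2TP-MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto map L2TPVPN 20 ipsec-isakmp dynamic L2TP-MAP
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
username vpnuser password PASS123
"""


def audit(config_text: str, corp_lan: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    corp = ipaddress.ip_network(corp_lan)
    findings, context = [], ""
    l2tp_policies, tg_policies = set(), []
    transport_sets, used_sets = set(), set()
    nat_exempt = False
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped and not line[0].isspace() and not stripped.startswith("!"):
            context = stripped  # new top-level command; indented lines below belong to it
        for pattern, message in WEAK_SETTINGS:
            if re.search(pattern, stripped):
                findings.append(f"{message} (under '{context}')")
        # Step 1: the VPN pool must not overlap the corporate LAN
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", stripped)
        if m and any(ipaddress.ip_address(a) in corp for a in m.group(2, 3)):
            findings.append(f"pool {m.group(1)} overlaps corporate LAN {corp}")
        # Step 2: L2TP group-policies and the tunnel-groups that reference them
        if context.startswith("group-policy") and stripped.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in stripped:
            l2tp_policies.add(context.split()[1])
        m = re.match(r"default-group-policy (\S+)", stripped)
        if m and context.startswith("tunnel-group"):
            tg_policies.append((context.split()[1], m.group(1)))
        # Step 3: the transform-set the dynamic-map uses must be in transport mode
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) mode transport", stripped)
        if m:
            transport_sets.add(m.group(1))
        m = re.match(r"crypto dynamic-map \S+ \d+ set (?:ikev1 )?transform-set (\S+)", stripped)
        if m:
            used_sets.add(m.group(1))
        # Step 4: NAT exemption in either pre-8.3 or post-8.3 syntax
        if re.match(r"nat \(inside\) 0 access-list|nat \(inside,outside\) source static", stripped):
            nat_exempt = True
        # Step 5: local users need an MS-CHAP (nt-encrypted) password
        m = re.match(r"username (\S+) password \S+(.*)", stripped)
        if m and not re.search(r"\b(mschap|nt-encrypted)\b", m.group(2)):
            findings.append(f"user {m.group(1)} has no mschap/nt-encrypted password; L2TP logons will fail")
    for tunnel_group, policy in tg_policies:
        if policy in l2tp_policies and tunnel_group != "DefaultRAGroup":
            findings.append(f"L2TP group-policy {policy} is attached to tunnel-group {tunnel_group}; PSK clients only match DefaultRAGroup")
    for name in sorted(used_sets - transport_sets):
        findings.append(f"transform-set {name} is used by the dynamic-map but is not in transport mode")
    if not nat_exempt:
        findings.append("no NAT exemption between the corporate LAN and the VPN pool (expect %ASA-5-305013 reverse path failures)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "172.30.30.0/24"):
        print("-", finding)
```

Run against a clean config (DefaultRAGroup, mode transport, the NAT exemption, esp-aes-256 / aes-256 / group 14, ms-chap-v2 only and mschap users) the checker returns an empty list; run against the sample it reports all ten problems with the top-level command each one sits under.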

You have completed configuring L2TP over IPSec VPN on Cisco ASA.


Troubleshooting

These are the most common issues that I have seen many people run into, myself included. I thought it a good idea to document them here for your reference.

Issue 1: Authentication failed

You must configure a local username account with “mschap” keyword.

If you didn’t add the mschap keyword when creating the user account, you get the error below in the logs: the session disconnects with an empty Username field, because the ASA only matches accounts whose password is stored in the MS-CHAP (nt-encrypted) form.

Jul 12 2016 11:28:49: %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 67.52.159.6, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 3468, Bytes rcv: 3090, Reason: L2TP initiated

ASA(config)# username vpnuser password PASS123 ?
configure mode commands/options:
encrypted Indicates the <password> entered is encrypted
mschap The password will be converted to unicode and hashed using MD4. User entries must be created this way if they are to be authenticated using MSCHAPv1 or MSCHAPv2
nt-encrypted Indicates the <password> entered has been converted to unicode and hashed using MD4, and can be used for MS-CHAP.
privilege Enter the privilege level for this user

ASA(config)# username vpnuser password PASS123 mschap
ASA(config)# show run | include username
username vpnuser password tVwP2tvXdJ1aoRMBIoF7TA== nt-encrypted 


Issue 2: Tunnel-group issue

You HAVE TO use the default tunnel-group named DefaultRAGroup. If you used any other tunnel-group name, you’ll see these errors in the logs:

Jul 12 2016 11:26:29: %ASA-4-713903: Group = 66.52.19.6, IP = 66.52.19.6, Can’t find a valid tunnel group, aborting…!
Jul 12 2016 11:26:32: %ASA-4-713903: IP = 66.52.19.6, Header invalid, missing SA payload! (next payload = 4)
Jul 12 2016 11:26:35: %ASA-4-713903: IP = 66.52.19.6, Header invalid, missing SA payload! (next payload = 4)

Issue 3: Connected to VPN but unable to access Corp LAN hosts

After the VPN is connected, you find that the ASA inside interface is the only IP you can ping (assuming ICMP is allowed on the ASA), and errors like this show in the logs:

Jul 13 2016 09:51:51: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.199.129 dst inside:172.30.30.30 (type 8, code 0) denied due to NAT reverse path failure

The most common cause of this error is a missing NAT exemption. Make sure you have the “nonat” rule configured on pre-8.3 code, or the “nat (inside,outside) source static” statement on post-8.3 code.

Still having issues? Use packet-tracer to verify the traffic flow, simulating a packet from a VPN client address arriving on the outside interface:

ASA# packet-tracer input outside icmp 192.168.199.100 8 0 172.30.30.30

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.30.30.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_inside in interface outside
access-list outside_access_inside extended permit icmp any any

Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: L2TP-PPP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 1 172.30.30.0 255.255.255.0
match ip inside 172.30.30.0 255.255.255.0 outside any
dynamic translation to pool 1 (76.176.134.86 [Interface PAT])
translate_hits = 623987, untranslate_hits = 96153
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1700646, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

If you do not have “NAT exemption” configured, you’ll get:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 172.30.30.0 255.255.255.0
match ip inside 172.30.30.0 255.255.255.0 outside any
dynamic translation to pool 1 (76.176.134.86 [Interface PAT])
translate_hits = 623719, untranslate_hits = 96134
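The three issues above show up in the logs before anyone looks at the CLI. Here is an added example of mine (not from the article and not a Cisco tool) that classifies ASA syslog lines by message ID and message text, and picks the first DROP phase out of packet-tracer output with a hint for the common causes. The sample syslog lines and packet-tracer text are constructed from the messages shown in this article; the peer addresses, connection IDs and counters are made up.

```python
"""Triage ASA syslog lines and packet-tracer output for the three failures above.

Added example, not part of the article and not a Cisco tool. The sample syslog
lines and packet-tracer text below are constructed from the messages shown in
this article; peer addresses, connection IDs and counters are made up.
"""
import re

SYSLOG_RE = re.compile(r"%ASA-\d-(\d{6}):\s*(.*)")

# (message id, pattern applied to the message text, diagnosis)
RULES = [
    ("113019", re.compile(r"Username = ,.*Reason: L2TP initiated"),
     "Issue 1: PPP authentication matched no user; recreate the account with the mschap keyword"),
    ("713903", re.compile(r"Can.t find a valid tunnel group"),
     "Issue 2: IKE peer matched no tunnel-group; PSK L2TP clients only land on DefaultRAGroup"),
    ("305013", re.compile(r"src outside:(\S+) dst inside:(\S+).*NAT reverse path failure"),
     "Issue 3: NAT exemption missing between the VPN pool and the corporate LAN"),
]

PHASE_RE = re.compile(r"Phase: (\d+)\nType:([^\n]*)\nSubtype:([^\n]*)\nResult: (\w+)")
DROP_HINTS = {
    "NAT": "reverse-path NAT mismatch: add the NAT exemption (nonat / nat (inside,outside) source static)",
    "ACCESS-LIST": "the outside ACL drops the decrypted traffic: permit the VPN pool or keep sysopt connection permit-vpn",
}

# Constructed from the article's log excerpts; 203.0.113.6 is a documentation address.
SAMPLE_SYSLOG = [
    "Jul 12 2016 11:28:49: %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 203.0.113.6, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 3468, Bytes rcv: 3090, Reason: L2TP initiated",
    "Jul 12 2016 11:26:29: %ASA-4-713903: Group = 203.0.113.6, IP = 203.0.113.6, Can't find a valid tunnel group, aborting...!",
    "Jul 13 2016 09:51:51: %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:192.168.199.129 dst inside:172.30.30.30 (type 8, code 0) denied due to NAT reverse path failure",
    "Jul 13 2016 09:52:00: %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.168.199.129/51000 (192.168.199.129/51000) to inside:172.30.30.30/443 (172.30.30.30/443)",
    "Jul 12 2016 11:30:01: %ASA-4-113019: Group = DefaultRAGroup, Username = vpnuser, IP = 203.0.113.6, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:12m:03s, Bytes xmt: 100, Bytes rcv: 200, Reason: User Requested",
]

# Constructed packet-tracer excerpt: the phases that matter, with the NAT rpf-check failing.
SAMPLE_PACKET_TRACER = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.30.30.0 255.255.255.0 inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_inside in interface outside

Phase: 7
Type:
Subtype:
Result: ALLOW
Config:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (inside) 1 172.30.30.0 255.255.255.0
match ip inside 172.30.30.0 255.255.255.0 outside any
"""


def triage_syslog(lines):
    """Return (message_id, diagnosis, captured fields) for each line matching a rule.
    Lines that are not ASA syslog, or that match no rule, are ignored."""
    hits = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.groups()
        for rule_id, pattern, diagnosis in RULES:
            if msg_id != rule_id:
                continue
            pm = pattern.search(text)
            if pm:
                hits.append((msg_id, diagnosis, pm.groups()))
    return hits


def packet_tracer_drop(output):
    """Return (phase, type, subtype, hint) for the first DROP phase, or None if the packet is allowed."""
    for phase, ptype, subtype, result in PHASE_RE.findall(output):
        if result == "DROP":
            ptype = ptype.strip()
            return int(phase), ptype, subtype.strip(), DROP_HINTS.get(ptype, "see the Config: lines under that phase")
    return None


if __name__ == "__main__":
    for msg_id, diagnosis, fields in triage_syslog(SAMPLE_SYSLOG):
        print(msg_id, diagnosis, fields)
    print(packet_tracer_drop(SAMPLE_PACKET_TRACER))
```

The 113019 rule keys on the empty Username field rather than on the message ID alone, because the same ID is logged for every normal disconnect; the 305013 rule captures the source and destination so you can see at once which pool address and which Corp host the missing exemption applies to.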

This concludes the tutorial on configuring L2TP over IPSec VPN on Cisco ASA. I hope you find the information helpful. If you have questions or VPN issues not documented here, please leave a comment below. I’ll be happy to help.