Remote access via VPN client of Microsoft L2TP client and Cisco VPN Client

Unanswered Question
Jul 2nd, 2007

I am trying to configure my PIX 515 so that both clients work with it.

Is it possible to configure both at the same time or not?

As I understand it, there is a difference between the Cisco VPN Client and the Microsoft client in that they use different transform sets (tunnel mode vs. transport mode).

Florian Pressler Wed, 09/12/2007 - 03:53

I currently want to achieve the same (this is why I found this post), but I've found no good way to do it yet.

It's not doable by tunnel-group matching or similar tricks (I think), as the crypto map comes logically before that. You can do matching of different transform sets via the crypto map match address statement, but this is of course not what you want - you want to be able to connect to the ASA via L2TP/IPsec AND IPsec from ANYWHERE.

At least I can give a workaround: you can configure an access-list which permits L2TP traffic and then match the transform set on that.

access-list L2TP extended permit udp any eq 1701 any
crypto dynamic-map DYNMAP 10 match address L2TP
WARNING: access-list has port selectors. This may impact performance.

So in the end the crypto map looks like this:

crypto ipsec transform-set IPSEC-TFSET esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TFSET esp-3des esp-md5-hmac
crypto ipsec transform-set L2TP-TFSET mode transport
crypto dynamic-map DYNMAP 10 match address L2TP
crypto dynamic-map DYNMAP 10 set transform-set L2TP-TFSET
crypto dynamic-map DYNMAP 10 set reverse-route
crypto dynamic-map DYNMAP 20 set transform-set IPSEC-TFSET
crypto dynamic-map DYNMAP 20 set reverse-route
crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside

The downside of this method is presumably bad performance - note the warning. At least it works.
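The workaround above depends on three things staying consistent when the config is later edited: the transport-mode transform set is bound only to a dynamic-map entry that is restricted by the UDP 1701 ACL, that ACL really selects L2TP, and the restricted entry carries a lower sequence number than the catch-all entry (crypto map entries are evaluated lowest sequence first). This is an added example, not code from the post or from Cisco: a small Python lint that reads the poster's config text (embedded here as a constructed sample) and reports any of those three conditions being violated. Names such as parse, lint and SAMPLE_CONFIG are my own.

```python
import re
from collections import defaultdict
# Constructed sample: the workaround config from the post, blank lines removed.
SAMPLE_CONFIG = """
access-list L2TP extended permit udp any eq 1701 any
crypto ipsec transform-set IPSEC-TFSET esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TFSET esp-3des esp-md5-hmac
crypto ipsec transform-set L2TP-TFSET mode transport
crypto dynamic-map DYNMAP 10 match address L2TP
crypto dynamic-map DYNMAP 10 set transform-set L2TP-TFSET
crypto dynamic-map DYNMAP 10 set reverse-route
crypto dynamic-map DYNMAP 20 set transform-set IPSEC-TFSET
crypto dynamic-map DYNMAP 20 set reverse-route
crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside
"""

def parse(config):
    # Collect transport-mode transform sets, dynamic-map entries and ACLs that select UDP 1701.
    transport, l2tp_acls = set(), set()
    entries = defaultdict(dict)  # (map name, seq) -> {"match": acl, "tfset": name}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) extended permit udp .*\beq 1701\b", line):
            l2tp_acls.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", line):
            transport.add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) match address (\S+)$", line):
            entries[(m[1], int(m[2]))]["match"] = m[3]
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (\S+)$", line):
            entries[(m[1], int(m[2]))]["tfset"] = m[3]
    return transport, entries, l2tp_acls

def lint(config):
    """Return findings; an empty list means the layout matches the workaround."""
    transport, entries, l2tp_acls = parse(config)
    findings, by_map = [], defaultdict(list)
    for (name, seq), e in entries.items():
        by_map[name].append((seq, e))
    for name, items in by_map.items():
        for seq, e in items:
            if e.get("tfset") in transport and "match" not in e:
                findings.append(f"{name} {seq}: transport-mode set without match address")
            if "match" in e and e["match"] not in l2tp_acls:
                findings.append(f"{name} {seq}: ACL {e['match']} does not select UDP 1701")
        # Entries are tried lowest sequence first, so the narrow L2TP entry must precede the catch-all.
        matched = [s for s, e in items if "match" in e]
        catchall = [s for s, e in items if "match" not in e]
        if matched and catchall and min(catchall) < max(matched):
            findings.append(f"{name}: catch-all entry {min(catchall)} precedes matched entry {max(matched)}")
    return findings
```

Running lint on a `show running-config` dump after a change is a cheap way to catch the L2TP entry being renumbered behind the catch-all or losing its match address.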
