IPSEC/L2TP and Cisco VPN Client coexistence on ASA?

Aug 23rd, 2007

Does anyone know if it is possible to run an IPSEC/L2TP VPN concurrently with a IPSEC TUNNEL mode VPN for the Cisco VPN client on an ASA?


I have a customer who wants to use IPSEC over L2TP for most clients, but wants to use the Cisco VPN client to support Windows Vista clients. Phase 1 negotiation works fine, but Phase 2 only works for the Transform set with the highest priority. Effectively, this means that either the Windows DUN client or the Cisco VPN Client will negotiate Phase 2 depending on which Transform set is configured with the higher priority.


In the following configuration, Phase 2 for the IPSEC/L2TP VPN (outside_dyn_map 20) establishes, but Phase 2 for the Cisco VPN Client tunnel (outside_dyn_map 30) fails due to no valid SAs.


crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside


If I change the priority of the transform sets, then the opposite occurs.


crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5


Any insight would be appreciated.

Jacob



Florian Pressler Wed, 09/12/2007 - 03:44

In the document you give there is no hint on how to do that.


Regards,

Florian

Florian Pressler Wed, 09/12/2007 - 03:42

I currently want to achieve the same (this is why I found this post), but I've found no good way to do it yet.


It's not doable by tunnel-group matching or similar tricks (I think), as the crypto map comes logically before that. You can do matching of different transform sets via the crypto map match address statement, but this is of course not what you want - you want to be able to connect to the ASA via L2TP/IPSEC AND IPSEC from ANYWHERE.


At least I can give a workaround: you can configure an access-list which permits L2TP traffic and then match the transform set on that.


access-list L2TP extended permit udp any eq 1701 any

crypto dynamic-map DYNMAP 10 match address L2TP

WARNING: access-list has port selectors. This may impact performance.


So in the end the crypto map looks like this:

crypto ipsec transform-set IPSEC-TFSET esp-3des esp-sha-hmac

crypto ipsec transform-set L2TP-TFSET esp-3des esp-md5-hmac

crypto ipsec transform-set L2TP-TFSET mode transport

crypto dynamic-map DYNMAP 10 match address L2TP

crypto dynamic-map DYNMAP 10 set transform-set IPSEC-TFSET L2TP-TFSET

crypto dynamic-map DYNMAP 10 set reverse-route

crypto dynamic-map DYNMAP 20 set transform-set L2TP-TFSET IPSEC-TFSET

crypto dynamic-map DYNMAP 20 set reverse-route

crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP

crypto map MYMAP interface outside


The downside of this method is presumably bad performance - note the warning. At least it works.


Regards,

Florian
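The following is an added illustration, not code from either poster or from Cisco. It models the dynamic crypto-map selection behaviour the two posts describe: entries are walked in ascending sequence order, the first entry whose match address ACL (if any) covers the proposed proxy identities is taken, and only that entry's transform-set list is compared against the peer's Phase 2 proposal. Everything below is a simplification: the ACL is reduced to a single ASA-side UDP port, a proposal is a single cipher/auth/mode triple, and the two client proposals (L2TP_CLIENT, CISCO_CLIENT, CISCO_CLIENT_SHA) are constructed samples, not captures. It reproduces the three outcomes in the thread: Jacob's original ordering, the swapped ordering, and Florian's match-address workaround.

```python
"""Model of ASA dynamic crypto-map entry selection for an IKE Phase 2 proposal.

Added example; an approximation of the behaviour reported in the thread, not
Cisco's implementation. Entry names, transform-set names and the two client
proposals are taken from the posts; the proposal contents are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    name: str
    cipher: str              # e.g. "esp-3des"
    auth: str                # e.g. "esp-md5-hmac"
    mode: str = "tunnel"     # ASA default is tunnel; L2TP needs transport


@dataclass(frozen=True)
class Proposal:
    """One quick-mode proposal from a client (constructed sample)."""
    cipher: str
    auth: str
    mode: str
    asa_port: Optional[int]  # ASA-side proxy identity port; 1701 for L2TP, None = any


@dataclass(frozen=True)
class DynEntry:
    seq: int
    transform_sets: Tuple[TransformSet, ...]
    match_port: Optional[int] = None  # 'match address' ACL reduced to an ASA-side UDP port


def select_entry(entries: List[DynEntry], proposal: Proposal) -> Tuple[Optional[int], Optional[str]]:
    """Return (sequence number, transform-set name) used for the proposal.

    (seq, None) means the entry was selected but offered no transform set the
    peer proposed, i.e. the 'no valid SAs' failure from the original post.
    (None, None) means no entry matched at all.
    """
    for entry in sorted(entries, key=lambda e: e.seq):
        # An entry with a match address ACL only applies if the ACL covers the
        # proxy identities; an entry without one catches every peer.
        if entry.match_port is not None and entry.match_port != proposal.asa_port:
            continue
        for ts in entry.transform_sets:
            if (ts.cipher, ts.auth, ts.mode) == (proposal.cipher, proposal.auth, proposal.mode):
                return entry.seq, ts.name
        # First matching entry wins; later entries are never consulted.
        return entry.seq, None
    return None, None


# Transform sets as named in the two posts
TRANS_ESP_3DES_MD5 = TransformSet("TRANS_ESP_3DES_MD5", "esp-3des", "esp-md5-hmac", "transport")
ESP_3DES_MD5 = TransformSet("ESP-3DES-MD5", "esp-3des", "esp-md5-hmac")
IPSEC_TFSET = TransformSet("IPSEC-TFSET", "esp-3des", "esp-sha-hmac")
L2TP_TFSET = TransformSet("L2TP-TFSET", "esp-3des", "esp-md5-hmac", "transport")

# Constructed client proposals: Windows L2TP/IPsec (transport mode, UDP 1701 on
# the ASA side) and the Cisco VPN Client (tunnel mode, any proxy identity).
L2TP_CLIENT = Proposal("esp-3des", "esp-md5-hmac", "transport", 1701)
CISCO_CLIENT = Proposal("esp-3des", "esp-md5-hmac", "tunnel", None)
CISCO_CLIENT_SHA = Proposal("esp-3des", "esp-sha-hmac", "tunnel", None)

# Jacob's original ordering: L2TP entry first, no ACL on either entry
ORIGINAL = [DynEntry(20, (TRANS_ESP_3DES_MD5,)), DynEntry(30, (ESP_3DES_MD5,))]
# Jacob's swapped ordering: Cisco VPN Client entry first
SWAPPED = [DynEntry(10, (ESP_3DES_MD5,)), DynEntry(20, (TRANS_ESP_3DES_MD5,))]
# Florian's workaround: ACL on entry 10 steers L2TP traffic, entry 20 catches the rest
WORKAROUND = [
    DynEntry(10, (IPSEC_TFSET, L2TP_TFSET), match_port=1701),
    DynEntry(20, (L2TP_TFSET, IPSEC_TFSET)),
]


def outcomes(entries: List[DynEntry], proposals: dict) -> dict:
    """Map a client label to the (seq, transform-set) chosen for it."""
    return {label: select_entry(entries, p) for label, p in proposals.items()}


if __name__ == "__main__":
    both = {"L2TP client": L2TP_CLIENT, "Cisco VPN Client": CISCO_CLIENT}
    print("original  :", outcomes(ORIGINAL, both))
    print("swapped   :", outcomes(SWAPPED, both))
    print("workaround:", outcomes(WORKAROUND, {"L2TP client": L2TP_CLIENT,
                                               "Cisco VPN Client": CISCO_CLIENT_SHA}))
```

Without a match address ACL, the lowest-sequence dynamic-map entry catches every peer, so only its transform-set list is ever compared against the proposal; the ACL on entry 10 in the workaround is what lets transport-mode L2TP proposals and tunnel-mode client proposals land on different entries.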
