Microsoft l2tp IPSec on top of ASA site to site VPN

Answered Question
Jul 28th, 2008

I have a specialized casino application that requires end-to-end encryption. I am running the Microsoft l2tp IPSec stack between my XP machine and my Windows 2003 server on the LAN. Can I run the same type of Microsoft l2tp IPSec protocol stack between my XP machine and a branch office Windows 2003 server over an ASA to ASA site-to-site VPN tunnel? The ASA site-to-site VPN is an IPSec Preshare key type VPN that tunnels the traffic between our headquarters and a remote branch office.


In other words, will the ASA site-to-site IPSec VPN allow the encrypted Microsoft l2tp IPSec traffic through? My tunnel ACL would allow full IP access between sites. Something like:


name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet
access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0


Overall Rating: 5 (1 ratings)
echuang Wed, 07/30/2008 - 07:12

You misread the issue. I am running a tunnel inside a tunnel. Please re-read.


Thank you.

Correct Answer
Daniel Voicu Thu, 07/31/2008 - 03:28

Hi,


Yes, the L2TP can be encapsulated in IPSEC like any other traffic.


However, make sure no NAT is performed on either end. L2TP has a header protection that by default will see NAT as packet tampering and will discard it.


Cheers,

Daniel
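
Added example, not part of the original thread: one concrete reason address translation between the two hosts looks like tampering to the inner session, assuming the Microsoft stack carries L2TP (UDP 1701) inside ESP transport mode. The UDP checksum covers the IP addresses, and because the datagram is encrypted a NAT device cannot patch it; the host addresses and the translated address below are constructed.

```python
import ipaddress
import struct

L2TP_PORT = 1701                # UDP port used by L2TP
XP_CLIENT = "192.168.100.10"    # constructed host in TexasSubnet
W2K3_SERVER = "192.168.200.20"  # constructed host in RenoSubnet
NAT_ADDRESS = "203.0.113.5"     # constructed translated source address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the UDP checksum (RFC 768)."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 17, udp_len))


def build_udp(src: str, dst: str, payload: bytes) -> bytes:
    """Sender side: UDP datagram on the L2TP port with a valid checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, length, 0)
    csum = 0xFFFF - ones_complement_sum(pseudo_header(src, dst, length) + header + payload)
    return struct.pack("!HHHH", L2TP_PORT, L2TP_PORT, length, csum or 0xFFFF) + payload


def udp_checksum_ok(src: str, dst: str, datagram: bytes) -> bool:
    """Receiver side: verify using the addresses in the arriving IP header."""
    return ones_complement_sum(pseudo_header(src, dst, len(datagram)) + datagram) == 0xFFFF


def demo():
    # In ESP transport mode this datagram travels encrypted, so a translating
    # device in the path cannot rewrite the checksum the way it does for
    # cleartext UDP. The server checks it after decryption.
    datagram = build_udp(XP_CLIENT, W2K3_SERVER, b"constructed L2TP payload")
    untouched = udp_checksum_ok(XP_CLIENT, W2K3_SERVER, datagram)
    translated = udp_checksum_ok(NAT_ADDRESS, W2K3_SERVER, datagram)
    return untouched, translated


if __name__ == "__main__":
    print(demo())
```

With the nat_zero exemption in place the server sees the original source address and the first check applies; if the source is translated, the second applies and the packet is dropped.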
