Microsoft l2tp IPSec on top of ASA site to site VPN

echuang
Level 1

I have a specialized casino application that requires end-to-end encryption. I am running the Microsoft l2tp IPSec stack between my XP machine and my Windows 2003 server on the LAN. Can I run the same type of Microsoft l2tp IPSec protocol stack between my XP machine and a branch office Windows 2003 server over an ASA to ASA site-to-site VPN tunnel? The ASA site-to-site VPN is an IPSec Preshare key type VPN that tunnels the traffic between our headquarters and a remote branch office.

In other words, will the ASA site-to-site IPSec VPN allow the encrypted Microsoft l2tp IPSec traffic through? My tunnel ACL would allow full IP access between sites. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0

1 Accepted Solution


Hi,

Yes, the L2TP can be encapsulated in IPSEC like any other traffic.

However, make sure no NAT is performed on either end. L2TP has a header protection that by default will see NAT as packet tampering and will discard it.

Cheers,

Daniel
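An added example, not part of the original thread: a small offline check that the NAT-exemption ACL on each ASA covers the L2TP/IPsec endpoints, so the inner packets cross the site-to-site tunnel untranslated. It assumes the nat_zero ACL from the question is the one each ASA uses for NAT exemption; the Reno-side config, the host addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configs. The Texas lines are the ones quoted in the
# question; the Reno lines are an assumed mirror image for the far-end ASA.
TEXAS_CFG = """\
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet
access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0
"""
RENO_CFG = """\
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet
access-list nat_zero extended permit ip RenoSubnet 255.255.255.0 TexasSubnet 255.255.255.0
"""

def parse_exemptions(config, acl="nat_zero"):
    """Return (src_net, dst_net) pairs from 'permit ip <net> <mask> <net> <mask>'
    entries. Entries using 'host' or 'any' are not handled and are skipped."""
    names, pairs = {}, []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[0] == "name":
            names[tok[2]] = tok[1]  # name <ip> <alias>
        elif tok[:5] == ["access-list", acl, "extended", "permit", "ip"] and len(tok) == 9:
            src, smask, dst, dmask = tok[5:9]
            pairs.append((
                ipaddress.ip_network(f"{names.get(src, src)}/{smask}"),
                ipaddress.ip_network(f"{names.get(dst, dst)}/{dmask}"),
            ))
    return pairs

def exempt(pairs, src, dst):
    """True if a src -> dst flow matches an exemption entry (no NAT applied)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in pairs)

def l2tp_path_untranslated(local_cfg, remote_cfg, client, server):
    """Each ASA must exempt the flow that leaves its own inside network."""
    return (exempt(parse_exemptions(local_cfg), client, server)
            and exempt(parse_exemptions(remote_cfg), server, client))

if __name__ == "__main__":
    # Constructed endpoints: XP client in Texas, Windows 2003 server in Reno.
    print(l2tp_path_untranslated(TEXAS_CFG, RENO_CFG, "192.168.100.10", "192.168.200.20"))
```

If the far-end ASA carries the same ACL un-mirrored, the check fails for the return direction, which is the "either end" condition in the answer above.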


3 Replies

5220
Level 4

Hi,

Yes, it is possible to use the L2TP/IPSEC Microsoft client to connect to the ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Please rate if this helped.

Regards,

Daniel

You misread the issue. I am running a tunnel inside a tunnel. Please re-read.

Thank you.
