ASA 5510 RA VPN with Tunnel Group Switching

Unanswered Question
Jan 21st, 2010

Hi all

I read this document on configuring MS L2TP VPN with ASA firewall using ASDM. At the halfway mark, there are comments on how to configure Tunnel Group Switching (TGS). I have followed the procedure but simply could not connect my MS VPN connection. Can someone point me to another document that shows how TGS is configured in more detail? What I'd like to do is to:

- use the delimiter '#' as username#tunnelgroupname

- use Preshared key for the tunnel group

- authenticate user using LOCAL

- assign IP address in different IP pools (which will be associated to the tunnel group)

Thanks in advance for your inputs

vincent-n Mon, 01/25/2010 - 16:59

More information on what it is that I'm trying to achieve and found.

Objective: Allow multiple MS L2TP connections from multiple users. The users are programmed to obtain different IP addresses from different IP Pools so that ACL can be applied appropriately. Users are configured in LOCAL database on the ASA firewall.

Found: MS L2TP connections will always use the default group policy (GP) DfltGrpPolicy on the firewall, which will accept L2TP, IPsec and WebVPN. This GP will then use the default connection profile DefaultRAGroup.

Also found that you can associate IP Pool to a connection profile (CP). You can potentially create multiple CP that associate to the appropriate IP Pool.

Also found that you can associate a user's attribute to lock in a GP and a CP.

Work: Went through the VPN Wizard and created an L2TP CP and GP accepting L2TP clients. The system created an additional GP named DefaultRAGroup. During the creation of this VPN connection, I had to associate the connection with an IP Pool (IP1) that was created previously.

Test: No problem with L2TP connection to the firewall.

Work: Created a new CP (named CP#2) and associated this CP with a new IP Pool (IP2). Created a second LOCAL user and locked the GP as DfltGrpPolicy and also locked CP#2. Also cleared the IP Pool (IP1) associated with DefaultRAGroup.

Test: Connecting in, the firewall will pass VPN Phase 1 and Phase 2 but will error stating "IPAA: Error freeing IP address". Also tried connecting in using the first (original) L2TP setting and received the same error message.

Conclusion: Since Phase 1 and Phase 2 are completed, the problem now is with assigning an IP address to the client.

I looked into the Reference Guide but cannot find any user attribute that can lock in an IP Pool.

Has anyone successfully created L2TP connections for multiple users with multiple IP Pools using LOCAL database?

vincent-n Sun, 01/31/2010 - 03:40

OK, I found my own solution and thought that I'll share the knowledge with others.

The only way I found to get this working was to wipe the VPN config and start again.

1. First, make sure that you'll get your MS L2TP clients working. I only needed to modify a few settings in the 'Connection Profile' (Tunnel Policy) and the Group Profile (Tunnel Group). The TP used is the DefaultRAGroup and the TG is the DfltGrpPolicy. At this point, you might have to create a temp local IP Pool and associate it with the TP so the client can connect. Otherwise the firewall will spit out the error message 'IPAA: Error freeing address'.

2. Create your LOCAL users on the ASA. Make sure that the 'Dedicated IP Address' field is filled out with the client's static IP address and the subnet mask.

3. Enable the command 'vpn-addr-assign aaa' at global config

4. Unassociate the IP Pool from the TP mentioned in step 1

5. Test the connection.
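The five steps above, written out as one CLI configuration. This is an added example and not the poster's own configuration (which was built in ASDM): the interface name "outside", the user names, passwords, addresses, the pool name TEMP-POOL and the pre-shared key placeholder are all assumptions, and the syntax is ASA 8.x. The ASDM "Dedicated IP Address" field corresponds to the `vpn-framed-ip-address` user attribute on the CLI.

```cisco
! Added example, not from the original post. Interface, names, addresses
! and the PSK are placeholders; adjust to your environment.

! IKE phase 1 and IPsec phase 2 for Windows L2TP/IPsec clients
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
! L2TP/IPsec needs a transport-mode transform set
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TS mode transport
crypto dynamic-map DYN-MAP 10 set transform-set L2TP-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Step 1: every MS L2TP client lands in DefaultRAGroup / DfltGrpPolicy,
! so that is the pair that has to accept L2TP and authenticate against LOCAL
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
 default-group-policy DfltGrpPolicy
 address-pool TEMP-POOL
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <your-PSK-here>
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

! Step 2: LOCAL users, each with a dedicated address and mask.
! The "mschap" keyword stores the password so MS-CHAPv2 can verify it.
! Putting users in different subnets is what lets interface ACLs
! treat them differently, without a per-user address pool.
username alice password S3cretA mschap
username alice attributes
 vpn-framed-ip-address 192.168.101.10 255.255.255.0
username bob password S3cretB mschap
username bob attributes
 vpn-framed-ip-address 192.168.102.10 255.255.255.0

! Step 3: hand out client addresses from the AAA (here LOCAL) user record
! rather than from a local pool
vpn-addr-assign aaa
no vpn-addr-assign local

! Step 4: drop the temporary pool from the connection profile
tunnel-group DefaultRAGroup general-attributes
 no address-pool TEMP-POOL
```

Step 5 is the actual client test; on the ASA, `show vpn-sessiondb remote` should then list each user with the address from their `vpn-framed-ip-address` line, and `debug crypto isakmp` will show whether a failure is in phase 1/2 or, as in the thread, in address assignment after the tunnel is up. Note that with `no vpn-addr-assign local` in place, any LOCAL user without a `vpn-framed-ip-address` has no address source left and will fail at the same IPAA step.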


