09-03-2010 07:40 AM - edited 02-21-2020 04:49 PM
I have a strange problem. I have configured the ASA5510 to allow access to l2tp-ipsec clients and Cisco VPN clients to the same network after establishing connectivity. Cisco VPN clients are able to hit the remote servers but l2tp-ipsec clients are not. Both authenticate to the same IAS server.
L2TP commands:
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel
tunnel-group DefaultRAGroup general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
Cisco VPN Client commands:
group-policy DMZ-RA-VPN-GROUP internal
group-policy DMZ-RA-VPN-GROUP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel
tunnel-group DMZ-RA-VPN-GROUP type remote-access
tunnel-group DMZ-RA-VPN-GROUP general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DMZ-RA-VPN-GROUP
tunnel-group DMZ-RA-VPN-GROUP ipsec-attributes
pre-shared-key *****
09-03-2010 08:47 AM
Remove PFS if it is configured for the L2TP transform set, as L2TP does not support PFS.
Make the transform set transport mode for L2TP.
If the above doesn't work, then try the following too:
Use AES in phase 1 and phase 2 instead of 3DES.
09-03-2010 08:49 AM
Forgot to mention one more thing:
Also please paste your IP pool for L2TP clients and your NAT statement; make sure that you have your NAT exempt right.
If possible, paste your config.
09-03-2010 09:15 AM
Both share the same ACL and it is exempt... below is the relevant config:
object-group network DMZ
network-object 192.168.24.0 255.255.254.0
object-group network RAS_Users
network-object 172.16.10.0 255.255.255.0
access-list RAVPN_Split_Tunnel standard permit 192.168.24.0 255.255.254.0
access-list nonat-traffic extended permit ip object-group DMZ object-group RAS_Users
ip local pool CARTVPN 172.16.10.1-172.16.10.254
nat (inside) 0 access-list nonat-traffic
crypto ipsec transform-set NJ1 esp-3des esp-md5-hmac
crypto ipsec transform-set CART-PPTP esp-3des esp-sha-hmac
crypto ipsec transform-set CART-PPTP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set transform-set CART-PPTP NJ1
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
09-08-2010 06:05 AM
Manually adding a static route to the workstation (pptp vpn client) allows the user access to the remote LAN. I don't have to do this with the Cisco VPN Client.
09-08-2010 07:10 AM
What you need is the crypto dynamic-map set reverse-route command.
Try putting that in:
crypto dynamic-map dynmap 20 set reverse-route
09-08-2010 07:59 AM
No luck. Below you will find the sh crypto isakmp sa and the sh vpn-sessiondb detail remote output. As noted earlier, Cisco VPN Clients are just fine. The problem seems to only be with L2TP clients.
sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 63.x.x.x
Type : user Role : responder
Rekey : no State : MM_ACTIVE
sh vpn-sessiondb det remote
Session Type: IPsec Detailed
Username : ciscovpntest Index : 273
Assigned IP : 172.16.10.1 Public IP : 63.x.x.x
Protocol : IKE IPsecOverNatT L2TPOverIPsecOverNatT
License : IPsec
Encryption : 3DES Hashing : MD5 SHA1
Bytes Tx : 2519 Bytes Rx : 9410
Pkts Tx : 49 Pkts Rx : 92
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : DefaultRAGroup Tunnel Group : DefaultRAGroup
Login Time : 10:25:40 EDT Wed Sep 8 2010
Duration : 0h:28m:54s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
L2TPOverIPsecOverNatT Tunnels: 1
IKE:
Tunnel ID : 273.1
UDP Src Port : 43484 UDP Dst Port : 4500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : MD5
Rekey Int (T): 28800 Seconds Rekey Left(T): 27066 Seconds
D/H Group : 2
Filter Name :
IPsecOverNatT:
Tunnel ID : 273.2
Local Addr : 208.x.x.x/255.255.255.255/17/1701
Remote Addr : 63.x.x.x/255.255.255.255/17/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Transport
Rekey Int (T): 3600 Seconds Rekey Left(T): 1862 Seconds
Rekey Int (D): 250000 K-Bytes Rekey Left(D): 249991 K-Bytes
Idle Time Out: 1440 Minutes Idle TO Left : 1439 Minutes
Bytes Tx : 2519 Bytes Rx : 9410
Pkts Tx : 49 Pkts Rx : 92
L2TPOverIPsecOverNatT:
Tunnel ID : 273.3
Username : ciscovpntest
Assigned IP : 172.16.10.1 Public IP : 63.x.x.x
Encryption : none Auth Mode : msCHAPV2
Idle Time Out: 1440 Minutes Idle TO Left : 1435 Minutes
Client OS : Microsoft
Client OS Ver: 5.0
Bytes Tx : 422 Bytes Rx : 6104
Pkts Tx : 16 Pkts Rx : 56
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 1740 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
09-08-2010 08:33 AM
I can see the packets sent and received. Please paste the output of sh cry ips sa peer 63.x just to confirm this behaviour.
Also, since you are saying that adding static routes on the client fixes the issue, please paste route print from a cmd prompt on the client after connecting.
09-08-2010 09:18 AM
09-08-2010 09:38 AM
A) You don't have a tunnelspecified statement in the L2TP group, so the ASA may not push those routes.
B) L2TP clients will need a dhcp-intercept statement to do that as well.
C) It won't work anyway on Vista or Win7, since Microsoft discontinued supporting pushing routes that way after XP.
The only way to get split tunneling working with a native L2TP client on Vista or Win7 is to have your
pool in the same classful range as the network the hosts which they are trying to reach.
Some details on this mess are here:
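The two pitfalls raised in this thread (the transform set for L2TP must be transport mode with no PFS, and a native Windows L2TP client only routes the classful network of its assigned address through the tunnel, so the pool and the split-tunnel networks must share a classful range) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the config lines posted above (reproduced inline) plus a constructed re-addressed variant, and reports the findings. The classful rule it encodes is the one stated in the reply above; the finding text and the function names are mine.

```python
"""Lint ASA remote-access config for L2TP/IPsec pitfalls (added example)."""
import ipaddress
import re

# The thread's posted snippet, reproduced inline so the script runs offline.
ASA_CONFIG = """\
ip local pool CARTVPN 172.16.10.1-172.16.10.254
access-list RAVPN_Split_Tunnel standard permit 192.168.24.0 255.255.254.0
crypto ipsec transform-set NJ1 esp-3des esp-md5-hmac
crypto ipsec transform-set CART-PPTP esp-3des esp-sha-hmac
crypto ipsec transform-set CART-PPTP mode transport
crypto dynamic-map dynmap 20 set transform-set CART-PPTP NJ1
"""

# Constructed variant: pool re-addressed into the same class C as the
# split network, as the reply above suggests (addresses are hypothetical).
FIXED_CONFIG = """\
ip local pool CARTVPN 192.168.24.200-192.168.24.250
access-list RAVPN_Split_Tunnel standard permit 192.168.24.0 255.255.255.0
crypto ipsec transform-set CART-PPTP esp-3des esp-sha-hmac
crypto ipsec transform-set CART-PPTP mode transport
crypto dynamic-map dynmap 20 set transform-set CART-PPTP
"""


def classful_network(addr):
    """Classful (A/B/C) network containing addr. A native Windows L2TP
    client installs a route for only this network through the tunnel."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False)


def parse_config(cfg):
    """Pull out pools, split-tunnel networks, transform-set modes and
    dynamic-map entries from ASA running-config text."""
    pools, split_nets, ts_mode, dynmaps = {}, [], {}, {}
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-", line)
        if m:
            pools[m.group(1)] = m.group(2)      # first address of the pool
            continue
        m = re.match(r"access-list (\S+) standard permit (\S+) (\S+)$", line)
        if m:
            split_nets.append(ipaddress.ip_network(
                "%s/%s" % (m.group(2), m.group(3)), strict=False))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) mode (\S+)$", line)
        if m:
            ts_mode[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) esp-", line)
        if m:
            ts_mode.setdefault(m.group(1), "tunnel")  # ASA default is tunnel
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set (.*)$", line)
        if m:
            entry = dynmaps.setdefault((m.group(1), m.group(2)),
                                       {"ts": [], "pfs": False})
            rest = m.group(3)
            if rest.startswith("transform-set"):
                entry["ts"] = rest.split()[1:]
            elif rest.startswith("pfs"):
                entry["pfs"] = True
    return {"pools": pools, "split_nets": split_nets,
            "ts_mode": ts_mode, "dynmaps": dynmaps}


def lint(cfg):
    """Return a list of human-readable findings (empty means clean)."""
    c = parse_config(cfg)
    findings = []
    for (name, seq), entry in c["dynmaps"].items():
        if entry["pfs"]:
            findings.append("dynamic-map %s %s: PFS set; the Windows L2TP/IPsec "
                            "client does not negotiate PFS" % (name, seq))
        if not any(c["ts_mode"].get(ts) == "transport" for ts in entry["ts"]):
            findings.append("dynamic-map %s %s: no transport-mode transform "
                            "set; L2TP/IPsec needs one" % (name, seq))
    for pool_name, first_ip in c["pools"].items():
        pool_class = classful_network(first_ip)
        for net in c["split_nets"]:
            if not net.subnet_of(pool_class):
                findings.append(
                    "pool %s (classful %s) and split network %s are in different "
                    "classful networks; a native Windows L2TP client will not "
                    "route %s via the tunnel without a manual route"
                    % (pool_name, pool_class, net, net))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", ASA_CONFIG), ("re-addressed", FIXED_CONFIG)):
        print(label + ":", lint(cfg) or "no findings")
```

On the posted config the only finding is the classful mismatch (172.16.10.0/24 pool versus 192.168.24.0/23 DMZ), which matches the symptom reported above: the tunnel comes up and passes L2TP packets, but the client has no route to the DMZ until one is added by hand. Note that a /23 split network spans two class C networks, so even a pool inside 192.168.25.0/24 would leave the 192.168.24.0/24 half unreachable for such a client; the check above flags that case too.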
09-08-2010 10:03 AM
Hi,
Thanks for the reply.
a) I do have tunnelspecified in the default policy group:
L2TP commands:
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel
I actually thought of putting the pool in the same subnet but was reluctant to do so till I figure this thing out.
09-08-2010 10:35 AM
Sorry I read that config too fast... but still, try adding dhcp-intercept and test with an XP client.