Cisco Support Community
IPSEC/L2TP and Cisco VPN Client coexistence on ASA?

Does anyone know if it is possible to run an IPSEC/L2TP VPN concurrently with a IPSEC TUNNEL mode VPN for the Cisco VPN client on an ASA?

I have a customer who wants to use IPSEC over L2TP for most clients, but wants to use the Cisco VPN client to support Windows Vista clients. Phase 1 negotiation works fine, but Phase 2 only works for the Transform set with the highest priority. Effectively, this means that either the Windows DUN client or the Cisco VPN Client will negotiate Phase 2 depending on which Transform set is configured with the higher priority.

In the following configuration, Phase 2 for the IPSEC/L2TP VPN (outside_dyn_map 20) establishes, but Phase 2 for the Cisco VPN Client tunnel (outside_dyn_map 30) fails due to no valid SAs.

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

If I change the priority of the transform sets, then the opposite occurs.

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5

Any insight would be appreciated.

Jacob


Re: IPSEC/L2TP and Cisco VPN Client coexistence on ASA?

It is possible to configure IPSEC/L2TP with IPSEC Tunnel.

http://cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdml2tp.html


Re: IPSEC/L2TP and Cisco VPN Client coexistence on ASA?

In the document you give there is no hint on how to do that.

Regards,

Florian


Re: IPSEC/L2TP and Cisco VPN Client coexistence on ASA?

I currently want to achieve the same (this is why I found this post), but I've found no good way to do it yet.

It's not doable by tunnel-group matching or similar tricks (I think), as the crypto map comes logically before that. You can do matching of different transform sets via the crypto map match address statement, but this is of course not what you want - you want to be able to connect to the ASA via L2TP/IPSEC AND IPSEC from ANYWHERE.

At least I can give a workaround: You can configure an access-list which permits L2TP-traffic and then match the transform set on that.

access-list L2TP extended permit udp any eq 1701 any
crypto dynamic-map DYNMAP 10 match address L2TP
WARNING: access-list has port selectors. This may impact performance.

So in the end the crypto map looks like this:

crypto ipsec transform-set IPSEC-TFSET esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TFSET esp-3des esp-md5-hmac
crypto ipsec transform-set L2TP-TFSET mode transport
crypto dynamic-map DYNMAP 10 match address L2TP
crypto dynamic-map DYNMAP 10 set transform-set IPSEC-TFSET L2TP-TFSET
crypto dynamic-map DYNMAP 10 set reverse-route
crypto dynamic-map DYNMAP 20 set transform-set L2TP-TFSET IPSEC-TFSET
crypto dynamic-map DYNMAP 20 set reverse-route
crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP
crypto map MYMAP interface outside

The downside of this method is presumably bad performance - note the warning. At least it works.

Regards,

Florian


Re: IPSEC/L2TP and Cisco VPN Client coexistence on ASA?

You can specify both tunnel and transport mode IPSEC transform-sets in a single dynamic-map sequence.
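As an added example, not from the original thread and not from Cisco's documentation, this is what the last reply's suggestion looks like as a complete ASA crypto configuration: the transport-mode transform set for L2TP/IPsec and the tunnel-mode set for the Cisco VPN Client are listed in ONE dynamic-map sequence, so the ASA checks the peer's Phase 2 proposal against both sets instead of only the set in the first matching sequence, and no port-selector access list is needed. It also shows the two tunnel-groups each client type lands on, which is what makes the two client types coexist. All names (DYNMAP, OUTSIDE_MAP, VPN-POOL, L2TP-GP, CLIENT-GP, CISCO-CLIENT), the address pool and the key placeholders are assumptions; the syntax is the ASA 7.2/8.0 CLI this thread is about (`tunnel-group ... type ipsec-ra` is the 7.x form, later releases use `type remote-access`) and should be checked against the release in use.

```cisco
! Added example (not from the thread). Names, pool and keys are assumed.
! Phase 1: one ISAKMP policy serves both the Windows L2TP/IPsec client
! and the Cisco VPN Client.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

! Phase 2: tunnel-mode set for the Cisco VPN Client, transport-mode set
! for L2TP/IPsec. Both sets sit in a single dynamic-map entry.
crypto ipsec transform-set CLIENT-TUNNEL esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TRANSPORT esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TRANSPORT mode transport
crypto dynamic-map DYNMAP 10 set transform-set CLIENT-TUNNEL L2TP-TRANSPORT
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

ip local pool VPN-POOL 192.0.2.100-192.0.2.199 mask 255.255.255.0

! Windows L2TP/IPsec clients send no group name, so they land on
! DefaultRAGroup; its group policy must permit l2tp-ipsec.
group-policy L2TP-GP internal
group-policy L2TP-GP attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL
 default-group-policy L2TP-GP
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <l2tp-psk>
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

! Cisco VPN Client users select a named group, so they get their own
! tunnel-group and a separate pre-shared key.
group-policy CLIENT-GP internal
group-policy CLIENT-GP attributes
 vpn-tunnel-protocol ipsec
tunnel-group CISCO-CLIENT type ipsec-ra
tunnel-group CISCO-CLIENT general-attributes
 address-pool VPN-POOL
 default-group-policy CLIENT-GP
tunnel-group CISCO-CLIENT ipsec-attributes
 pre-shared-key <client-psk>
```

To confirm both client types negotiate Phase 2, connect one of each and check `show crypto ipsec sa`: the L2TP client's SA should show Transport mode and the Cisco VPN Client's SA Tunnel mode, each with a transform from the same dynamic-map sequence. Two caveats worth keeping in mind: the DefaultRAGroup pre-shared key is shared by every Windows L2TP/IPsec user, so it protects nothing once one laptop is lost, which is why a certificate-based L2TP/IPsec setup is preferable where the client base allows it; and 3DES/SHA is used here only because it is what the Vista-era clients in the thread negotiate, so prefer AES and a stronger DH group where the clients support them.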
