IPSEC/L2TP and Cisco VPN Client coexistence on ASA?
Does anyone know if it is possible to run an IPSEC/L2TP VPN concurrently with a IPSEC TUNNEL mode VPN for the Cisco VPN client on an ASA?
I have a customer who wants to use IPSEC over L2TP for most clients, but wants to use the Cisco VPN client to support Windows Vista clients. Phase 1 negotiation works fine, but Phase 2 only works for the Transform set with the highest priority. Effectively, this means that either the Windows DUN client or the Cisco VPN Client will negotiate Phase 2 depending on which Transform set is configured with the higher priority.
In the following configuration, Phase 2 for the IPSEC/L2TP VPN (outside_dyn_map 20) establishes, but Phase 2 for the Cisco VPN Client tunnel (outside_dyn_map 30) fails due to no valid SAs.
Re: IPSEC/L2TP and Cisco VPN Client coexistence on ASA?
I currently want to achieve the same (this is why I found this post), but I've found no good way to do it yet.
It's not doable by tunnel-group-matching or similar tricks (I think), as the crypto-map comes logically before that. You can do matching of different transform-sets via the crypto map match address statement, but this is of course not what you want - you want to be able to connect the ASA via L2TP/IPSEC AND IPSEC from ANYWHERE.
At least I can give a workaround: You can configure an access-list which permits L2TP-traffic and then match the transform set on that.
access-list L2TP extended permit udp any eq 1701 any
crypto dynamic-map DYNMAP 10 match address L2TP
WARNING: access-list has port selectors. This may impact performance.
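The following is an added, illustrative ASA configuration that puts the workaround from the reply above into context; it is not the original poster's configuration. It assumes pre-8.3 ASA syntax (the era of the Vista/DUN discussion), reuses the page's names outside_dyn_map, DYNMAP-style sequencing and the L2TP access-list, and the transform-set names L2TP-TS and VPNCLIENT-TS, the crypto map name outside_map and the cipher choices are assumptions for the example. The point it shows is that the dynamic-map entry carrying the L2TP access-list is evaluated first and can only match UDP/1701 traffic, so the Windows L2TP/IPsec client is pinned to the transport-mode transform set, while everything else falls through to the later entry with the tunnel-mode transform set used by the Cisco VPN Client.

```cisco
! Transport-mode transform set for the Windows L2TP/IPsec (DUN) clients.
! Name and ciphers are assumed for this example.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TS mode transport

! Tunnel-mode transform set for the Cisco VPN Client (default mode is tunnel).
! Name and ciphers are assumed for this example.
crypto ipsec transform-set VPNCLIENT-TS esp-aes esp-sha-hmac

! Access-list from the reply: only L2TP traffic (UDP 1701) matches it.
! The ASA prints "WARNING: access-list has port selectors" when this is
! bound to a crypto map; the warning is informational.
access-list L2TP extended permit udp any eq 1701 any

! Entry 20: evaluated first, but only for traffic matching the L2TP ACL.
! The Windows client therefore negotiates Phase 2 against L2TP-TS.
crypto dynamic-map outside_dyn_map 20 match address L2TP
crypto dynamic-map outside_dyn_map 20 set transform-set L2TP-TS

! Entry 30: no match address, so it is the catch-all for every other
! dynamic peer, i.e. the Cisco VPN Client tunnel-mode SA.
crypto dynamic-map outside_dyn_map 30 set transform-set VPNCLIENT-TS

! Bind the dynamic map as the last entry of the interface crypto map.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
```

With this ordering, the lower sequence number (20) no longer wins for every peer, because its access-list excludes the Cisco VPN Client's proposal; swapping the sequence numbers so that the catch-all entry comes first would recreate the failure the original poster describes, since the catch-all would absorb the L2TP proposal as well. Verify the result per client with `show crypto ipsec sa`, checking that the L2TP peer's SA shows transport mode and UDP/1701 selectors while the VPN Client's SA shows tunnel mode.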