Cisco Support Community

Microsoft l2tp IPSec on top of ASA site to site VPN

I have a specialized casino application that requires end-to-end encryption. I am running the Microsoft L2TP/IPSec stack between my XP machine and my Windows 2003 server on the LAN. Can I run the same type of Microsoft L2TP/IPSec protocol stack between my XP machine and a branch office Windows 2003 server over an ASA-to-ASA site-to-site VPN tunnel? The ASA site-to-site VPN is an IPSec pre-shared key type VPN that tunnels the traffic between our headquarters and a remote branch office.

In other words, will the ASA site-to-site IPSec VPN allow the encrypted Microsoft L2TP/IPSec traffic through? My tunnel ACL would allow full IP access between sites. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0

3 REPLIES

Re: Microsoft l2tp IPSec on top of ASA site to site VPN

Hi,

Yes it is possible to use L2TP/IPSEC Microsoft client to connect to the ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Please rate if this helped.

Regards,

Daniel


Re: Microsoft l2tp IPSec on top of ASA site to site VPN

You misread the issue. I am running a tunnel inside a tunnel. Please re-read.

Thank you.

Re: Microsoft l2tp IPSec on top of ASA site to site VPN

Hi,

Yes, the L2TP can be encapsulated in IPSEC like any other traffic.

However, make sure no NAT is performed on either end. L2TP has a header protection that by default will see NAT as packet tampering and will discard it.

Cheers,

Daniel
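
The NAT exemption advised in the reply above, sketched for both ASAs as an added example that was not posted by anyone in the thread. It assumes pre-8.3 ASA NAT syntax, an interface named `inside`, a crypto map named `outside_map`, and hypothetical ACL names `l2l_reno` and `l2l_texas`; only the `name` lines and the `nat_zero` ACL come from the question.

```cisco
! ---- Headquarters ASA (TexasSubnet side) ----
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet

! ACL from the question: traffic between the two sites is exempt from NAT
access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0
! Assumption: inside interface is named "inside" (pre-8.3 syntax)
nat (inside) 0 access-list nat_zero

! Hypothetical ACL selecting the traffic that enters the site-to-site tunnel.
! "permit ip" covers the inner Microsoft L2TP/IPSec packets as well
! (IKE on UDP/500 and ESP, IP protocol 50), so no per-protocol entries are needed.
access-list l2l_reno extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0
! Assumption: existing crypto map "outside_map", sequence 10; its peer,
! transform-set and tunnel-group (pre-shared key) lines stay as they are.
crypto map outside_map 10 match address l2l_reno

! ---- Branch ASA (RenoSubnet side): mirror image ----
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet

access-list nat_zero extended permit ip RenoSubnet 255.255.255.0 TexasSubnet 255.255.255.0
nat (inside) 0 access-list nat_zero

access-list l2l_texas extended permit ip RenoSubnet 255.255.255.0 TexasSubnet 255.255.255.0
crypto map outside_map 10 match address l2l_texas
```

With both ends exempt, the XP client and the Windows 2003 server see each other's real 192.168.x.x addresses, so the inner tunnel's headers arrive unmodified.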
