Microsoft l2tp IPSec on top of ASA site to site VPN

echuang
Level 1

I have a specialized casino application that requires end-to-end encryption. I am running the Microsoft l2tp IPSec stack between my XP machine and my Windows 2003 server on the LAN. Can I run the same type of Microsoft l2tp IPSec protocol stack between my XP machine and a branch office Windows 2003 server over an ASA to ASA site-to-site VPN tunnel? The ASA site-to-site VPN is an IPSec Preshare key type VPN that tunnels the traffic between our headquarters and a remote branch office.

In other words, will the ASA site-to-site IPSec VPN allow the encrypted Microsoft l2tp IPSec traffic through? My tunnel ACL would allow full IP access between sites. Something like:

name 192.168.100.0 TexasSubnet

name 192.168.200.0 RenoSubnet

access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0

3 Replies

5220
Level 4

Hi,

Yes it is possible to use L2TP/IPSEC Microsoft client to connect to the ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Please rate if this helped.

Regards,

Daniel

You misread the issue. I am running a tunnel inside a tunnel. Please re-read.

Thank you.

Hi,

Yes, the L2TP can be encapsulated in IPSEC like any other traffic.

However, make sure no NAT is performed on either end. L2TP has a header protection that by default will see NAT as packet tampering and will discard it.

Cheers,

Daniel
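
The "no NAT on either end" advice can be checked against each ASA's configuration. The following is an added example, not part of the original posts: it assumes pre-8.3 ASA syntax, an interface named `inside`, and a `nat (inside) 0 access-list nat_zero` statement that the thread does not show, and it only confirms that a NAT-exemption entry covers the two subnets.

```python
import ipaddress
import re

# Constructed sample configs (pre-8.3 ASA syntax). The interface name "inside"
# and the "nat ... 0 access-list" line are assumptions, not taken from the thread.
TEXAS_CFG = """\
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet
access-list nat_zero extended permit ip TexasSubnet 255.255.255.0 RenoSubnet 255.255.255.0
nat (inside) 0 access-list nat_zero
"""
# The ACL exists here but is never applied as a NAT exemption.
RENO_CFG_MISSING = """\
name 192.168.100.0 TexasSubnet
name 192.168.200.0 RenoSubnet
access-list nat_zero extended permit ip RenoSubnet 255.255.255.0 TexasSubnet 255.255.255.0
"""

def nat_exempt_pairs(cfg):
    """Return the set of (source, destination) networks exempted from NAT."""
    names, acls, exempt_acls = {}, {}, set()
    for line in cfg.splitlines():
        tok = line.split()
        if len(tok) == 3 and tok[0] == "name":
            names[tok[2]] = tok[1]          # "name <ip> <alias>"
        elif (len(tok) == 9 and tok[0] == "access-list"
              and tok[2:5] == ["extended", "permit", "ip"]):
            src = ipaddress.ip_network(f"{names.get(tok[5], tok[5])}/{tok[6]}")
            dst = ipaddress.ip_network(f"{names.get(tok[7], tok[7])}/{tok[8]}")
            acls.setdefault(tok[1], set()).add((src, dst))
        elif re.fullmatch(r"nat \(\S+\) 0 access-list \S+", line.strip()):
            exempt_acls.add(tok[-1])        # ACL actually used for NAT exemption
    return set().union(*(acls.get(a, set()) for a in exempt_acls))

def inner_tunnel_untranslated(cfg, local, remote):
    """True when local->remote traffic is covered by a NAT-exemption entry."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return any(local.subnet_of(s) and remote.subnet_of(d)
               for s, d in nat_exempt_pairs(cfg))
```

Run it against the configuration of both ASAs, swapping the local and remote subnets for the far end.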
