We would like to enable remote Windows XP clients to connect to the corporate network without installing a VPN client. We are trying to achieve this by using L2TP/IPSec provided by Microsoft Dial-Up Networking. We want IPSec (3DES) to be authenticated by certificates and PPP clients to be authenticated by RADIUS (AD) using MS-CHAP.
We have a 39xx router with a Security license as the production router; however, we are currently performing the investigation in a lab environment with Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 12.4(22)YB, RELEASE SOFTWARE (fc2) (License Level: advipservices, Type: Permanent). The rest of the environment includes 2 AD controllers (used for RADIUS) and an OpenSSL CA.
So far we have succeeded at establishing unsecured (with the "ProhibitIpSec = 1" registry fix on the client side) PPP connections over L2TP tunnels using MS-CHAP authentication in AD. After enabling IPSec ("ProhibitIpSec = 0") on the client, the L2TP tunnel failed to establish over the existing ISAKMP SA.
Here's the config we are trying to get to work:
Current configuration : 18419 bytes
!
! Last configuration change at 06:48:25 UTC Fri May 21 2010 by me
!
! RADIUS servers (the AD controllers) used for PPP authentication
aaa group server radius COMPANY
 server IP1 auth-port 1645 acct-port 1646
 server IP2 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login RADIUS-COMPANY group COMPANY
aaa authentication ppp RADIUS-COMPANY group COMPANY local
aaa authorization network LOCAL-AUTHORIZATION local
aaa session-id common
!
! Trustpoint for the OpenSSL CA; peer certificates are checked against the OPENSSL-CA map
crypto pki trustpoint OPENSSL
 enrollment terminal pem
 rsakeypair OPENSSL 1024
 match certificate OPENSSL-CA
 authorization username subjectname commonname
!
crypto pki certificate map OPENSSL-CA 10
 subject-name co o = my company
!
crypto pki certificate chain OPENSSL
 certificate ca 0...6
!
multilink bundle-name authenticated
!
no l2tp tunnel authentication
!
crypto isakmp policy 1
crypto isakmp client configuration group COMPANY-EMPLOYEES
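For reference, here is a minimal IOS L2TP/IPsec server configuration of the kind this setup needs. It is added here as an illustration and is not taken from the poster's router. It reuses the trustpoint OPENSSL and the PPP method list RADIUS-COMPANY from the config above; the interface name FastEthernet8, the 192.0.2.0/24 address pool and the names L2TP-TS, L2TP-DYN, L2TP-MAP, L2TP-POOL and L2TP are assumptions made up for the example. The two details that most often stop the L2TP tunnel from coming up once the ISAKMP SA already exists are shown explicitly: the IPsec transform set must be in transport mode, because the Windows client proposes transport-mode ESP for its UDP/1701 traffic, and that transform set has to be reachable through a dynamic crypto map bound to the interface the clients connect to.

```cisco
! Phase 1: matches the proposal Windows XP sends for L2TP/IPsec
! (3DES, SHA-1, DH group 2) and authenticates with the OPENSSL trustpoint certificate
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Keep NAT-T enabled so clients behind home NAT can fall back to UDP 4500
crypto isakmp nat-traversal 20
!
! Phase 2: Windows negotiates transport-mode ESP for UDP/1701.
! Without "mode transport" the proposal is rejected after phase 1 has succeeded.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
!
! Dynamic crypto map: client addresses are unknown, so no fixed peer or ACL
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
!
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
!
! Assumed WAN interface name; the crypto map must sit on the interface the clients reach
interface FastEthernet8
 crypto map L2TP-MAP
!
! L2TP: accept tunnels from the Windows client and terminate PPP on a virtual template
vpdn enable
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! Assumed address pool for the PPP peers (documentation range, replace in production)
ip local pool L2TP-POOL 192.0.2.100 192.0.2.150
!
! PPP is authenticated with MS-CHAP against the RADIUS-COMPANY method list (AD via RADIUS)
interface Virtual-Template1
 ip unnumbered FastEthernet8
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap RADIUS-COMPANY
```

When testing, `show crypto isakmp sa` confirms phase 1 (which the poster already has), `show crypto ipsec sa` shows whether a transport-mode phase 2 SA for UDP/1701 was actually built, and `debug vpdn l2x-events` shows whether the L2TP SCCRQ ever arrives over that SA; if phase 2 is missing, the transform set or the crypto map binding is the first thing to check.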