ASA Configuration Using CLI

Step 1. Configure IKE Phase 1 policy parameters.

This policy protects the control traffic between the peers (that is, it protects the pre-shared key exchange and the Phase 2 negotiation).

ciscoasa(config)#crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)#authentication pre-share
ciscoasa(config-ikev1-policy)#encryption 3des
ciscoasa(config-ikev1-policy)#hash sha
ciscoasa(config-ikev1-policy)#group 2
ciscoasa(config-ikev1-policy)#lifetime 86400
ciscoasa(config-ikev1-policy)#exit 

Step 2. Configure Transform-set.

The transform set contains the IKE Phase 2 policy parameters that protect the data traffic. Because the Windows L2TP/IPsec client uses IPsec transport mode, set the mode to transport; the default is tunnel mode.

ciscoasa(config)#crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
ciscoasa(config)#crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport

Step 3. Configure dynamic map.

Because Windows clients get a dynamic IP address from the ISP or a local DHCP server (for example, a modem), the ASA does not know the peer IP address in advance, so a static peer cannot be configured on the ASA end. A dynamic crypto map has to be used instead: not all parameters are defined up front, and the missing parameters are learned dynamically from the client as a result of the IPsec negotiation.

ciscoasa(config)#crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA

Step 4. Bind the dynamic map to a static crypto map, apply the crypto map to the outside interface, and enable IKEv1 on that interface.

A dynamic crypto map cannot be applied to an interface directly, so bind it to a static crypto map. Dynamic crypto map entries should be the lowest-priority entries in the crypto map set (that is, they should have the highest sequence numbers) so that the ASA evaluates the other crypto map entries first. The ASA examines the dynamic crypto map set only when none of the static map entries match.

ciscoasa(config)#crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
ciscoasa(config)#crypto map outside_map interface outside
ciscoasa(config)#crypto ikev1 enable outside

Step 5. Create IP address pool

Create a pool of addresses from which IP addresses are assigned dynamically to the remote VPN clients. Skip this step to use an existing pool on the ASA.

ciscoasa(config)#ip local pool Address-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0

Step 6. Configure group-policy

Identify the group policy as internal, which means its attributes are pulled from the local database.

ciscoasa(config)#group-policy L2TP-VPN internal

Note: L2TP/IPsec connections can be configured with either the default group policy (DfltGrpPolicy) or a user-defined group policy. In either case, the group policy must be configured to use the L2TP/IPsec tunneling protocol. If l2tp-ipsec is configured in the vpn-tunnel-protocol attribute of the default group policy, a user-defined group policy inherits it as long as the vpn-tunnel-protocol attribute is not configured on that policy.

Configure the attributes such as the VPN tunnel protocol (in our case, l2tp-ipsec), the domain name, the DNS and WINS server IP addresses, and new user accounts.

ciscoasa(config)#group-policy L2TP-VPN attributes
ciscoasa(config-group-policy)#dns-server value 8.8.8.8 4.4.4.2
ciscoasa(config-group-policy)#vpn-tunnel-protocol l2tp-ipsec
ciscoasa(config-group-policy)#default-domain value cisco.com

Configure usernames and passwords on the device in addition to using AAA. If the user is an L2TP client that uses Microsoft CHAP version 1 or version 2, and the ASA is configured to authenticate against the local database, the mschap keyword must be included. For example: username <username> password <password> mschap.

ciscoasa(config-group-policy)# username test password test mschap

Step 7. Configure tunnel-group

Create a tunnel group with the tunnel-group command, and specify the name of the local address pool used to allocate IP addresses to the clients. If the authentication method is pre-shared key, the tunnel group name must be DefaultRAGroup, because the client has no option to specify a tunnel group and therefore always lands on the default tunnel group. Bind the group policy to the tunnel group with the default-group-policy command.

ciscoasa(config)#tunnel-group DefaultRAGroup general-attributes
ciscoasa(config-tunnel-general)#address-pool Address-pool
ciscoasa(config-tunnel-general)#default-group-policy L2TP-VPN
ciscoasa(config-tunnel-general)#exit 

Note: The default connection profile (tunnel group), DefaultRAGroup, has to be configured if pre-shared key authentication is used. If certificate-based authentication is used, a user-defined connection profile can be selected based on certificate identifiers.

Use the tunnel-group ipsec-attributes command to enter the ipsec-attribute configuration mode in order to set the pre-shared key.

ciscoasa(config)# tunnel-group DefaultRAGroup ipsec-attributes
ciscoasa(config-tunnel-ipsec)#  ikev1 pre-shared-key C!sc0@123
ciscoasa(config-tunnel-ipsec)#exit 

Configure the PPP authentication protocol with the authentication command in tunnel-group ppp-attributes mode. Disable CHAP, which is enabled by default, because it is not supported when the AAA server is the local database.

ciscoasa(config)#tunnel-group DefaultRAGroup ppp-attributes
ciscoasa(config-ppp)#no authentication chap
ciscoasa(config-ppp)#authentication ms-chap-v2
ciscoasa(config-ppp)#exit 

Step 8. Configure NAT-Exemption

Configure NAT exemption so that the clients can reach internal resources connected to internal interfaces (in this example, the internal resources are connected to the inside interface).

ciscoasa(config)#object network L2TP-Pool
ciscoasa(config-network-object)#subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)#exit
ciscoasa(config)# nat (inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup

Complete Sample Configuration

	crypto ikev1 policy 10
	 authentication pre-share
	 encryption 3des
	 hash sha
	 group 2
	 lifetime 86400
	 exit

	crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
	crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport

	crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA

	crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
	crypto map outside_map interface outside
	crypto ikev1 enable outside

	ip local pool Address-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0

	group-policy L2TP-VPN internal
	group-policy L2TP-VPN attributes
	 vpn-tunnel-protocol l2tp-ipsec
	 default-domain value cisco.com
	 username test password test mschap
	 exit

	tunnel-group DefaultRAGroup general-attributes
	 address-pool Address-pool
	 default-group-policy L2TP-VPN
	 exit

	tunnel-group DefaultRAGroup ipsec-attributes
	 ikev1 pre-shared-key C!sc0@123
	 exit

	tunnel-group DefaultRAGroup ppp-attributes
	 no authentication chap
	 authentication ms-chap-v2
	 exit

	object network L2TP-Pool
	 subnet 192.168.1.0 255.255.255.0
	 exit
	nat (inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
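The ordering rule from Step 4 (dynamic entries must carry the highest sequence numbers), the transport-mode requirement from Step 2 and the DefaultRAGroup pre-shared key from Step 7 are all things that can be verified before a config is pushed. The following Python script is an added example written for this page; it is not part of the Cisco document and not an ASA tool. It parses an ASA running-config into header/sub-line blocks, extracts the IKEv1 policies, transform sets and crypto map entries, and reports violations of those rules plus the legacy algorithms this sample uses (3DES and DH group 2). SAMPLE_CONFIG is an abbreviated copy of the page's sample configuration with the group policy named L2TP-VPN; the function names and the choice of which algorithms count as legacy are the example's own.

```python
import re

# Abbreviated from the page's sample configuration (running-config form, so no
# "exit" lines), embedded here so the checker runs offline.
SAMPLE_CONFIG = """
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
group-policy L2TP-VPN attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key C!sc0@123
"""

# Which algorithms count as legacy is this example's own choice (assumption).
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}

def parse_blocks(cfg):
    """Split an ASA config into (header, [indented sub-lines]) pairs."""
    blocks = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def ikev1_policies(blocks):
    """Return {seq: {param: value}} for each 'crypto ikev1 policy N' block."""
    policies = {}
    for header, body in blocks:
        m = re.match(r"crypto ikev1 policy (\d+)$", header)
        if m:
            pairs = (line.split(None, 1) for line in body if " " in line)
            policies[int(m.group(1))] = {k: v for k, v in pairs}
    return policies

def transform_sets(blocks):
    """Return {name: {'proposal': [...], 'mode': 'tunnel' | 'transport'}}."""
    sets = {}
    for header, _ in blocks:
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", header)
        if m:
            name, rest = m.groups()
            entry = sets.setdefault(name, {"proposal": [], "mode": "tunnel"})  # ASA default
            if rest.startswith("mode "):
                entry["mode"] = rest.split()[1]
            else:
                entry["proposal"] = rest.split()
    return sets

def crypto_map_entries(blocks):
    """Return {map_name: [(seq, is_dynamic), ...]} for ipsec-isakmp entries."""
    maps = {}
    for header, _ in blocks:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?", header)
        if m:
            name, seq, dyn = m.groups()
            maps.setdefault(name, []).append((int(seq), dyn is not None))
    return maps

def check_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(cfg)
    findings = []
    for seq, p in ikev1_policies(blocks).items():
        if p.get("encryption") in WEAK_ENCRYPTION:
            findings.append(f"ikev1 policy {seq}: legacy cipher {p['encryption']}")
        if p.get("group") in WEAK_DH_GROUPS:
            findings.append(f"ikev1 policy {seq}: weak DH group {p['group']}")
    for name, ts in transform_sets(blocks).items():
        if ts["mode"] != "transport":
            findings.append(f"transform-set {name}: mode {ts['mode']}, but Windows L2TP/IPsec needs transport")
    for name, entries in crypto_map_entries(blocks).items():
        static = [s for s, dyn in entries if not dyn]
        dynamic = [s for s, dyn in entries if dyn]
        if static and dynamic and min(dynamic) <= max(static):
            findings.append(f"crypto map {name}: dynamic entry {min(dynamic)} is not above every static entry")
    psk_lines = [l for h, b in blocks if h == "tunnel-group DefaultRAGroup ipsec-attributes" for l in b]
    if not any(l.startswith("ikev1 pre-shared-key") for l in psk_lines):
        findings.append("tunnel-group DefaultRAGroup: no ikev1 pre-shared-key configured")
    return findings

if __name__ == "__main__":
    print("\n".join(check_config(SAMPLE_CONFIG) or ["no findings"]))
```

Run against the page's sample the script reports only the two legacy-algorithm findings; the ordering, transport-mode and pre-shared-key checks pass. Feed it a config in which a dynamic entry has a lower sequence number than a static one and the crypto map check fires, which is exactly the misordering Step 4 warns about.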
Reference link: https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.html#anc12