Configure L2TP IPSec Cisco router



Layer 2 Tunneling Protocol (L2TP), when carried over IPsec for encryption, is one of the most widely supported and strongly encrypted VPN protocols available. It secures your connection and also lets you reach services such as web pages or applications that are blocked on the public network, the Internet.


Why would I configure L2TP over IPsec on a Cisco router?

L2TP over IPsec on a Cisco router lets remote users reach a VPN across a public IP network without an intermediate gateway or a dedicated line; you can connect from anywhere that has plain old telephone service (POTS). A further benefit is that the only requirement on the client side is Windows 2000 with Microsoft Dial-Up Networking (DUN).

No additional client software, such as the Cisco VPN Client, needs to be installed.

To configure L2TP over IPsec on a Cisco router, first configure IPsec in transport mode so that it can carry L2TP. Then configure L2TP with a virtual private dial-up network (VPDN); together these two layers form what is known as the “Two Level Connection”.

How do I configure L2TP over IPsec on a Cisco router?

To configure the security appliance for L2TP over IPsec, apply the following steps:

Important Note:

If either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed on the Windows 2000 machine, the security appliance will not accept an L2TP over IPsec connection from it. To work around this, disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5. You can do this from the Services panel in Windows 2000 (click Start, Programs, Administrative Tools, and then choose Services). Then restart the IPSec Policy Agent Service from the Services panel and reboot the machine.

Configure IPsec to use transport mode rather than tunnel mode with the mode keyword of the crypto ipsec transform-set command:

hostname(config)# crypto ipsec transform-set trans_name mode transport

This step is optional: set the local address pool used to allocate IP addresses to clients with the address-pool command in tunnel-group general-attributes mode:

hostname(config)# tunnel-group name general-attributes

hostname(config-tunnel-general)# address-pool pool_name

Enable L2TP over IPsec as a valid VPN tunneling protocol for a group or a user with the vpn-tunnel-protocol l2tp-ipsec command:

For a group:

Enter group-policy attributes mode:

hostname(config)# group-policy group_policy_name attributes

hostname(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec

For a user:

Enter username attributes mode:

hostname(config)# username user_name attributes

hostname(config-username)# vpn-tunnel-protocol l2tp-ipsec

Create a tunnel group with the tunnel-group command, and link the group policy to the tunnel group with the default-group-policy command in tunnel-group general-attributes mode:

hostname(config)# tunnel-group name type ipsec-ra

hostname(config)# tunnel-group name general-attributes

hostname(config-tunnel-general)# default-group-policy group_policy_name

Configure the PPP authentication protocol with the authentication type command in tunnel-group ppp-attributes mode:

hostname(config)# tunnel-group name ppp-attributes

hostname(config-ppp)# authentication pap

The following table lists the PPP authentication types and their characteristics.

Keyword: chap
Authentication type: CHAP
Characteristics: In response to the server challenge, the client returns the encrypted [challenge plus password] together with a cleartext username. Although this protocol is more secure than PAP, it does not encrypt data.

Keyword: eap-proxy
Authentication type: EAP
Characteristics: Enables EAP, which permits the security appliance to proxy the PPP authentication process to an external RADIUS authentication server.

Keyword: ms-chap-v1
Authentication type: Microsoft CHAP, Version 1
Characteristics: Similar to CHAP but more secure, in that the server stores and compares only encrypted passwords rather than the cleartext passwords used by CHAP. This protocol also generates a key for data encryption by MPPE.

Keyword: ms-chap-v2
Authentication type: Microsoft CHAP, Version 2
Characteristics: As for Microsoft CHAP, Version 1: encrypted password storage and comparison, plus generation of a key for data encryption by MPPE.

Keyword: pap
Authentication type: PAP
Characteristics: Passes the cleartext username and password during authentication and is not secure.

Set a method for authenticating users who attempt L2TP over IPsec connections. Use the authentication-server-group command in tunnel-group general-attributes mode to make the security appliance use either an authentication server or its own local database.

Using an Authentication Server:

To use an authentication server, give the name of the authentication server group:

hostname(config)# tunnel-group name general-attributes

hostname(config-tunnel-general)# authentication-server-group auth_server_group

Using the Local Database:

To use the local database, enter the LOCAL keyword.

hostname(config)# tunnel-group name general-attributes

hostname(config-tunnel-general)# authentication-server-group LOCAL

Important Note:

Against the local database, the security appliance supports only the PPP authentication types PAP and Microsoft CHAP Versions 1 and 2. EAP and CHAP are performed by proxy authentication servers. So if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap command, and the security appliance is configured to use the local database, that user will not be able to connect.

Create a user in the local database with the username command in global configuration mode.

If the user is an L2TP client using Microsoft CHAP Version 1 or Version 2, and the security appliance is configured to authenticate against the local database, you must include the mschap keyword.

For example:

hostname(config)# username t_wmith password eu5d93h mschap

Configure the interval (in seconds) between hello messages with the l2tp tunnel hello command in global configuration mode:

hostname(config)# l2tp tunnel hello seconds

Optional step: if you expect multiple L2TP clients behind a NAT device to attempt L2TP over IPsec connections to the security appliance, you must enable NAT traversal so that ESP packets can pass through one or more NAT devices.

How to enable NAT Traversal globally:

To enable NAT traversal globally, first enable ISAKMP with the crypto isakmp enable command in global configuration mode, and then use the crypto isakmp nat-traversal command.
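As an added example (not from the article and not a Cisco tool), a small Python linter that checks a running-config excerpt for the pitfalls the steps above describe: a transform set without mode transport, chap or eap-proxy combined with the LOCAL database, and a local user missing the mschap keyword when MS-CHAP is in use. The configuration text is constructed for the example, and the names trans1, l2tp_pol, l2tp_grp and t_smith are made up.

```python
import re

# Constructed running-config excerpt (not from a real device) with three deliberate pitfalls.
SAMPLE_CONFIG = """\
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
group-policy l2tp_pol attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group l2tp_grp general-attributes
 default-group-policy l2tp_pol
 authentication-server-group LOCAL
tunnel-group l2tp_grp ppp-attributes
 authentication chap
 authentication ms-chap-v2
username t_smith password eu5d93h
"""
PROXY_ONLY = {"chap", "eap-proxy"}     # work only via an external AAA server
MSCHAP = {"ms-chap-v1", "ms-chap-v2"}  # LOCAL users then need the 'mschap' keyword

def parse_sections(config):
    """Map each top-level command line to the indented sub-commands beneath it."""
    sections, header = {"global": []}, "global"
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace():                 # indented: belongs to current header
            sections[header].append(line.strip())
        else:
            header = line.strip()
            sections.setdefault(header, [])
    return sections

def lint_l2tp_ipsec(config):
    findings, sections = [], parse_sections(config)
    # 1. Every transform set must carry 'mode transport' for L2TP over IPsec.
    ts = {h.split()[3] for h in sections if h.startswith("crypto ipsec transform-set ")}
    ok = {h.split()[3] for h in sections if re.search(r"transform-set \S+ mode transport$", h)}
    findings += [f"transform-set {n}: missing 'mode transport'" for n in sorted(ts - ok)]
    # 2./3. LOCAL database vs. PPP method, and the 'mschap' keyword on local users.
    users = {h.split()[1]: "mschap" in h.split()
             for h in sections if h.startswith("username ") and " password " in h}
    for header, body in sections.items():
        m = re.match(r"tunnel-group (\S+) general-attributes$", header)
        if not m or "authentication-server-group LOCAL" not in body:
            continue
        tg = m.group(1)
        ppp = sections.get(f"tunnel-group {tg} ppp-attributes", [])
        methods = {c.split()[1] for c in ppp if c.startswith("authentication ")}
        for meth in sorted(methods & PROXY_ONLY):
            findings.append(f"tunnel-group {tg}: 'authentication {meth}' cannot be used with LOCAL")
        if methods & MSCHAP:
            findings += [f"username {u}: needs 'mschap' keyword for MS-CHAP against LOCAL"
                         for u, has in users.items() if not has]
    return findings
```

Running lint_l2tp_ipsec(SAMPLE_CONFIG) reports all three problems; once the transform set gets mode transport, the chap line is removed and the user is recreated with mschap, the list is empty.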

Tunnel Group Switching and its benefits for L2TP over IPsec on a Cisco router:

Tunnel Group Switching allows the security appliance to associate different users making L2TP over IPsec connections with different tunnel groups. Because each tunnel group has its own AAA server group and IP address pools, users can be authenticated through methods specific to their tunnel group.

This feature allows the client to send a username and a group name in the format username@group_name instead of only a username, where “@” is a delimiter that you can configure, and group_name is the name of a tunnel group that has been configured on the security appliance.

To enable Tunnel Group Switching, enable Strip Group processing with the strip-group command in tunnel-group general-attributes mode. The security appliance then selects the tunnel group for a connection by taking the group name from the username presented by the VPN client.

With Strip Group processing enabled, the security appliance forwards only the user part of the username for authentication and authorization. With it disabled, the security appliance sends the entire username, including the realm. In the following example, Strip Group processing is enabled for the tunnel group telecommuters:

asa1(config)# tunnel-group telecommuters general-attributes

asa1(config-tunnel-general)# strip-group
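As an added example, not from the article, a Python model of the tunnel-group selection described above: the group name after the delimiter picks the tunnel group, and the strip-group setting decides whether only the user part or the whole presented string is forwarded to authentication. The tunnel-group names and the fallback to DefaultRAGroup when the group is missing or unknown are assumptions made for the example.

```python
# Constructed tunnel-group table for the example (not from a real appliance).
# DefaultRAGroup is assumed to be the fallback tunnel group for remote access.
TUNNEL_GROUPS = {"DefaultRAGroup", "telecommuters", "contractors"}
DEFAULT_GROUP = "DefaultRAGroup"

def select_tunnel_group(presented_name, strip_group, delimiter="@",
                        groups=TUNNEL_GROUPS, default=DEFAULT_GROUP):
    """Return (tunnel group chosen, name forwarded for authentication).

    Models Tunnel Group Switching: the text after the configurable delimiter
    names the tunnel group. With strip-group enabled only the user part is
    forwarded; when it is disabled the entire string, realm included, is sent.
    """
    user, sep, group = presented_name.partition(delimiter)
    if not sep or group not in groups:   # no delimiter, or unknown group name
        return default, presented_name   # assumption: fall back to the default
    return group, (user if strip_group else presented_name)

def demo():
    """Walk a few presented names through both strip-group settings."""
    cases = ["alice@telecommuters", "bob", "carol@unknown"]
    return {name: {"strip-group": select_tunnel_group(name, True),
                   "no strip-group": select_tunnel_group(name, False)}
            for name in cases}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```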

That completes the configuration of L2TP over IPsec on a Cisco router.