Saturday, June 18, 2011

Cisco ASA IOS 8.4 and the art of a native Windows 7 L2TP/IPSec VPN

It was a day full of IP wrangling, the day I got this to work. A sine curve kind of day full of frustrations and eventually joy. Perhaps this will save someone else a bit of agony ...

Here's a config that works on ASA software version 8.4(1), with the mind-twisting new NAT syntax. The config serves IPsec clients on Linux (using vpnc - tip of the keyboard to AI for that info), Mac OS X, and the Cisco VPN Client, and also L2TP/IPsec clients. Confirmed working with the native clients on Windows 7, Vista, and XP Pro.

Identifying information such as IP addresses and valid domain names has been scrubbed for anonymity.

Caveat emptor: when you use ASDM rather than the command line, it has a way of mucking with VPN tunnel configurations. Consider yourself warned!

Configuration required only for the IPsec VPN (Cisco VPN Client, Mac OS X, iPad, and iPhone) is colored orange.
Configuration required only for the L2TP/IPsec VPN (native Windows XP, Vista, and 7 clients) is colored aqua.
Configuration required by both IPsec and L2TP/IPsec is in white.

interface Ethernet0/2
nameif Outside-ISP1
security-level 0
ip address X.X.15.2 255.255.255.248
!
interface Ethernet0/3
nameif Outside-ISP2
security-level 0
ip address Y.Y.18.86 255.255.255.248

object network NAT_VPN
subnet 10.1.1.0 255.255.255.0

access-list VPN_ROUTES standard permit 10.1.0.0 255.255.0.0
access-list VPN_ROUTES standard permit 10.2.0.0 255.255.0.0
access-list VPN_ROUTES standard permit 10.4.0.0 255.255.0.0


! separate pools are not needed (a single pool works), but they make it easier to tell IPsec and L2TP clients apart
ip local pool VPN_POOL 10.1.1.11-10.1.1.40 mask 255.255.255.0
ip local pool L2TP_POOL 10.1.1.41-10.1.1.150 mask 255.255.255.0

! this next line is needed because the Windows client doesn't honor split tunneling properly when you have multiple inside subnets; it hairpins VPN client traffic back out the outside interface, which does mean that while the VPN is connected, all of the client's traffic goes through the ASA and back out. The ASA only lets traffic enter and leave the same interface when "same-security-traffic permit intra-interface" is configured.

nat (Outside-ISP1,Outside-ISP1) source dynamic NAT_VPN interface

! identity (twice) NAT so traffic between the inside networks and the VPN pool is exempt from translation; CORP_SUBNETS and ENG_SUBNETS are objects defined elsewhere in the config (not shown)
nat (Inside,Outside-ISP1) source static CORP_SUBNETS CORP_SUBNETS destination static NAT_VPN NAT_VPN
nat (Inside-Eng,Outside-ISP1) source static ENG_SUBNETS ENG_SUBNETS destination static NAT_VPN NAT_VPN

nat (Inside,Outside-ISP2) source static CORP_SUBNETS CORP_SUBNETS destination static NAT_VPN NAT_VPN
nat (Inside-Eng,Outside-ISP2) source static ENG_SUBNETS ENG_SUBNETS destination static NAT_VPN NAT_VPN

! ESP-3DES-SHA_trans (transport mode) is for L2TP/IPsec; ESP-3DES-SHA (default tunnel mode) is for the IPsec clients
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! For IPsec only, do NOT specify "mode transport"
crypto dynamic-map DynMap 1 set ikev1 transform-set ESP-3DES-SHA_trans ESP-3DES-SHA
crypto map MapVPN 100 ipsec-isakmp dynamic DynMap
crypto map MapVPN interface Outside-ISP1
crypto map MapVPN interface Outside-ISP2
crypto isakmp nat-traversal 60
crypto ikev1 enable Outside-ISP1
crypto ikev1 enable Outside-ISP2

! can probably delete policy 10 or 65535, test and report back

crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 43200
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 1
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy VPNPolicy internal
group-policy VPNPolicy attributes
dns-server value 10.2.1.32
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ROUTES
default-domain value nonamedomain.com
group-policy VPNPolicyIpsec internal
group-policy VPNPolicyIpsec attributes
dns-server value 10.2.1.32 Public_DNS_Server_IP
vpn-idle-timeout 120
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ROUTES
default-domain value nonamedomain.com

! when creating new users, specify the password type as mschap rather than nt-encrypted: the ASA then converts the password to Unicode and stores its MD4 (NT) hash, which is what MS-CHAPv2 authentication needs. The stored form is displayed as nt-encrypted, as below.

username user1 password **** nt-encrypted
username user2 password **** nt-encrypted


! the native Windows L2TP/IPsec client sends no group name, so it always lands in DefaultRAGroup; a specific tunnel-group cannot be selected for it

tunnel-group DefaultRAGroup general-attributes
address-pool L2TP_POOL
authorization-server-group LOCAL
default-group-policy VPNPolicy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key ****
isakmp keepalive threshold 40 retry 5
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group VPNGroupIpsec type remote-access
tunnel-group VPNGroupIpsec general-attributes
address-pool VPN_POOL
default-group-policy VPNPolicyIpsec
tunnel-group VPNGroupIpsec ipsec-attributes
ikev1 pre-shared-key ****
isakmp keepalive threshold 40 retry 5

If you want specifics on the client side setup, let me know.
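As an added example (not from the post), here is a small Python checker for the L2TP/IPsec prerequisites the config above relies on: a transport-mode transform-set bound through the dynamic map, l2tp-ipsec allowed in the group-policy that DefaultRAGroup uses, and MS-CHAPv2 in its ppp-attributes. It also flags the legacy algorithms (3DES, MD5, CHAP/PAP) so they can be retired once clients allow it; the sample config is constructed in the post's flat style, and the keyword-based block parsing is my own assumption about how that flat text maps to ASA sections.

```python
# Constructed sample in the post's flat style (sub-commands not indented); not the complete config.
SAMPLE = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA_trans mode transport
crypto dynamic-map DynMap 1 set ikev1 transform-set ESP-3DES-SHA_trans
crypto ikev1 policy 20
encryption 3des
hash md5
group-policy VPNPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy VPNPolicy
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
"""
# Keywords that open a top-level entry; any other line is a sub-command of the entry above it (assumed layout).
TOP = ("interface ", "object ", "access-list ", "ip local pool ", "nat ", "crypto ", "group-policy ", "tunnel-group ", "username ")
def parse_blocks(text):
    """Map each top-level line to its list of sub-commands, skipping blanks and '!' comments."""
    blocks, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("!"):
            if line.startswith(TOP):
                cur = blocks.setdefault(line, [])
            elif cur is not None:
                cur.append(line)
    return blocks
def check_l2tp(cfg):
    """'MISSING ...' for the post's L2TP/IPsec prerequisites, 'WEAK ...' for legacy algorithms; DfltGrpPolicy inheritance is not modelled."""
    blocks, out = parse_blocks(cfg), []
    # The native Windows client needs a transport-mode transform-set bound through a dynamic map.
    transport = {h.split()[4] for h in blocks if h.startswith("crypto ipsec ikev1 transform-set ") and h.endswith(" mode transport")}
    on_map = {s for h in blocks if h.startswith("crypto dynamic-map ") and " set ikev1 transform-set " in h for s in h.split(" set ikev1 transform-set ", 1)[1].split()}
    if not transport & on_map:
        out.append("MISSING transport-mode transform-set on a dynamic map (native Windows L2TP/IPsec needs one)")
    # Windows sends no group name, so everything hangs off DefaultRAGroup and its default group-policy.
    gen = blocks.get("tunnel-group DefaultRAGroup general-attributes", [])
    policy = next((s.split()[1] for s in gen if s.startswith("default-group-policy ")), "DfltGrpPolicy")
    protos = " ".join(s for s in blocks.get(f"group-policy {policy} attributes", []) if s.startswith("vpn-tunnel-protocol "))
    if "l2tp-ipsec" not in protos:
        out.append(f"MISSING l2tp-ipsec in vpn-tunnel-protocol of group-policy {policy}")
    ppp = blocks.get("tunnel-group DefaultRAGroup ppp-attributes", [])
    if "authentication ms-chap-v2" not in ppp:
        out.append("MISSING authentication ms-chap-v2 in DefaultRAGroup ppp-attributes")
    out += [f"WEAK {s} enabled in DefaultRAGroup ppp-attributes" for s in ppp if s in ("authentication pap", "authentication chap", "authentication ms-chap-v1")]
    legacy = {"esp-des", "esp-3des", "esp-md5-hmac", "encryption des", "encryption 3des", "hash md5"}
    for h, subs in blocks.items():
        if h.startswith(("crypto ipsec ikev1 transform-set ", "crypto ikev1 policy ")) and (found := (set(h.split()) | set(subs)) & legacy):
            out.append(f"WEAK {h}: " + ", ".join(sorted(found)))
    return out
```

Run it against a `show running-config` dump the same way; a "no authentication chap" line is not treated as enabling CHAP, only an explicit "authentication chap" is.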

7 comments:

Anonymous said...

Thank you so much for the config! I'm new to Cisco ASA and wouldn't make it without your post! Because of your sharing I can walk out of office worry free. Thank you! :)

-Andrew

Milos said...

There is a way for split tunneling to work for the native Windows L2TP/IPSec client. You need the intercept-dhcp command under the group-policy you defined for L2TP (http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1886194), and you will also need to clear the checkbox "Use default gateway on remote network" under the TCP/IP properties of the L2TP connection. Working 100%! This way you can choose split or full tunnel from the client itself, 'cause it depends on whether you check or uncheck "Use default gateway...".

Yanis said...

I'm glad I came across this post, as this proves that using the W7 client with an ASA is possible. But I can't get it to work.

I do have a few questions:

1 - Is it possible to have this config work with a RADIUS server? I've used "eap-proxy" as the authentication strategy in the tunnel-group configuration.
2 - What is the use of the pre-shared key if I have nowhere to plug it into the native client? Have I missed something?

Julie said...

@yanis

1 - Sorry, I haven't tried to get RADIUS auth working with an ASA. I did get RADIUS auth working with a Cisco firewall once, so it's likely possible on the ASA. I'll search for my notes and post back here.

2 - When I did this, I entered the IPsec PSK in the VPN Properties, Security tab, Advanced Settings button, and selected "use preshared key for authentication"; if you're using RADIUS this may not be necessary though.

I like to keep things simple, and set up the vpn without auth to radius, AD, etc first, make sure that works, then add radius auth back.

Good luck!

Sergei said...

Great post. Simple and straightforward.
I wasted almost a day figuring out this specific transform-set, "esp-3des esp-sha-hmac", which is the only one Windows 7 supports. Damned Microsoft. All other OSs worked just fine with aes-256.

Btw, I managed to configure RADIUS auth only using PAP. Should be the RADIUS configuration though; it doesn't understand the ASA's MS-CHAPv2 requests.

Kim said...

Maybe aes works if you enable fips-60?

/Kim