Cisco ASA for Nexus 1000V Series Switch Troubleshooting Guide

Furthermore, Android does not support PAP, and because Lightweight Directory Access Protocol (LDAP) does not support MS-CHAP, LDAP is not a viable authentication mechanism for these clients. The only workaround is to use RADIUS. See Cisco Bug ID CSCtw58945, "L2TP over IPSec connections fail with ldap authorization and mschapv2," for further details on issues with MS-CHAP and LDAP.
This procedure describes how to configure the L2TP/IPSec connection on the ASA:

1. Define a local address pool, or use a dhcp-server for the adaptive security appliance, in order to allocate IP addresses to the clients for the group policy.
2. Create an internal group-policy.
   1. Define the tunnel protocol to be l2tp-ipsec.
   2. Configure a domain name server (DNS) to be used by the clients.
3. Create a new tunnel group or modify the attributes of the existing DefaultRAGroup. (A new tunnel group can be used if the IPSec identifier is set as group-name on the phone; see step 10 for the phone configuration.)
4. Define the general attributes of the tunnel group that is used.
   1. Map the defined group policy to this tunnel group.
   2. Map the defined address pool to be used by this tunnel group.
   3. Modify the authentication-server group if you want to use something other than LOCAL.
5. Define the pre-shared key under the IPSec attributes of the tunnel group to be used.
6. Modify the PPP attributes of the tunnel group that is used so that only chap, ms-chap-v1 and ms-chap-v2 are used.
7. Create a transform set with a specific encapsulating security payload (ESP) encryption type and authentication type.
8. Instruct IPSec to use transport mode rather than tunnel mode.
9. Define an ISAKMP/IKEv1 policy using 3DES encryption with the SHA1 hash method.
10. Create a dynamic crypto map, and map it to a crypto map.
11. Apply the crypto map to an interface.
12. Enable ISAKMP on that interface.
Configuration File Commands for ASA Compatibility
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

This example shows the configuration file commands that ensure ASA compatibility with a native VPN client on any operating system.
ASA 8.2.5 or Later Configuration Example
username <name> password <passwd> mschap
ip local pool l2tp-ipsec_address 192.168.1.1-192.168.1.10
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
            dns-server value <dns_server>
            vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
            default-group-policy l2tp-ipsec_policy
            address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ipsec-attributes
            pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
            no authentication pap
            authentication chap
            authentication ms-chap-v1
            authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
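As an added example (not Cisco's code or part of this guide), the following Python script checks a saved ASA running-config against the requirements the procedure and configuration example above lay out: PAP disabled and MS-CHAPv2 enabled under the tunnel group's ppp-attributes, a mapped group-policy that allows l2tp-ipsec, an address pool mapped to the tunnel group, and a transform set in transport mode. The sample configuration embedded in the script is constructed for the demonstration; the tunnel-group name and the 8.4-style `ikev1` keyword handling are assumptions.

```python
import re
# Constructed sample, shaped like the page's ASA 8.2.5 configuration example.
SAMPLE_CONFIG = """\
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy l2tp-ipsec_policy
 address-pool l2tp-ipsec_address
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
"""

def parse_blocks(config: str) -> dict[str, list[str]]:
    """Group indented sub-commands under their top-level (unindented) line."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def check_l2tp_ipsec(config: str, tunnel_group: str = "DefaultRAGroup") -> list[str]:
    """Return findings against the page's requirements; an empty list means all pass."""
    blocks = parse_blocks(config)
    findings: list[str] = []
    ppp = blocks.get(f"tunnel-group {tunnel_group} ppp-attributes", [])
    if "no authentication pap" not in ppp:
        findings.append("PAP not disabled under ppp-attributes")
    if "authentication ms-chap-v2" not in ppp:
        findings.append("MS-CHAPv2 not enabled under ppp-attributes")
    general = blocks.get(f"tunnel-group {tunnel_group} general-attributes", [])
    policy = next((l.split()[-1] for l in general if l.startswith("default-group-policy ")), None)
    attrs = blocks.get(f"group-policy {policy} attributes", []) if policy else []
    if not any(l.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in l.split() for l in attrs):
        findings.append("mapped group-policy does not allow vpn-tunnel-protocol l2tp-ipsec")
    if not any(l.startswith("address-pool ") for l in general):
        findings.append("no address-pool mapped to the tunnel group")
    # ASA 8.2 syntax; 8.4 and later insert 'ikev1' after 'crypto ipsec', hence the optional group.
    if not any(re.match(r"crypto ipsec (ikev1 )?transform-set \S+ mode transport", b) for b in blocks):
        findings.append("no transform-set in transport mode")
    return findings
```

Run `check_l2tp_ipsec(open("running-config.txt").read())` against an exported configuration; each returned string names one of the page's requirements that the configuration does not meet.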