Cisco ASA for Nexus 1000V Series Switch Technical Manual

Introduction
This document describes how to configure Layer 2 Tunneling Protocol (L2TP) over IPsec with a pre-shared key between a Cisco Adaptive Security
Appliance (ASA) and the Windows 8 native VPN client.
L2TP over Internet Protocol security (IPsec) provides the capability to deploy and administer an L2TP Virtual Private Network (VPN) solution
alongside the IPsec VPN and firewall services in a single platform.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
IP connectivity from the client machine to the ASA. To test connectivity, ping the IP address of the ASA from the client endpoint and
vice versa.
Ensure that UDP ports 500 (ISAKMP) and 4500 (NAT-T) and the Encapsulating Security Payload (ESP) protocol (IP protocol 50) are not blocked
anywhere along the path of the connection.
Restrictions
L2TP over IPsec supports only IKEv1. IKEv2 is not supported.
L2TP with IPsec on the ASA allows the L2TP Network Server (LNS) to interoperate with the native VPN clients integrated in operating systems such as Windows,
Mac OS X, Android, and Cisco IOS. Only L2TP with IPsec is supported; native L2TP by itself is not supported on the ASA.
The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the lifetime on the ASA is set to less
than 300 seconds, the Windows client ignores it and replaces it with a 300 second lifetime.
When it authenticates against the local database, the ASA supports only the Point-to-Point Protocol (PPP) authentication types Password
Authentication Protocol (PAP) and Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP) versions 1 and 2. Extensible Authentication
Protocol (EAP) and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with
the authentication eap-proxy or authentication chap command, and the ASA is configured to use the local database, that user cannot
connect.
Supported PPP Authentication Types
L2TP over IPsec connections on the ASA support only the PPP authentication types shown in the following table.
AAA Server Support and PPP Authentication Types
AAA Server Type    Supported PPP Authentication Types
LOCAL              PAP, MSCHAPv1, MSCHAPv2
RADIUS             PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy
TACACS+            PAP, CHAP, MSCHAPv1
LDAP               PAP
NT                 PAP
Kerberos           PAP
SDI                SDI
PPP Authentication Type Characteristics
chap (CHAP): In response to the server challenge, the client returns a hash of the challenge plus the password together with a clear-text
username. This protocol is more secure than PAP, but it does not encrypt data.
eap-proxy (EAP): Enables EAP, which permits the security appliance to proxy the PPP authentication process to an external RADIUS
authentication server.
ms-chap-v1, ms-chap-v2 (Microsoft CHAP, Version 1 and Version 2): Similar to CHAP but more secure in that the server stores and compares only
password hashes rather than clear-text passwords as in CHAP. This protocol also generates a key for data encryption by MPPE.
pap (PAP): Passes a clear-text username and password during authentication and is not secure on its own. Because the PPP exchange runs inside
the IPsec tunnel, the credentials are hidden from on-path observers, but they are still visible in clear text to the ASA and to any AAA
server it forwards them to.
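The restrictions and the two tables above are easy to get wrong in a tunnel-group that was first built for another client, so here is an added example (not code from the original document or from Cisco) that turns them into a check: a small Python linter that parses a constructed ASA configuration fragment and reports IKEv1 not being enabled, an IPsec SA lifetime that the Windows client will replace with 300 seconds, and 'authentication' keywords under ppp-attributes that the tunnel group's AAA server type cannot perform. The Finding class, the function names and the sample configuration are the example's own; it handles only the plain 'authentication-server-group <name>' form and assumes LOCAL when no server group is configured, which is the ASA default.

```python
import re
from dataclasses import dataclass

# PPP authentication keywords each AAA server type supports, taken from the
# "AAA Server Support and PPP Authentication Types" table above.
SUPPORTED_PPP_AUTH = {
    "LOCAL":    {"pap", "ms-chap-v1", "ms-chap-v2"},
    "RADIUS":   {"pap", "chap", "ms-chap-v1", "ms-chap-v2", "eap-proxy"},
    "TACACS+":  {"pap", "chap", "ms-chap-v1"},
    "LDAP":     {"pap"},
    "NT":       {"pap"},
    "KERBEROS": {"pap"},
    "SDI":      {"sdi"},
}
WINDOWS_MIN_SA_LIFETIME = 300  # seconds; the Windows client replaces lower values


@dataclass
class Finding:
    level: str  # "error", "warning" or "note"
    text: str


def unsupported_ppp_auth(server_type: str, keywords) -> list:
    """Keywords in `keywords` that a `server_type` AAA server cannot perform, sorted."""
    allowed = SUPPORTED_PPP_AUTH.get(server_type.upper(), set())
    return sorted(k for k in keywords if k not in allowed)


def lint_l2tp_config(config: str) -> list:
    """Parse the relevant ASA commands and return a list of Finding objects."""
    aaa_type = {"LOCAL": "LOCAL"}  # aaa-server group name -> server type
    ikev1_ifaces, ikev2_ifaces = set(), set()
    sa_lifetime = None
    server_group = {}  # tunnel-group -> aaa-server group name
    ppp_auth = {}      # tunnel-group -> set of 'authentication <kw>' keywords
    section = None     # (tunnel-group, "general" | "ppp") while inside a block

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():  # an unindented command ends any attribute block
            section = None
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            aaa_type[m[1]] = m[2].upper()
        elif m := re.match(r"crypto (ikev1|ikev2) enable (\S+)$", line):
            (ikev1_ifaces if m[1] == "ikev1" else ikev2_ifaces).add(m[2])
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line):
            sa_lifetime = int(m[1])
        elif m := re.match(r"tunnel-group (\S+) (general|ppp)-attributes$", line):
            section = (m[1], m[2])
        elif section and section[1] == "general":
            # Assumption: only the plain 'authentication-server-group <name>' form.
            if m := re.match(r"authentication-server-group (\S+)", line):
                server_group[section[0]] = m[1]
        elif section and section[1] == "ppp":
            if m := re.match(r"authentication (\S+)$", line):
                ppp_auth.setdefault(section[0], set()).add(m[1].lower())

    findings = []
    if not ikev1_ifaces:
        findings.append(Finding("error", "L2TP over IPsec requires IKEv1, but no "
                                "'crypto ikev1 enable <interface>' is configured"))
    for iface in sorted(ikev2_ifaces):
        findings.append(Finding("note", f"IKEv2 is enabled on {iface}; L2TP over "
                                "IPsec will not use it (IKEv1 only)"))
    if sa_lifetime is not None and sa_lifetime < WINDOWS_MIN_SA_LIFETIME:
        findings.append(Finding("warning", f"IPsec SA lifetime {sa_lifetime}s is below "
                                f"{WINDOWS_MIN_SA_LIFETIME}s; the Windows client ignores "
                                f"it and uses {WINDOWS_MIN_SA_LIFETIME}s"))
    for tg, keywords in sorted(ppp_auth.items()):
        group = server_group.get(tg, "LOCAL")  # LOCAL is the ASA default
        stype = aaa_type.get(group)
        if stype is None:
            findings.append(Finding("error", f"tunnel-group {tg}: aaa-server group "
                                    f"{group} is not defined"))
            continue
        for kw in unsupported_ppp_auth(stype, keywords):
            findings.append(Finding("error", f"tunnel-group {tg}: 'authentication {kw}' "
                                    f"is not supported with a {stype} server; "
                                    "those users cannot connect"))
    return findings


# Constructed sample configuration for the example (not from a real device).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev2 enable outside
crypto ipsec security-association lifetime seconds 120
aaa-server RAD-GRP protocol radius
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group LOCAL
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication chap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group L2TP-RADIUS general-attributes
 authentication-server-group RAD-GRP
tunnel-group L2TP-RADIUS ppp-attributes
 authentication chap
 authentication eap-proxy
"""
```

Running lint_l2tp_config(SAMPLE_CONFIG) yields two errors for DefaultRAGroup (chap and eap-proxy are not available against the local database), a warning for the 120-second lifetime, and a note that IKEv2 is enabled but unused; L2TP-RADIUS produces nothing, because a RADIUS server can perform both CHAP and EAP-Proxy.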
Components Used
The information in this document is based on these software and hardware versions: