Technical Manual for the Cisco ASA 5505 Adaptive Security Appliance

L2TP over IPsec supports only IKEv1. IKEv2 is not supported.
L2TP with IPsec on the ASA allows the LNS to interoperate with native VPN clients integrated
in such operating systems as Windows, Mac OS X, Android, and Cisco IOS. Only L2TP with
IPsec is supported; native L2TP by itself is not supported on the ASA.
The minimum IPsec security association lifetime supported by the Windows client is 300
seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windows client ignores
it and replaces it with a 300-second lifetime.
The ASA supports only the Point-to-Point Protocol (PPP) authentication methods Password
Authentication Protocol (PAP) and Microsoft Challenge-Handshake Authentication Protocol
(MS-CHAP), Versions 1 and 2, on the local database. Extensible Authentication Protocol (EAP)
and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs
to a tunnel group configured with the authentication eap-proxy or authentication chap
commands, and the ASA is configured to use the local database, that user cannot connect.
Supported PPP Authentication Types
L2TP over IPsec connections on the ASA support only the PPP authentication types shown in
the following table.

Table: AAA Server Support and PPP Authentication Types

AAA Server Type    Supported PPP Authentication Types
LOCAL              PAP, MSCHAPv1, MSCHAPv2
RADIUS             PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy
TACACS+            PAP, CHAP, MSCHAPv1
LDAP               PAP
NT                 PAP
Kerberos           PAP
SDI                SDI
Table: PPP Authentication Type Characteristics

Keyword       Authentication Type          Characteristics
chap          CHAP                         In response to the server challenge, the client returns the
                                           encrypted [challenge plus password] with a clear text
                                           username. This protocol is more secure than PAP, but it
                                           does not encrypt data.
eap-proxy     EAP                          Enables EAP, which permits the security appliance to proxy
                                           the PPP authentication process to an external RADIUS
                                           authentication server.
ms-chap-v1    Microsoft CHAP, Version 1    Similar to CHAP but more secure in that the server stores
ms-chap-v2    Microsoft CHAP, Version 2    and compares only encrypted passwords rather than clear
                                           text passwords as in CHAP. This protocol also generates a
                                           key for data encryption by MPPE.
pap           PAP                          Passes clear text username and password during
                                           authentication and is not secure.
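The three restrictions above (IKEv1 only, a lifetime the Windows client will accept, and only PAP/MS-CHAP against the local database) put together in one tunnel-group configuration. This is an added illustrative example, not configuration from the Cisco guide; the object names (TRANS_ESP_AES_SHA, DYN_MAP, VPN_MAP, L2TP_POLICY, L2TP_POOL, vpnuser), the 192.0.2.0/24 pool and the placeholder pre-shared key are assumptions.

```cisco
! Added example (not from the Cisco guide): L2TP over IPsec with IKEv1 only,
! local-database authentication, and a lifetime the Windows client will accept.
! Names (TRANS_ESP_AES_SHA, DYN_MAP, VPN_MAP, L2TP_POLICY, L2TP_POOL, vpnuser)
! and the 192.0.2.0/24 pool are assumptions chosen for this example.

! Local users must be stored with the mschap keyword so that MS-CHAPv2 can
! verify them against the local database.
username vpnuser password Example-Pa55 mschap

ip local pool L2TP_POOL 192.0.2.10-192.0.2.50 mask 255.255.255.0

! IKEv1 is the only IKE version L2TP over IPsec supports on the ASA.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! L2TP/IPsec requires the transform set in transport mode.
crypto ipsec ikev1 transform-set TRANS_ESP_AES_SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_AES_SHA mode transport

! A value below 300 here is silently replaced by 300 on the Windows client;
! 3600 keeps the ASA and the client in agreement.
crypto dynamic-map DYN_MAP 10 set ikev1 transform-set TRANS_ESP_AES_SHA
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 3600
crypto map VPN_MAP 20 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside

group-policy L2TP_POLICY internal
group-policy L2TP_POLICY attributes
 vpn-tunnel-protocol l2tp-ipsec

! Native OS clients land in DefaultRAGroup.
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL
 default-group-policy L2TP_POLICY
 authentication-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_PSK_REPLACE_ME
! With the LOCAL database only PAP, MS-CHAPv1 and MS-CHAPv2 can succeed;
! chap and eap-proxy would be proxied to a server and must stay disabled.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
```

If the tunnel group is later pointed at a RADIUS server group instead of LOCAL, the chap and eap-proxy keywords become usable per the AAA server table above.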
Components Used

The information in this document is based on these software and hardware versions:
Cisco 5515 Series ASA that runs software version 9.4(1)