ASA Configuration Using CLI

Configure the IKE Phase 1 policy. This policy protects the control traffic between the peers (that is, it protects the pre-shared key authentication and the Phase 2 negotiation).

```
ciscoasa(config)#crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)#authentication pre-share
ciscoasa(config-ikev1-policy)#encryption 3des
ciscoasa(config-ikev1-policy)#hash sha
ciscoasa(config-ikev1-policy)#group 2
ciscoasa(config-ikev1-policy)#lifetime 86400
ciscoasa(config-ikev1-policy)#exit
```
The transform set contains the IKE Phase 2 (IPsec) parameters that protect the data traffic. Because the Windows L2TP/IPsec client uses IPsec transport mode, set the mode to transport; the default is tunnel mode.

```
ciscoasa(config)#crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
ciscoasa(config)#crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
```
Because Windows clients get a dynamic IP address from the ISP or from a local DHCP server (for example, a modem), the ASA does not know the peer IP address in advance, so a static peer cannot be configured on the ASA side. Instead, use a dynamic crypto map, in which not all parameters are defined up front; the missing parameters are learned dynamically from the client as a result of the IPsec negotiation.

```
ciscoasa(config)#crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
```
A dynamic crypto map cannot be applied to an interface, so bind it to a static crypto map. Dynamic crypto map entries should be the lowest-priority entries in the crypto map set (that is, they should have the highest sequence numbers) so that the ASA evaluates the other crypto maps first. It examines the dynamic crypto map set only when none of the other (static) map entries match.

```
ciscoasa(config)#crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
ciscoasa(config)#crypto map outside_map interface outside
ciscoasa(config)#crypto ikev1 enable outside
```
Create a pool of addresses from which IP addresses are assigned dynamically to the remote VPN clients. Skip this step to use an existing pool on the ASA.

```
ciscoasa(config)#ip local pool Address-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0
```
Define the group policy as internal, which means that its attributes are pulled from the local database.

```
ciscoasa(config)#group-policy L2TP-VPN internal
```
Note: L2TP/IPsec connections can be configured with either the default group policy (DfltGrpPolicy) or a user-defined group policy. In either case, the group policy must be configured to use the L2TP/IPsec tunneling protocol. Configure l2tp-ipsec in the vpn-tunnel-protocol attribute of the default group policy; the user-defined group policy inherits it if the vpn-tunnel-protocol attribute is not configured there.

Configure the attributes such as the VPN tunnel protocol (in this case, l2tp-ipsec), the domain name, the DNS and WINS server IP addresses, and new user accounts.

```
ciscoasa(config)#group-policy L2TP-VPN attributes
ciscoasa(config-group-policy)#dns-server value 8.8.8.8 4.4.4.2
ciscoasa(config-group-policy)#vpn-tunnel-protocol l2tp-ipsec
ciscoasa(config-group-policy)#default-domain value cisco.com
```
Configure usernames and passwords on the device in addition to using AAA. If the user is an L2TP client that uses Microsoft CHAP version 1 or version 2, and the ASA is configured to authenticate against the local database, the mschap keyword must be included, for example: username <username> password <password> mschap.

```
ciscoasa(config)#username test password test mschap
```
Create a tunnel group with the tunnel-group command and specify the name of the local address pool used to allocate IP addresses to the clients. If the authentication method is a pre-shared key, the tunnel group name must be DefaultRAGroup, because the client has no option to specify a tunnel group and so the connection always lands on the default tunnel group. Bind the group policy to the tunnel group with the default-group-policy command.

```
ciscoasa(config)#tunnel-group DefaultRAGroup general-attributes
ciscoasa(config-tunnel-general)#address-pool Address-pool
ciscoasa(config-tunnel-general)#default-group-policy L2TP-VPN
ciscoasa(config-tunnel-general)#exit
```
Note: The default connection profile (tunnel group), DefaultRAGroup, must be configured if pre-shared-key-based authentication is used. If certificate-based authentication is used, a user-defined connection profile can be selected based on certificate identifiers.

Use the tunnel-group ipsec-attributes command to enter ipsec-attributes configuration mode and set the pre-shared key.

```
ciscoasa(config)#tunnel-group DefaultRAGroup ipsec-attributes
ciscoasa(config-tunnel-ipsec)#ikev1 pre-shared-key C!sc0@123
ciscoasa(config-tunnel-ipsec)#exit
```
Configure the PPP authentication protocol with the authentication command in tunnel-group ppp-attributes mode. Disable CHAP, which is enabled by default, because it is not supported when the AAA server is the local database.

```
ciscoasa(config)#tunnel-group DefaultRAGroup ppp-attributes
ciscoasa(config-ppp)#no authentication chap
ciscoasa(config-ppp)#authentication ms-chap-v2
ciscoasa(config-ppp)#exit
```
Configure a NAT exemption so that the clients can reach internal resources connected to the internal interfaces (in this example, the internal resources are connected to the inside interface).

```
ciscoasa(config)#object network L2TP-Pool
ciscoasa(config-network-object)#subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)#exit
ciscoasa(config)#nat (inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
```
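As an added example (not part of the original page or of Cisco's documentation), the following Python audit parses a `show running-config` style dump and reports which of the requirements listed above it misses: the transform set in transport mode, the dynamic entry holding the highest sequence number in its crypto map, a pre-shared key and the CHAP/MS-CHAPv2 settings on DefaultRAGroup, and l2tp-ipsec allowed by the bound group policy (or inherited from DfltGrpPolicy). The embedded sample configuration is constructed from this page's commands, with the group policy named L2TP-VPN and one assumed static crypto map entry (SITE-TO-SITE) added to exercise the sequence-number check.

```python
import re
# Constructed sample: the page's configuration as "show running-config" prints it (sub-modes indented one space), plus an unrelated static entry in the same crypto map.
SAMPLE_CONFIG = """crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 10 match address SITE-TO-SITE
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
group-policy L2TP-VPN attributes
 vpn-tunnel-protocol l2tp-ipsec
username test password test mschap
tunnel-group DefaultRAGroup general-attributes
 default-group-policy L2TP-VPN
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key C!sc0@123
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

def parse_sections(config):  # top-level command -> list of its indented sub-mode lines
    sections, current = {}, []
    for raw in filter(str.strip, config.splitlines()):
        if raw[0].isspace():
            current.append(raw.strip())
        else:
            current = sections.setdefault(raw.strip(), [])
    return sections

def audit_l2tp_ipsec(config):  # returns the page's requirements the config misses; [] means all met
    s, out = parse_sections(config), []
    m = re.search(r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set (\S+)", config, re.M)
    if not m or f"crypto ipsec ikev1 transform-set {m.group(1)} mode transport" not in s:
        out.append("dynamic map transform-set missing or not in transport mode (Windows client needs transport)")
    maps = {}  # crypto map name -> {sequence number: entry is the dynamic one}
    for e in filter(None, (re.match(r"crypto map (\S+) (\d+) (.*)", l) for l in s)):
        seqs = maps.setdefault(e.group(1), {})
        seqs[int(e.group(2))] = seqs.get(int(e.group(2)), False) or e.group(3).startswith("ipsec-isakmp dynamic")
    for name, seqs in maps.items():
        if any(dyn and seq != max(seqs) for seq, dyn in seqs.items()):
            out.append(f"dynamic entry in crypto map {name} is not its highest sequence number")
    tg = lambda mode: s.get(f"tunnel-group DefaultRAGroup {mode}", [])  # PSK clients always land here
    if not any(l.startswith("ikev1 pre-shared-key") for l in tg("ipsec-attributes")):
        out.append("DefaultRAGroup has no IKEv1 pre-shared key")
    if not {"no authentication chap", "authentication ms-chap-v2"} <= set(tg("ppp-attributes")):
        out.append("DefaultRAGroup ppp-attributes must disable CHAP and enable ms-chap-v2")
    gp = next((l.split()[-1] for l in tg("general-attributes") if l.startswith("default-group-policy")), "DfltGrpPolicy")
    protos = [l for g in (gp, "DfltGrpPolicy") for l in s.get(f"group-policy {g} attributes", []) if l.startswith("vpn-tunnel-protocol")]
    if not protos or "l2tp-ipsec" not in protos[0].split():  # unset on gp means inherited from DfltGrpPolicy
        out.append(f"group-policy {gp} does not allow l2tp-ipsec")
    return out
```

Run `audit_l2tp_ipsec(SAMPLE_CONFIG)` to get an empty list; feed it a real dump to see which of the steps above is missing.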
The complete configuration from the steps above:

```
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 exit
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
ip local pool Address-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value cisco.com
username test password test mschap
 exit
tunnel-group DefaultRAGroup general-attributes
 address-pool Address-pool
 default-group-policy L2TP-VPN
 exit
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key C!sc0@123
 exit
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
 exit
object network L2TP-Pool
 subnet 192.168.1.0 255.255.255.0
 exit
nat (inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
```

Reference link: [please add a link description](https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.html#anc12)