Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 65 Configuring L2TP over IPsec

Configuring L2TP over IPsec

IKEv1 phase 1—3DES encryption with SHA1 hash method.

IPsec phase 2—3DES or AES encryption with MD5 or SHA hash method.

PPP Authentication—PAP, MS-CHAPv1, or MS-CHAPv2 (preferred).

Pre-shared key (only for iPhone).

Detailed CLI Configuration Steps

Step 1
Command: crypto ipsec transform-set transform_name ESP_Encryption_Type ESP_Authentication_Type
Example:
hostname(config)# crypto ipsec transform-set my-transform-set esp-des esp-sha-hmac
Purpose: Creates a transform set with a specific ESP encryption type and authentication type.

Step 2
Command: crypto ipsec transform-set trans_name mode transport
Example:
hostname(config)# crypto ipsec transform-set my-transform-set mode transport
Purpose: Instructs IPsec to use transport mode rather than tunnel mode.

Step 3
Command: vpn-tunnel-protocol tunneling_protocol
Example:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
Purpose: Specifies L2TP/IPsec as the VPN tunneling protocol.

Step 4
Command: dns value [none | IP_primary [IP_secondary]]
Example:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# dns value 209.165.201.1 209.165.201.2
Purpose: (Optional) Instructs the adaptive security appliance to send DNS server IP addresses to the client for the group policy.

Step 5
Command: wins-server value [none | IP_primary [IP_secondary]]
Example:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# wins-server value 209.165.201.3 209.165.201.4
Purpose: (Optional) Instructs the adaptive security appliance to send WINS server IP addresses to the client for the group policy.

Step 6
Command: tunnel-group name type remote-access
Example:
hostname(config)# tunnel-group sales-tunnel type remote-access
Purpose: Creates a connection profile (tunnel group).
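An added example (not from the Cisco guide): a Python check that reads configuration text and reports where Steps 1 to 3 are missing or where a transform set falls outside the IPsec phase 2 algorithms listed at the top of this page. The function name, the finding strings and the handling of an optional `ikev1` keyword are assumptions of this example; the sample input is constructed from the page's own example commands.

```python
import re

# Phase 2 algorithms the page lists (3DES or AES; MD5 or SHA) as ASA keywords.
OK_ENC = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
OK_HASH = {"esp-md5-hmac", "esp-sha-hmac"}
# Assumption: "ikev1" is optional because later ASA releases add it here.
TS_RE = re.compile(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)")

def audit_l2tp_config(config_text):
    """Check a config against Steps 1-3; return a list of findings."""
    sets = {}        # transform-set name -> {"algs": [...], "transport": bool}
    protocols = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = TS_RE.fullmatch(line)
        if m:
            entry = sets.setdefault(m.group(1), {"algs": [], "transport": False})
            args = m.group(2).split()
            if args == ["mode", "transport"]:
                entry["transport"] = True       # Step 2
            elif args[0] != "mode":
                entry["algs"] = args            # Step 1
        elif line.startswith("vpn-tunnel-protocol "):
            protocols.update(line.split()[1:])  # Step 3
    findings = []
    if not sets:
        findings.append("no transform set defined")
    for name, entry in sets.items():
        if not OK_ENC.intersection(entry["algs"]):
            findings.append(f"{name}: encryption is not 3DES or AES")
        if not OK_HASH.intersection(entry["algs"]):
            findings.append(f"{name}: hash is not MD5 or SHA")
        if not entry["transport"]:
            findings.append(f"{name}: transport mode not set")
    if "l2tp-ipsec" not in protocols:
        findings.append("vpn-tunnel-protocol does not include l2tp-ipsec")
    return findings

# Constructed sample: the example commands from Steps 1-3 of this page.
PAGE_EXAMPLE = """\
crypto ipsec transform-set my-transform-set esp-des esp-sha-hmac
crypto ipsec transform-set my-transform-set mode transport
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
"""

if __name__ == "__main__":
    for finding in audit_l2tp_config(PAGE_EXAMPLE):
        print(finding)
```

Run on the page's own example commands, the check reports the `esp-des` transform from Step 1, which is outside the 3DES/AES set listed for IPsec phase 2.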
