{"id":659,"date":"2016-02-24T21:26:13","date_gmt":"2016-02-24T20:26:13","guid":{"rendered":""},"modified":"2018-10-31T22:14:35","modified_gmt":"2018-10-31T21:14:35","slug":"vpn-connecting-android-clients-asa-using-clientless-l2tp-over-ipsec","status":"publish","type":"post","link":"https:\/\/nil.uniza.sk\/en\/vpn-connecting-android-clients-asa-using-clientless-l2tp-over-ipsec\/","title":{"rendered":"VPN &#8211; Connecting Android clients to ASA using clientless L2TP over IPSec"},"content":{"rendered":"<p>\n\tIn this article I&#39;m just testing the guides available at the&nbsp;<a href=\"https:\/\/supportforums.cisco.com\/document\/69201\/asa-configuring-native-l2tp-ipsec-droid-client\">cisco support forum<\/a>&nbsp;(the same guide at the <a href=\"http:\/\/www.cisco.com\/image\/gif\/paws\/113572\/1135272-technote-asa-l2tp-00.pdf\">cisco site<\/a>) and the very good guide&nbsp;<a href=\"https:\/\/popravak.wordpress.com\/2013\/03\/06\/l2tpipsec-with-windows-8-and-cisco-asa-8-x9-x\/\" rel=\"bookmark\">L2TP\/IPSec with Windows 8\/7 and Cisco ASA&nbsp;8.x\/9.x<\/a>, as I need secure access to my academy&#39;s network. For years I had used the native Cisco VPN client (no longer supported), and then on Windows 10 the Shrew Soft VPN client. &nbsp;Neither of them is available for Android devices (tablets, smart phones). I do not use AnyConnect, as it is licensed. I&#39;m expecting to run the previously defined IPsec client-based VPN together with the clientless L2TP over IPSec VPN.<\/p>\n<h2>\n\tPrerequisites:<\/h2>\n<ul>\n<li>\n\t\tan L2TP client (built into an Android device or Windows)<\/li>\n<li>\n\t\tan ASA firewall with a system image of version 8.2.5 or later. Check the version with:<\/li>\n<\/ul>\n<pre>\r\nkis-asa-5515X# sh version | in image\r\nSystem image file is &quot;disk0:\/asa861-2-smp-k8.bin&quot;<\/pre>\n<div>\n\tL2TP tunneling is supported for IKEv1 only. Both pre-shared key and certificate-based authentication may be used. 
ASA supports IPSec tunnel mode as well as transport mode; however, because Windows supports only transport mode, the use of transport mode is recommended for interoperability.&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tTo configure an L2TP\/IPSec connection terminated on the ASA, and to allow native VPN clients to make a VPN connection to the ASA,&nbsp;we need to configure:<\/div>\n<div>\n<ul>\n<li>\n\t\t\tAAA and an address pool<\/li>\n<li>\n\t\t\tIKEv1 phase 1 &#8211; using 3DES encryption with the SHA1 hash method and a pre-shared key<\/li>\n<li>\n\t\t\tIPsec phase 2 &#8211; using 3DES or AES encryption with the MD5 or SHA hash method.<\/li>\n<li>\n\t\t\tGroup policy, tunnel group and PPP authentication (only PAP, MS-CHAPv1, or MS-CHAPv2 (preferred) are supported).<\/li>\n<\/ul>\n<p>\n\t\t&nbsp;<\/p>\n<h2>\n\t\tConfiguration<\/h2>\n<h3>\n\t\t1. AAA and an IP address pool<\/h3>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t1. To allocate IP addresses to the L2TP clients we may use a predefined address pool (my case), define a new local address pool, or use a DHCP server for the adaptive security appliance.<\/p>\n<p>\n\t\tSo, in my case there is an existing one:<\/p>\n<pre>\r\nkis-asa-5515X# sh run | in local pool\r\nip local pool KIS-VPN-POOL 10.0.0.15-10.0.0.254 mask 255.255.255.0<\/pre>\n<div>\n\t\t&nbsp;<\/div>\n<div>\n\t\tIf not, just create one. To do that apply the following command, where we specify the pool name, address range and mask:<\/div>\n<pre>\r\nip local pool pool_name starting_address-ending_address mask subnet_mask<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\tfor example:<\/p>\n<pre>\r\nhostname(config)# ip local pool <span style=\"color:#b22222;\">KIS_L2TP_POOL<\/span> 10.0.255.15-10.0.255.254 mask 255.255.255.0<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t2. Create a local account (for example for testing purposes; another AAA mechanism may be configured later)<\/p>\n<pre>\r\n! 
&nbsp;username NAME password PASS mschap \r\nconf t\r\nusername skuska password **** mschap<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t<strong>NOTE:&nbsp;<\/strong>the command has to end with the mschap attribute; using just a username with a password does not work!<\/p>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t<strong>Check<\/strong>:<\/p>\n<pre>\r\nkis-asa-5515X# sh run | in skuska\r\nusername skuska password alNPeMUMkMOIVnhVVPUvlQ== <span style=\"background-color:#ffff00;\">nt-encrypted<\/span><\/pre>\n<h3>\n\t\t&nbsp;<\/h3>\n<h3>\n\t\t2. Configuring IKEv1<\/h3>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t3. Define the IKEv1 policy using a pre-shared key, 3DES (tested) or AES (not tested) encryption, the hashing mechanism, the Diffie-Hellman group and the SA lifetime:<\/p>\n<pre>\r\ncrypto ikev1 policy 10\r\n            authentication pre-share\r\n            encryption 3des\r\n            hash sha\r\n            group 2\r\n            lifetime 86400<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t4. Enable ISAKMP (IKEv1) on the ASA outside interface<\/p>\n<pre>\r\ncrypto ikev1 enable outside<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t<strong>Check<\/strong>:<\/p>\n<pre>\r\nkis-asa-5515X# <strong>sh run crypto ikev1<\/strong>\r\ncrypto ikev1 enable outside\r\n\r\n! my client-based IPsec\r\ncrypto ikev1 policy 1\r\n authentication pre-share\r\n encryption aes-256\r\n hash sha\r\n group 2\r\n lifetime 3600\r\n\r\n<em><strong>! works for L2TP\r\ncrypto ikev1 policy 10\r\n authentication pre-share\r\n encryption 3des\r\n hash sha\r\n group 2\r\n lifetime 86400<\/strong><\/em><\/pre>\n<div>\n\t\t&nbsp;<\/div>\n<h3>\n\t\t3. Configuring IPsec&nbsp;<\/h3>\n<p>\n\t\t5. Next we create a transform set with a specific ESP encryption and hashing type<\/p>\n<pre>\r\n! crypto ipsec ikev1 transform-set NAME esp-3des esp-sha-hmac\r\n! \r\n! 
in my case\r\n\r\ncrypto ipsec ikev1 transform-set <span style=\"color: rgb(0, 128, 0);\">ESP-3DES-SHA-TRANS <\/span>esp-3des esp-sha-hmac<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\tand we instruct IPsec to use transport mode (required) rather than tunnel mode.<\/p>\n<pre>\r\n! crypto ipsec ikev1 transform-set NAME mode transport\r\n!\r\n! in my case\r\n\r\ncrypto ipsec ikev1 transform-set <span style=\"color: rgb(0, 128, 0);\">ESP-3DES-SHA-TRANS<\/span> mode <span style=\"color:#ff8c00;\"><strong>transport<\/strong><\/span><\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t6. Alternatively we may create several transform sets, for example&nbsp;<\/p>\n<pre>\r\ncrypto ipsec ikev1 transform-set <span style=\"color:#006400;\">ESP-AES-SHA-TRANS<\/span> esp-aes esp-sha-hmac \r\ncrypto ipsec ikev1 transform-set <span style=\"color:#006400;\">ESP-AES-SHA-TRANS <\/span>mode transport<\/pre>\n<p>\n\t\t<strong>Check:<\/strong><\/p>\n<pre>\r\nkis-asa-5515X# <strong>sh run crypto ipsec<\/strong>\r\ncrypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac\r\n<strong>crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac\r\ncrypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport<\/strong><\/pre>\n<pre>\r\n<strong>crypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS esp-aes esp-sha-hmac\r\ncrypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS mode transport<\/strong><\/pre>\n<div>\n<p>\n\t\t\t&nbsp;<\/p>\n<p>\n\t\t\t7. Now we will create a dynamic crypto map, which uses the specified transform sets (max 7), and then we map it to an ordinary crypto map. 
This feature is not documented in the&nbsp;<a href=\"http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/security\/asa\/asa84\/configuration\/guide\/asa_84_cli_config\/vpn_l2tp_ipsec.html#wp1043201\">Configuring L2TP over IPSec<\/a>&nbsp;guide.<\/p>\n<p>\n\t\t\t&nbsp;<\/p>\n<p>\n\t\t\tSo, create a dynamic map with the specified name using the defined transform sets:<\/p>\n<pre>\r\n! crypto dynamic-map NAME 10 set ikev1 transform-set YOUR-TRANSFORM-SET1 TRANSFORM-SET2 ...\r\n! \r\n! in my case\r\n\r\ncrypto dynamic-map <span style=\"color: rgb(255, 0, 0);\">L2TP-VPN-DYN-MAP<\/span> 10 set ikev1 transform-set <span style=\"color:#008000;\">ESP-3DES-SHA-TRANS <\/span>ESP-AES-SHA-TRANS<\/pre>\n<p>\n\t\t\t&nbsp;<\/p>\n<p>\n\t\t\tand attach the dynamic map to a crypto map<\/p>\n<pre>\r\n! crypto map vpn 20 ipsec-isakmp dynamic dyno\r\n!\r\n! in my case\r\n\r\ncrypto map <span style=\"background-color: rgb(255, 255, 0);\">L2TP-VPN<\/span> 10 ipsec-isakmp dynamic <span style=\"color: rgb(255, 0, 0);\">L2TP-VPN-DYN-MAP<\/span><\/pre>\n<p>\n\t\t\t&nbsp;<\/p>\n<p>\n\t\t\t<strong>Check<\/strong><\/p>\n<pre>\r\nkis-asa-5515X# <strong>sh run crypto dynamic-map<\/strong>\r\ncrypto dynamic-map L2TP-VPN-DYN-MAP 10 set ikev1 transform-set ESP-3DES-SHA-TRANS ESP-AES-SHA-TRANS<\/pre>\n<p>\n\t\t\t&nbsp;<\/p>\n<p>\n\t\t\t8. 
Apply the crypto map to the outside interface<\/p>\n<pre>\r\ncrypto map <span style=\"background-color: rgb(255, 255, 0);\">L2TP-VPN<\/span> interface outside<\/pre>\n<p>\n\t\t\t<strong>Check:<\/strong><\/p>\n<pre>\r\nkis-asa-5515X# <strong>sh run crypto map<\/strong>\r\ncrypto map L2TP-VPN 10 ipsec-isakmp dynamic L2TP-VPN-DYN-MAP\r\ncrypto map L2TP-VPN interface outside<\/pre>\n<p>\n\t\t\t&nbsp;<\/p>\n<\/p><\/div>\n<hr \/>\n<p>\n\t\t<strong>NOTE: <\/strong>If your ASA is&nbsp;already&nbsp;using a crypto map (for a legacy IPsec VPN, for example), you cannot apply more than one crypto map per interface (the commands overwrite each other).<\/p>\n<p>\n\t\tTherefore you need to modify the existing dynamic crypto map and extend its list of transform sets with the new one used for the L2TP tunnel. We cannot just add a new entry to the existing dynamic crypto map.<\/p>\n<p>\n\t\tFor example, I already had configured an ordinary IPsec crypto map<\/p>\n<pre>\r\ncrypto map KIS-VPN-MAP 1 ipsec-isakmp dynamic KIS-VPN-DYN-MAP<\/pre>\n<p>\n\t\twhich is linked with an already defined IPSec dynamic crypto map<\/p>\n<pre>\r\ncrypto dynamic-map KIS-VPN-DYN-MAP 1 set ikev1 transform-set ESP-AES-256-SHA<\/pre>\n<div>\n\t\t&nbsp;<\/div>\n<p>\n\t\tAdding just another line<\/p>\n<pre>\r\ncrypto dynamic-map KIS-VPN-DYN-MAP <span style=\"background-color:#ffff00;\">10<\/span> set ikev1 transform-set ESP-3DES-SHA-TRANS ESP-AES-SHA-TRANS\r\n<\/pre>\n<p>\n\t\t<strong>does not work!!! 
<\/strong>The VPN establishment process ends with a&nbsp;QM FSM error and a Phase 2 mismatch error (see the troubleshooting section at the bottom).<\/p>\n<p>\n\t\tWe need to extend the DYNAMIC crypto map configuration with all supported transform sets:<\/p>\n<p>\n\t\tPrevious:<\/p>\n<pre>\r\ncrypto dynamic-map KIS-VPN-DYN-MAP 1 set ikev1 transform-set ESP-AES-256-SHA<\/pre>\n<p>\n\t\tto the same but extended:<\/p>\n<pre>\r\ncrypto dynamic-map KIS-VPN-DYN-MAP 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-SHA-TRANS ESP-AES-SHA-TRANS<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<h3>\n\t\t4. Configuring group policy and tunnel groups (profiles)<\/h3>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t9. Create an internal group-policy (or we may use the default &ldquo;DfltGrpPolicy&rdquo; policy)<\/p>\n<pre>\r\n! command:\r\n! group-policy NAME internal\r\n!\r\n! which for my case is:\r\n\r\ngroup-policy <span style=\"color:#0000cd;\">L2TP_IPSEC_POLICY<\/span> internal<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\tand specify the policy attributes:<\/p>\n<ul>\n<li>\n\t\t\twhere we&nbsp;specify L2TP\/IPsec as the VPN tunneling protocol.<\/li>\n<li>\n\t\t\tand we instruct the ASA to assign a DNS server IP address to the client for the group policy.<\/li>\n<\/ul>\n<pre>\r\n! command:\r\n! group-policy NAME attributes\r\n!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dns-server value &lt;dns_server&gt;\r\n!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; vpn-tunnel-protocol l2tp-ipsec\r\n! \r\n! which for my case is:\r\n\r\ngroup-policy <span style=\"color:#0000cd;\">L2TP_IPSEC_POLICY<\/span> attributes\r\n       dns-server value 158.193.152.2\r\n       vpn-tunnel-protocol l2tp-ipsec<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t10. Now we may either create a new connection profile (tunnel group) (works with limitations) or just modify the attributes of the existing <em>DefaultRAGroup <\/em>(<strong>works without problems<\/strong>). 
Then we define the general attributes of the tunnel group that will be used.<\/p>\n<ul>\n<li>\n\t\t\tMap the defined group policy to the tunnel group<\/li>\n<li>\n\t\t\tMap the defined address pool to be used by this connection profile (tunnel group)<\/li>\n<li>\n\t\t\t<span style=\"background-color:#ffff00;\">Optionally specify a method to authenticate users attempting L2TP over IPsec connections for the connection profile (tunnel group). If we are not using the ASA to perform local authentication, add a fallback to local authentication by appending&nbsp;LOCAL to the end of the command.<\/span><\/li>\n<\/ul>\n<p>\n\t\t&nbsp;<\/p>\n<pre>\r\n! !! modify the default profile\r\n!\r\n! tunnel-group DefaultRAGroup general-attributes\r\n!            default-group-policy OUR_POLICY\r\n!            address-pool OUR_ADDRESS_POOL\r\n!            authentication-server-group NAME_OF_AAA_SOURCES LOCAL\r\n! \r\n! or create a new one\r\n!\r\n! tunnel-group NAME_OF_NEW_TUNNEL_GROUP_PROFILE type remote-access\r\n!\r\n! tunnel-group NAME_OF_NEW_TUNNEL_GROUP_PROFILE general-attributes\r\n!            default-group-policy OUR_POLICY\r\n!            address-pool OUR_ADDRESS_POOL\r\n!\r\n! for my case I&#39;ve tried to create a new tunnel group for l2tp only\r\n! \r\n\r\ntunnel-group KIS_L2TP_PROFILE type remote-access\r\n\r\ntunnel-group KIS_L2TP_PROFILE general-attributes\r\n            default-group-policy <span style=\"color:#0000cd;\">L2TP_IPSEC_POLICY<\/span>\r\n            address-pool <span style=\"color:#b22222;\">KIS_L2TP_POOL<\/span>\r\n<\/pre>\n<hr \/>\n<p>\n\t\t<strong>Important Note<\/strong>: after some testing I need to mention that using your own profile (tunnel-group) is a problem. 
With the Windows 10 built-in L2TP client there is no possibility to set up a tunnel group name (profile). Then on my ASA box&nbsp;I received the following error messages:<\/p>\n<pre>\r\nkis-asa-5515X# debug crypto ikev1\r\nkis-asa-5515X# Mar 01 20:06:14 [IKEv1]Group = 37.61.161.245, IP = 37.61.161.245,<span style=\"background-color: rgb(255, 255, 0);\">Can&#39;t find a valid tunnel group, aborting...!<\/span>\r\nMar 01 20:06:15 [IKEv1]IP = 37.61.161.245, Header invalid, missing SA payload! (next payload = 4)\r\n...<\/pre>\n<div>\n\t\tSome tutorials, such as&nbsp;<a href=\"https:\/\/popravak.wordpress.com\/2013\/03\/06\/l2tpipsec-with-windows-8-and-cisco-asa-8-x9-x\/\" rel=\"bookmark\">L2TP\/IPSec with Windows 8\/7 and Cisco ASA&nbsp;8.x\/9.x<\/a>,&nbsp;explicitly note that&nbsp;<\/div>\n<blockquote><p>\n\t\t<em>&quot;If we authenticate devices with pre-shared keys, we must use &ldquo;DefaultRAGroup&rdquo; tunnel group&quot;<\/em><\/p><\/blockquote>\n<div>\n\t\t&nbsp;<\/div>\n<div>\n\t\tTesting the L2TP client on my Android smartphone (Android version 5), there is an option called&nbsp;<strong>IPSec ID&nbsp;<\/strong>where it is possible to define a tunnel group; this is then correctly processed by the ASA.&nbsp;<\/div>\n<div>\n\t\t&nbsp;<\/div>\n<div>\n\t\tHowever, for flexibility I&#39;m going back and I&#39;ll modify the default group profile:<\/div>\n<div>\n\t\t&nbsp;<\/div>\n<div>\n<pre>\r\ntunnel-group DefaultRAGroup general-attributes\r\n    default-group-policy L2TP_IPSEC_POLICY\r\n    address-pool KIS-VPN-POOL\r\n\r\ntunnel-group DefaultRAGroup ipsec-attributes\r\n    ikev1 pre-shared-key ******\r\n<\/pre>\n<\/p><\/div>\n<hr \/>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t11. Now we specify the PPP authentication protocol for the tunnel group. Don&#39;t forget that for PPP authentication only PAP, MS-CHAPv1, or MS-CHAPv2 (preferred) are supported<\/p>\n<pre>\r\n! hostname(config)# tunnel-group <em>NAME_OF_NEW_TUNNEL_GROUP_PROFILE <\/em>ppp-attributes\r\n! 
hostname(config-ppp)# authentication ms-chap-v1\r\n!\r\n! in my case\r\n\r\ntunnel-group KIS_L2TP_PROFILE ppp-attributes\r\n          no authentication pap\r\n          no authentication chap\r\n          no authentication ms-chap-v1\r\n          authentication ms-chap-v2\r\n<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t12. Now we define the pre-shared key for our tunnel group (connection profile)<\/p>\n<pre>\r\n! tunnel-group DefaultRAGroup ipsec-attributes\r\n!            ikev1 pre-shared-key *\r\n!\r\n!\r\n! in my case\r\n\r\ntunnel-group KIS_L2TP_PROFILE ipsec-attributes\r\n            ikev1 pre-shared-key ****PASSWORD****<\/pre>\n<p>\n\t\t<strong>Checking<\/strong> the <a href=\"https:\/\/nil.uniza.sk\/en\/practical-cisco\/asa\/asa-how-show-ike-pre-shared-key-psk-recovery\/\">PSK key:<\/a><\/p>\n<pre>\r\nmore system:running-config | in shared<\/pre>\n<h2>\n\t\t&nbsp;<\/h2>\n<h2 id=\"Configurations\">\n\t\tFinal configuration<\/h2>\n<p>\n\t\tHere is the working final configuration gathered from the previous steps:<\/p>\n<pre>\r\n! account for local authentication\r\nusername skuska password **** mschap\r\n\r\n! pool of addresses used to assign to l2tp clients\r\nip local pool KIS_L2TP_VPN_POOL 10.0.255.1-10.0.255.254 mask 255.255.255.0\r\n\r\n! ikev1\r\ncrypto ikev1 enable outside\r\ncrypto ikev1 policy 10\r\n    authentication pre-share\r\n    encryption 3des\r\n    hash sha\r\n    group 2\r\n    lifetime 86400\r\n\r\n! IPsec\r\n! 
one transform set\r\ncrypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac\r\ncrypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport\r\n\r\n! another transform set\r\ncrypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS esp-aes esp-sha-hmac\r\ncrypto ipsec ikev1 transform-set ESP-AES-SHA-TRANS mode transport\r\n\r\n! dynamic crypto map\r\ncrypto dynamic-map L2TP-VPN-DYN-MAP 10 set ikev1 transform-set ESP-3DES-SHA-TRANS ESP-AES-SHA-TRANS\r\n\r\n! mapping the dynamic crypto map to a crypto map\r\ncrypto map L2TP-VPN 10 ipsec-isakmp dynamic L2TP-VPN-DYN-MAP\r\n\r\n! applying the crypto map to the interface\r\ncrypto map L2TP-VPN interface outside\r\n\r\n! l2tp policy\r\ngroup-policy L2TP_IPSEC_POLICY internal\r\n\r\ngroup-policy L2TP_IPSEC_POLICY attributes\r\n    dns-server value 158.193.152.2\r\n    vpn-tunnel-protocol l2tp-ipsec\r\n\r\n! modifying the default tunnel profile (references the pool defined above)\r\ntunnel-group DefaultRAGroup general-attributes\r\n    default-group-policy L2TP_IPSEC_POLICY\r\n    address-pool KIS_L2TP_VPN_POOL\r\n\r\n! ppp attributes\r\ntunnel-group DefaultRAGroup ppp-attributes\r\n    no authentication pap\r\n    no authentication chap\r\n    no authentication ms-chap-v1\r\n    authentication ms-chap-v2\r\n\r\ntunnel-group DefaultRAGroup ipsec-attributes\r\n    ikev1 pre-shared-key ***\r\n<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<h3>\n\t\t5. AAA authentication<\/h3>\n<p>\n\t\tThe configuration described here uses the LOCAL database of accounts for authentication. I&#39;m using a central MS Active Directory controller for that. Now I will just add a small configuration showing how to authenticate L2TP VPN users against MS AD. The AD service of course has to be running within your network.<\/p>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t5.1 Define the AAA server<\/p>\n<pre>\r\n! aaa-server NAME protocol radius\r\n! aaa-server NAME (interface) host IP_ADDRESS\r\n!  key *****\r\n!\r\n! 
which is in my case\r\n\r\naaa-server KIS-PDC protocol radius\r\naaa-server KIS-PDC (vlan10) host 192.168.10.2\r\n key *****<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t5.2 Modify the tunnel group general parameters to add the AAA server<\/p>\n<p>\n\t\tHere is the config in use<\/p>\n<pre>\r\ntunnel-group DefaultRAGroup general-attributes\r\n    default-group-policy L2TP_IPSEC_POLICY\r\n    address-pool KIS-VPN-POOL<\/pre>\n<p>\n\t\twhich is extended with<\/p>\n<pre>\r\nauthentication-server-group KIS-PDC<\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\tThe final block looks like:<\/p>\n<pre>\r\ntunnel-group DefaultRAGroup general-attributes\r\n    default-group-policy L2TP_IPSEC_POLICY\r\n    address-pool KIS-VPN-POOL\r\n    <span style=\"background-color:#ffffe0;\">authentication-server-group KIS-PDC<\/span><\/pre>\n<p>\n\t\t&nbsp;<\/p>\n<p>\n\t\t&nbsp;<\/p>\n<h2>\n\t\tNAT and ACL<\/h2>\n<p>\n\t\tDo not forget to solve the NAT and ACL!&nbsp;<\/p>\n<p>\n\t\t&nbsp;<\/p>\n<p><\/p>\n<h2>\n\t\tSetting up an L2TP client<\/h2>\n<h3>\n\t\tConfiguring Android 5.0.2, kernel 3.4.0+<\/h3>\n<ol>\n<li>\n\t\t\tOpen the menu and choose <strong>Settings<\/strong><\/li>\n<li>\n\t\t\tSelect <strong>Tethering and Networks<\/strong><\/li>\n<li>\n\t\t\tSelect <strong>VPN<\/strong><\/li>\n<li>\n\t\t\tSelect <strong>Add VPN<\/strong><\/li>\n<li>\n\t\t\tThen set the VPN name, VPN type (L2TP\/IPSec PSK), server IP address and the IPSec&nbsp;pre-shared key&nbsp;(password)&nbsp;<\/li>\n<li>\n\t\t\tDo not set an L2TP secret<\/li>\n<li>\n\t\t\tOpen the menu and choose Save<\/li>\n<li>\n\t\t\tThen select the just-created VPN<\/li>\n<li>\n\t\t\tSet the user name and password<\/li>\n<li>\n\t\t\tCheck Save account information<\/li>\n<li>\n\t\t\tClick on Connect &#8230; Done<\/li>\n<\/ol>\n<p>\n\t\t&nbsp;<\/p>\n<h3>\n\t\tWin10<\/h3>\n<p>\n\t\tA nice tutorial with images is available at <a 
href=\"https:\/\/www.cactusvpn.com\/tutorials\/how-to-set-up-l2tp-vpn-on-windows-10\/\">https:\/\/www.cactusvpn.com\/tutorials\/how-to-set-up-l2tp-vpn-on-windows-10\/<\/a><\/p>\n<p>\n\t\tSo:<\/p>\n<ol>\n<li>\n\t\t\tOpen &quot;Network and Sharing Center&quot;,<\/li>\n<li>\n\t\t\tSelect &quot;Set up a new connection or network&quot;<\/li>\n<li>\n\t\t\tSelect &quot;Connect to a workplace&quot;, click &quot;Next&quot;, select &quot;Use my Internet connection (VPN)&quot;, then<\/li>\n<li>\n\t\t\tEnter the ASA&#39;s IP address into the &quot;Internet address&quot; field, enter a descriptive name into the &quot;Destination name&quot; field, and click Create.<\/li>\n<li>\n\t\t\tOnce created, go back to &quot;Network and Sharing Center&quot;, and from the left menu select&nbsp;&quot;Change adapter settings&quot;; you should see all your network adapters, among them your just-created L2TP VPN adapter. You may notice that under the adapter name is written IKEv2, so we need to modify the settings.<\/li>\n<li>\n\t\t\tRight-click on the L2TP adapter, select &quot;Properties&quot;, choose the &quot;Security&quot; tab and there set the correct &quot;Type of VPN&quot; to L2TP\/IPsec<\/li>\n<li>\n\t\t\tThen click on &quot;Advanced settings&quot; under &quot;Type of VPN&quot;, where you should set up your pre-shared key.<\/li>\n<li>\n\t\t\tClick on &quot;OK&quot; and you will go back to the adapter properties window.<\/li>\n<li>\n\t\t\tAs &quot;Data encryption&quot; choose &quot;Maximum strength &#8230;&quot;<\/li>\n<li>\n\t\t\tWithin &quot;Authentication&quot; select &quot;Allow these protocols&quot; and select Microsoft CHAP v2 (MS-CHAP v2). 
Click on Yes.<\/li>\n<li>\n\t\t\tNow right-click on the L2TP adapter and select Connect, and then Connect again.<\/li>\n<li>\n\t\t\tThe system will prompt you for a username and password<\/li>\n<\/ol>\n<h2>\n\t\t&nbsp;<\/h2>\n<h2>\n\t\tVerification and troubleshooting<\/h2>\n<p>\n\t\tUse these commands to confirm that your connection works properly.<\/p>\n<ul>\n<li>\n\t\t\tterminal monitor (see debugging info on your vty session)<\/li>\n<li>\n\t\t\tshow run crypto ikev1 (8.3.2.12+)<\/li>\n<li>\n\t\t\tshow run crypto dynamic-map<\/li>\n<li>\n\t\t\tshow run crypto ipsec<\/li>\n<li>\n\t\t\tshow vpn-sessiondb ra-ikev1-ipsec (8.3.2.12+)<\/li>\n<li>\n\t\t\tshow vpn-sessiondb remote (8.2.5)<\/li>\n<li>\n\t\t\tdebug crypto ikev1<\/li>\n<li>\n\t\t\tmore system:running-config | in shared<\/li>\n<li>\n\t\t\tsh crypto ipsec sa (see connected users)<\/li>\n<\/ul>\n<\/div>\n<h2>\n\t&nbsp;<\/h2>\n<h2>\n\tTroubleshooting of observed problems<\/h2>\n<p>\n\tSome of the problem solving I have already mentioned. Just to repeat:<\/p>\n<h3>\n\tOwn tunnel-group problem<\/h3>\n<p>\n\tThe debug output is similar for both L2TP clients trying to connect (Android, Windows)&nbsp;<\/p>\n<div>\n<pre>\r\nkis-asa-5515X# Feb 29 20:40:54 [IKEv1]Group = 37.61.161.245, IP = 37.61.161.245,<span style=\"background-color:#ffff00;\"> Can&#39;t find a valid tunnel group, aborting...!<\/span>\r\nFeb 29 20:40:57 [IKEv1]IP = 37.61.161.245, Header invalid, missing SA payload! (next payload = 4)\r\nFeb 29 20:40:59 [IKEv1]IP = 37.61.161.245, Header invalid, missing SA payload! (next payload = 4)<\/pre>\n<div>\n\t\t<strong>Reason<\/strong>: I had used my own tunnel group and the ASA cannot find a valid tunnel group for the incoming session. 
<\/div>\n<div>\n\t\t<strong>Solution<\/strong>: &quot;<em>If we authenticate devices with pre-shared keys, we must use &ldquo;DefaultRAGroup&rdquo; tunnel group&quot;<\/em><\/div>\n<div>\n\t\t&nbsp;<\/div>\n<\/div>\n<h3>\n\tBad IPsec password<\/h3>\n<p>\n\tOnce you mistype your IPsec password (pre-shared key) you may receive the following message:<\/p>\n<pre>\r\nkis-asa-5515X# Mar 01 20:36:46 [IKEv1]Group = DefaultRAGroup, IP = 37.61.161.245, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0\r\n\r\nMar 01 20:36:46 [IKEv1]Group = DefaultL2LGroup, IP = 37.61.161.245, <span style=\"background-color:#ffff00;\">ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting<\/span><\/pre>\n<div>\n\t&nbsp;<\/div>\n<h3>\n\tQM FSM Error<\/h3>\n<p>\n\tRunning debug crypto ikev1 we may observe the message:<\/p>\n<pre>\r\nkis-asa-5515X# Mar 01 22:06:08 [IKEv1]Group = DefaultRAGroup, IP = 37.61.161.245,<span style=\"background-color:#ffff00;\"> QM FSM error<\/span> \r\n(P2 struct &amp;0x00007fff2ef9bf50, mess id 0x1)!\r\n\r\nMar 01 22:06:08 [IKEv1]Group = DefaultRAGroup, IP = 37.61.161.245, Removing peer from correlator \r\ntable failed, no match!\r\n\r\nMar 01 22:06:08 [IKEv1]Group = DefaultRAGroup, IP = 37.61.161.245, Session is being torn down.\r\n Reason: Phase 2 Mismatch\r\n<\/pre>\n<div>\n<p>\n\t\tA possible reason is a mismatch of the transform set parameters.<\/p>\n<p>\n\t\t&nbsp;<\/p>\n<h3>\n\t\tBad PPP name \/ password<\/h3>\n<p>\n\t\tWindows prints<\/p>\n<p>\n\t\t<img decoding=\"async\" alt=\"\" src=\"\/wp-content\/uploads\/files\/image\/Cisco-practical\/l2tp\/l2tp1.png\" style=\"width: 250px; height: 128px;\" \/><\/p>\n<p>\n\t\twhich means:<\/p>\n<p>\n\t\t1) on the Windows side: bad combination of username and password<\/p>\n<p>\n\t\t2) on the ASA side: local account created without the mschap attribute<\/p>\n<p>\n\t\t&nbsp;<\/p>\n<\/div>\n<h2>\n\tHelpful links<\/h2>\n<ul>\n<li>\n\t\t<a 
href=\"http:\/\/www.cisco.com\/en\/US\/docs\/security\/asa\/asa84\/configuration\/guide\/vpn_l2tp_ipsec.html#wp1043201\" rel=\"nofollow\">Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6: Configuring L2TP over IPsec<\/a><\/li>\n<li>\n\t\t<a href=\"http:\/\/www.cisco.com\/en\/US\/docs\/security\/asa\/asa83\/configuration\/guide\/nat_overview.html\" rel=\"nofollow\">Cisco ASA 5500 Series Configuration Guide using the CLI, 8.3: Information about NAT<\/a><\/li>\n<li>\n\t\t<a href=\"http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/security-vpn\/ipsec-negotiation-ike-protocols\/5409-ipsec-debug-00.html\">IPsec Troubleshooting: Understanding and Using debug Commands<\/a><\/li>\n<\/ul>\n<p>\n\t&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p>","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"footnotes":""},"categories":[749],"tags":[],"class_list":["post-659","post","type-post","status-publish","format-standard","hentry","category-asa-en"],"taxonomy_info":{"category":[{"value":749,"label":"ASA"}]},"featured_image_src_large":false,"author_info":{"display_name":"admin","author_link":"https:\/\/nil.uniza.sk\/en\/author\/admin\/"},"comment_info":10,"category_info":[{"term_id":749,"name":"ASA","slug":"asa-en","term_group":0,"term_taxonomy_id":747,"taxonomy":"category","description":"","parent":747,"count":5,"filter":"raw","cat_ID":749,"category_count":5
,"category_description":"","cat_name":"ASA","category_nicename":"asa-en","category_parent":747}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/659","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/comments?post=659"}],"version-history":[{"count":0,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/posts\/659\/revisions"}],"wp:attachment":[{"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/media?parent=659"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/categories?post=659"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nil.uniza.sk\/en\/wp-json\/wp\/v2\/tags?post=659"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}