ASA EasyVPN, Cisco VPN, L2TP/IPsec and AnyConnect VPN

fuhdan
Level 1

Hi all

I have an ASA 5505 with OS 9.1(7)

Currently I have the following VPNs configured:

  • EasyVPN (Site2Site VPN)
  • SSL WebVPN (AnyConnect)
  • Cisco VPN (old Cisco VPN Client)

All is working fine. Now the customer needs to have an L2TP/IPsec VPN as well (replacing the old Cisco VPN).

I tried this config:

ip local pool l2tp-clientpool x.x.x.x mask 255.255.255.0

access-list split_tunnel extended permit ip object OBJ1 object VPNClient_Subnet
access-list split_tunnel extended permit ip object OBJ2 object VPNClient_Subnet
access-list split_tunnel extended permit ip object-group EZVPN_subnets object VPNClient_Subnet

crypto ipsec ikev1 transform-set vpn-client esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-l2tp-client esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-l2tp-client mode transport
crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map vpn-client 10 set ikev1 transform-set vpn-client
crypto dynamic-map vpn-client 10 set security-association lifetime seconds 28800
crypto dynamic-map vpn-client 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map vpn-client 10 set reverse-route

crypto map peerX 80 ipsec-isakmp dynamic vpn-l2tp-client
crypto map peerX 100 ipsec-isakmp dynamic vpn-client
crypto map peerX interface outside

group-policy vpn_bwo_l2tp internal
group-policy vpn_bwo_l2tp attributes
 dns-server value x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 intercept-dhcp enable

username vpnuser password xxx nt-encrypted

tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-clientpool
 default-group-policy vpn_bwo_l2tp
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key xxx
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2

With this, the L2TP/IPsec VPN works fine. I can connect with Mac and Windows as well as with mobile devices. But the EasyVPN and the Cisco VPN are not working any more.

If I switch:

crypto map peerX 100 ipsec-isakmp dynamic vpn-client

crypto map peerX 110 ipsec-isakmp dynamic vpn-l2tp-client
crypto map peerX interface outside

The L2TP/IPsec VPN is not working but EasyVPN and Cisco VPN are working.

Is there a way to configure L2TP/IPsec VPN along with EasyVPN? I can drop the Cisco VPN, if needed. But EasyVPN I need to have.

Thanks for any hint.

Best Regards, Daniel
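
An added example, not part of the original post: the ASA evaluates crypto map entries in ascending sequence-number order, so a small Python check can list the entries in that order and report any dynamic map that a crypto map entry references but for which the input contains no transform-set line. The sample input is constructed from the crypto lines shown in the post; the function name and regular expressions are assumptions of this example.

```python
import re

# Constructed sample: the crypto lines shown in the post, reduced to what the check needs.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set vpn-client esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-l2tp-client esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-l2tp-client mode transport
crypto dynamic-map vpn-client 10 set ikev1 transform-set vpn-client
crypto dynamic-map vpn-client 10 set reverse-route
crypto map peerX 80 ipsec-isakmp dynamic vpn-l2tp-client
crypto map peerX 100 ipsec-isakmp dynamic vpn-client
crypto map peerX interface outside
"""

TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set ikev1 transform-set (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")

def audit_crypto_maps(config):
    """Return (entries, findings): entries sorted by sequence number, plus issues found."""
    transform_sets, dynamic_maps, entries = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := TS_RE.match(line):
            transform_sets.setdefault(m[1], []).append(m[2])
        elif m := DYN_RE.match(line):
            dynamic_maps.setdefault(m[1], []).extend(m[3].split())
        elif m := MAP_RE.match(line):
            entries.append((m[1], int(m[2]), m[3]))
    entries.sort(key=lambda e: (e[0], e[1]))  # order in which the entries are evaluated
    findings = []
    for map_name, seq, dyn in entries:
        if dyn not in dynamic_maps:
            findings.append(f"{map_name} {seq}: dynamic-map '{dyn}' has no transform-set line")
            continue
        for ts in dynamic_maps[dyn]:
            if ts not in transform_sets:
                findings.append(f"{map_name} {seq}: transform-set '{ts}' is not defined")
    return entries, findings

if __name__ == "__main__":
    entries, findings = audit_crypto_maps(SAMPLE_CONFIG)
    for map_name, seq, dyn in entries:
        print(f"{map_name} seq {seq} -> dynamic-map {dyn}")
    for f in findings:
        print("FINDING:", f)
```

The check only sees the lines it is given, so a finding can also mean that part of the configuration was left out of the input.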
