L2TP Windows 7, split-tunnel and site-to-site

Damir Reic
Level 1

Hi all,

I am having this interesting problem that has been driving me crazy the whole day. I have an ASA 5505 (ver 9) where I configured a site-to-site VPN to another router, and that works. Then I configured an L2TP/IPsec VPN on the ASA with split tunneling, and I can reach my local network. The problem is when I try to reach the remote network that is behind that site-to-site VPN. Whatever I do, I am not able to reach that network. This same exact setup works on a different ASA with AnyConnect VPN.

So this is what I did:

1) Added the VPN subnet as a 2nd SA to the existing site-to-site VPN

2) Configured NAT exemption for the VPN subnet when going to the remote subnet

3) Published that remote subnet to the VPN client.

This should do the trick, as it does when AnyConnect is in question.

I'll paste a few commands that are relevant:

! Address pool handed to L2TP/IPsec clients
ip local pool VPN_POOL 192.168.255.100-192.168.255.235 mask 255.255.255.0

object network L2TP-VPN-subnet
 subnet 192.168.255.0 255.255.255.0

! Crypto ACL of the site-to-site tunnel; the second line adds the L2TP pool as a 2nd SA
access-list outside_cryptomap extended permit ip 192.168.17.0 255.255.255.0 object Site-172.16.17.0
access-list outside_cryptomap extended permit ip 192.168.255.0 255.255.255.0 object Site-172.16.17.0
! Split-tunnel list pushed to the L2TP clients: local LAN plus the remote site
access-list Split-Tunnel-ACL standard permit 192.168.17.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 172.16.17.0 255.255.255.0

! Identity (NAT-exempt) rules: inside to remote site, inside to L2TP pool, L2TP pool to remote site
nat (inside,outside) source static inside-network inside-network destination static Site-172.16.17.0 Azure-172.16.17.0 no-proxy-arp 
nat (inside,outside) source static inside-network inside-network destination static L2TP-VPN-subnet L2TP-VPN-subnet no-proxy-arp route-lookup
nat (inside,outside) source static L2TP-VPN-subnet L2TP-VPN-subnet destination static Site-172.16.17.0 Site-172.16.17.0 no-proxy-arp route-lookup

! Group policy for the L2TP/IPsec clients (split tunneling, DNS, domain)
group-policy VPN_L2TP_IPSEC internal
group-policy VPN_L2TP_IPSEC attributes
 dns-server value 172.16.17.4
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-ACL
 default-domain value ****.com
 split-dns value ****.com
 intercept-dhcp 255.255.255.0 enable

! L2TP/IPsec clients land in DefaultRAGroup (IKEv1 PSK, MS-CHAPv2 for PPP)
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_POOL
 default-group-policy VPN_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

Has anyone managed to get this setup working? I am assuming I am missing some minor detail here, but I can't see what. Maybe this can't work with L2TP?


1 Accepted Solution

AllertGen
Level 3

Hello.

What are you using NAT for with the L2TP VPN? Split tunneling is helping your users go to the internet directly, so you don't need to use NAT. Also, it can be a source of the problem, because NAT works before the site-to-site VPN. So traffic from your remote users could be changed by NAT, and the source IP address of this traffic will be different. And because of this it's not hitting the rules of your site-to-site VPN.

2 Replies

Damir Reic
Level 1

And the problem was:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

After I did this it started to work.
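The thread converges on four things an ASA needs before an L2TP/IPsec client can be hairpinned into a site-to-site tunnel: a crypto ACL entry covering the client pool to the remote subnet, the remote subnet in the split-tunnel list, an identity NAT rule so the pool address is not translated before the crypto map is evaluated, and `same-security-traffic permit intra-interface` so traffic may leave on the interface it arrived on. The Python below is an added example, not code from the thread or from Cisco: it scans an ASA config excerpt for exactly those four pieces and reports what is missing. The `object network Site-172.16.17.0` definition is assumed (the post references the object but does not show it), and the function names, the constructed config strings and the "posted versus fixed" comparison are mine.

```python
import ipaddress
import re

# Constructed input: the relevant lines from the original post. The
# "object network Site-172.16.17.0" block is not in the post and is assumed
# here so that the object references in the ACL and NAT lines resolve.
POSTED_CONFIG = """
object network L2TP-VPN-subnet
 subnet 192.168.255.0 255.255.255.0
object network Site-172.16.17.0
 subnet 172.16.17.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.17.0 255.255.255.0 object Site-172.16.17.0
access-list outside_cryptomap extended permit ip 192.168.255.0 255.255.255.0 object Site-172.16.17.0
access-list Split-Tunnel-ACL standard permit 192.168.17.0 255.255.255.0
access-list Split-Tunnel-ACL standard permit 172.16.17.0 255.255.255.0
nat (inside,outside) source static L2TP-VPN-subnet L2TP-VPN-subnet destination static Site-172.16.17.0 Site-172.16.17.0 no-proxy-arp route-lookup
"""

# The line the thread ends on: allow traffic to re-enter the interface it arrived on.
FIXED_CONFIG = POSTED_CONFIG + "same-security-traffic permit intra-interface\n"


def parse_objects(config):
    """Map 'object network NAME' blocks with a subnet/host line to ip_network values."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)\s*$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"\s+host (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def _address(tokens, objects):
    """Consume one ASA address spec (any | object NAME | host IP | IP MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def check_hairpin(config, pool, remote, split_acl, crypto_acl):
    """Report which prerequisites for hairpinning RA-VPN clients into a site-to-site tunnel are present."""
    pool, remote = ipaddress.ip_network(pool), ipaddress.ip_network(remote)
    objects = parse_objects(config)
    found = {"crypto_acl": False, "split_tunnel": False, "nat_exempt": False, "intra_interface": False}
    nat_re = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse whitespace so matching is exact
        tokens = line.split()
        if line == "same-security-traffic permit intra-interface":
            found["intra_interface"] = True
        elif tokens[:1] == ["access-list"] and len(tokens) >= 6 and tokens[3] == "permit":
            name, kind = tokens[1], tokens[2]
            if name == crypto_acl and kind == "extended" and tokens[4] == "ip":
                # crypto ACL: the pool must be inside the source, the remote site inside the destination
                src, rest = _address(tokens[5:], objects)
                dst, _ = _address(rest, objects)
                if pool.subnet_of(src) and remote.subnet_of(dst):
                    found["crypto_acl"] = True
            elif name == split_acl and kind == "standard":
                # split-tunnel list: the remote site must be pushed to the client
                net, _ = _address(tokens[4:], objects)
                if remote.subnet_of(net):
                    found["split_tunnel"] = True
        elif tokens[:1] == ["nat"]:
            m = nat_re.match(line)
            # identity (exempt) rule: real == mapped for both source and destination
            if m and m.group(1) == m.group(2) and m.group(3) == m.group(4):
                real_src, real_dst = objects.get(m.group(1)), objects.get(m.group(3))
                if real_src and real_dst and pool.subnet_of(real_src) and remote.subnet_of(real_dst):
                    found["nat_exempt"] = True
    return found


def missing(config, pool, remote, split_acl, crypto_acl):
    """Names of the prerequisites a config is still missing (empty list means all four are present)."""
    found = check_hairpin(config, pool, remote, split_acl, crypto_acl)
    return [name for name, ok in found.items() if not ok]


if __name__ == "__main__":
    args = ("192.168.255.0/24", "172.16.17.0/24", "Split-Tunnel-ACL", "outside_cryptomap")
    print("posted config, missing:", missing(POSTED_CONFIG, *args))
    print("after fix, missing:", missing(FIXED_CONFIG, *args))
```

Run against the posted excerpt it reports only `intra_interface` as missing, which matches what the thread found; after the `same-security-traffic` line is appended it reports nothing. The checker is a static heuristic over config text, so on the box itself still confirm with `show crypto ipsec sa` that an SA for 192.168.255.0/24 to the remote subnet actually comes up when a client sends traffic.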
