09-19-2017 06:53 PM - edited 03-12-2019 04:33 AM
I've configured a L2TP/IPSec VPN on an ASA running 9.1(7)19, and I can connect just fine, but I cannot reach the remote end. If I type "netstat -rn" the route is not installed. I've turned on debugging, and nowhere do I see any information on the remote network, and in the Windows logs, all I see is information regarding the IP address that was handed out. Can anyone assist? Thanks
Here is the ASA VPN configuration:
ip local pool VPNPOOL 192.168.34.1-192.168.34.32
object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0
object network obj-192.168.34.0
subnet 192.168.34.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0
nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.34.0 obj-192.168.34.0 no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI mode transport
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set ESP-3DES-SHA-CLI
crypto map VPN-MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map VPN-MAP interface outside
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
dns-server value 192.168.0.16
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value domain.local
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPOOL
default-group-policy L2TP-VPN
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
09-19-2017 06:59 PM
Let me add that I can connect to the same ASA with AnyConnect and the route installs just fine. We need additional VPN clients, hence the reason to use L2TP Windows clients.
09-19-2017 07:17 PM
I may have just figured this out. Under Windows and the TCP/IPv4 settings, I had unchecked "Use default gateway on remote network." If I check this box, I can get to the network behind the firewall but not to the Internet. From what I've read tonight, L2TP/IPSec doesn't support split tunnels. This will work.
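An added example, not part of the original thread or the poster's setup: the "Use default gateway on remote network" checkbox is the client-side split-tunnel switch for the native Windows L2TP/IPsec client, and that client does not install the routes the ASA pushes in its split-tunnel-network-list (which is why the route never shows up in "netstat -rn" and the debug shows nothing about the remote network). On Windows 8.1 / Server 2012 R2 and later you can keep the box unchecked and still reach the network behind the firewall by adding the 192.168.0.0/24 route from the thread's SPLIT-TUNNEL list to the connection itself. The connection name, ASA address, username and password below are assumed placeholders.

```powershell
# Added example (not from the original thread): build a Windows L2TP/IPsec
# connection that split-tunnels, so "Use default gateway on remote network"
# stays off while 192.168.0.0/24 behind the ASA is still reachable.
$connName   = 'ASA-L2TP'          # hypothetical connection name
$asaAddress = 'vpn.example.com'   # hypothetical ASA outside address
$username   = 'vpnuser'           # hypothetical MS-CHAPv2 user
$password   = Read-Host 'VPN password'
$pskSecure  = Read-Host -AsSecureString 'L2TP pre-shared key'
$psk        = [System.Net.NetworkCredential]::new('', $pskSecure).Password

# 1. Create the connection. -SplitTunneling is the PowerShell equivalent of
#    clearing "Use default gateway on remote network" in the TCP/IPv4 settings;
#    MSChapv2 matches the tunnel-group's "authentication ms-chap-v2".
Add-VpnConnection -Name $connName -ServerAddress $asaAddress `
    -TunnelType L2tp -L2tpPsk $psk -AuthenticationMethod MSChapv2 `
    -EncryptionLevel Required -SplitTunneling -RememberCredential -Force

# 2. Add the route that the ASA's SPLIT-TUNNEL access-list describes. The native
#    Windows client ignores the split-tunnel list pushed by the ASA; the only
#    routes it installs over the tunnel are the ones configured here.
Add-VpnConnectionRoute -ConnectionName $connName `
    -DestinationPrefix '192.168.0.0/24' -PassThru

# 3. Connect and verify: the /24 should now be bound to the VPN interface,
#    while the default route stays on the physical adapter (Internet still works).
rasdial $connName $username $password
Get-NetRoute -DestinationPrefix '192.168.0.0/24' |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
```

If the client must instead send everything through the tunnel (the checked-box case), the ASA side also needs a NAT rule or hairpin for pool traffic going back out the outside interface; the thread's configuration only has the inside-to-pool identity NAT, so Internet access fails in that mode as the poster observed.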
09-22-2017 08:43 AM
09-22-2017 10:12 AM
Great information. This is just what I needed. Thank you.