Problem with L2TP - Win7 machines won't install route to network

baskervi
Level 1

I've configured an L2TP/IPSec VPN on an ASA running 9.1(7)19, and I can connect just fine, but I cannot reach the remote end. If I type "netstat -rn", the route is not installed. I've turned on debugging, and nowhere do I see any information on the remote network; in the Windows logs, all I see is information regarding the IP address that was handed out. Can anyone assist? Thanks

 

Here is the ASA VPN configuration:

 

ip local pool VPNPOOL 192.168.34.1-192.168.34.32

object network obj-192.168.0.0
subnet 192.168.0.0 255.255.255.0

object network obj-192.168.34.0
subnet 192.168.34.0 255.255.255.0

access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0

nat (inside,any) source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.34.0 obj-192.168.34.0 no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-CLI mode transport
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set ESP-3DES-SHA-CLI
crypto map VPN-MAP 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map VPN-MAP interface outside

crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

group-policy L2TP-VPN internal
group-policy L2TP-VPN attributes
dns-server value 192.168.0.16
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value domain.local

tunnel-group DefaultRAGroup general-attributes
address-pool VPNPOOL
default-group-policy L2TP-VPN
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2

1 Accepted Solution

Accepted Solutions

Hello @baskervi,

In order to make L2TP use split tunneling on the ASA, you need to do what you mentioned before, but you also need to add the command "intercept-dhcp enable" under the group-policy.

This is the link for reference: https://www.petenetlive.com/KB/Article/0000571

HTH

Gio

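What "intercept-dhcp enable" changes, as an added illustration that is not part of the thread: once it is set under the group-policy, the ASA answers the Windows client's DHCPINFORM over the tunnel with a classless static route option listing the split-tunnel networks, and that reply is where the missing 192.168.0.0/24 route comes from. The script below encodes and decodes that option in the RFC 3442 wire format (option 121; Microsoft clients also accept the identical payload as option 249), starting from the SPLIT-TUNNEL access-list posted above. The tunnel address 192.168.34.5 and the option code the ASA actually uses are assumptions, not facts from the thread.

```python
# Added example (editor's code, not from the thread or Cisco): the classless
# static route option a DHCP-Inform reply carries so a Windows L2TP client will
# install split-tunnel routes. RFC 3442 format (option 121); Microsoft clients
# also read the same payload as option 249. Which code the ASA uses is assumed.
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed input: the split-tunnel ACL exactly as posted in the thread.
SPLIT_TUNNEL_ACL = [
    "access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.255.0",
]
RFC3442_OPTION = 121  # classless static route, RFC 3442
MS_OPTION = 249       # Microsoft's pre-RFC code for the same payload


def make_route(net: str, gw: str) -> Route:
    """Build a (network, gateway) pair from strings."""
    return ipaddress.IPv4Network(net), ipaddress.IPv4Address(gw)


def parse_standard_acl(lines: List[str]) -> List[ipaddress.IPv4Network]:
    """Pull the permitted networks out of ASA 'access-list NAME standard permit NET MASK' lines."""
    nets = []
    for line in lines:
        p = line.split()
        if len(p) == 6 and p[0] == "access-list" and p[2:4] == ["standard", "permit"]:
            nets.append(ipaddress.IPv4Network(f"{p[4]}/{p[5]}"))  # ipaddress accepts dotted masks
    return nets


def encode_classless_routes(routes: List[Route]) -> bytes:
    """RFC 3442 wire format: prefix length, only the significant prefix octets, then the router."""
    out = bytearray()
    for net, gw in routes:
        plen = net.prefixlen
        out.append(plen)
        out += net.network_address.packed[: (plen + 7) // 8]
        out += gw.packed
    return bytes(out)


def decode_classless_routes(data: bytes) -> List[Route]:
    """Inverse of encode; raises on malformed input rather than yielding a bogus route."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"bad prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(data):
            raise ValueError("truncated route entry")
        prefix = bytes(data[i:i + n]) + b"\x00" * (4 - n)  # pad back to four octets
        i += n
        gw = ipaddress.IPv4Address(data[i:i + 4])
        i += 4
        # strict=False tolerates encoders that leave host bits set inside the last octet
        net = ipaddress.IPv4Network(f"{ipaddress.IPv4Address(prefix)}/{plen}", strict=False)
        routes.append((net, gw))
    return routes


def build_option(routes: List[Route], code: int = RFC3442_OPTION) -> bytes:
    """Wrap the route list in a DHCP option TLV (code, length, payload)."""
    payload = encode_classless_routes(routes)
    if len(payload) > 255:
        raise ValueError("route list too long for a single DHCP option")
    return bytes([code, len(payload)]) + payload


def parse_option(option: bytes) -> Tuple[int, List[Route]]:
    """Split a TLV back into (code, routes), checking the length octet first."""
    if len(option) < 2 or len(option) != 2 + option[1]:
        raise ValueError("bad option TLV")
    return option[0], decode_classless_routes(option[2:])


def expected_split_routes(acl_lines: List[str], tunnel_ip: str) -> List[Route]:
    """Routes the ASA should hand the client: each split-tunnel network via the pool address."""
    gw = ipaddress.IPv4Address(tunnel_ip)
    return [(net, gw) for net in parse_standard_acl(acl_lines)]


def route_print_lines(routes: List[Route]) -> List[str]:
    """Render routes the way 'netstat -rn' / 'route print' lists them on Windows."""
    return [f"{net.network_address} {net.netmask} {gw}" for net, gw in routes]


if __name__ == "__main__":
    # 192.168.34.5 is an assumed address from VPNPOOL, not one seen in the thread.
    routes = expected_split_routes(SPLIT_TUNNEL_ACL, "192.168.34.5")
    opt = build_option(routes)
    print("option bytes:", opt.hex())
    for line in route_print_lines(parse_option(opt)[1]):
        print(line)
```

The check this gives a practitioner: with "Use default gateway on remote network" unchecked, the only routes the Windows client adds beyond its own tunnel /32 are those carried in the DHCPINFORM reply, so an empty "netstat -rn" after connecting means the ASA never answered (no intercept-dhcp) or the split-tunnel list was empty. A /0 entry in that option is what re-creates the "all traffic through the tunnel" behaviour the OP saw with the box checked.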

4 Replies

baskervi
Level 1

Let me add that I can connect to the same ASA with AnyConnect and the route installs just fine. We need additional VPN clients, hence the reason to use L2TP Windows clients.

I may have just figured this out. Under Windows, in the TCP/IPv4 settings, I had unchecked "Use default gateway on remote network." If I check this box, I can get to the network behind the firewall but not to the Internet. From what I've read tonight, L2TP/IPSec doesn't support split tunnels. This will work.


Great information. This is just what I needed. Thank you.
