Hi,

Is there anybody in the world operating an L2TP Over IPsec tunnel on Cisco ASA for native Windows clients and a fully functioning Split Tunnel Configuration?

I created an L2TP Over IPsec tunnel on out ASA 5520 running Software Version 9.1(6). My configuration is the following:



ip local pool VPN_USERS 172.23.32.1-172.23.33.255 mask 255.255.252.0

access-list ROUTING_SPLIT standard permit 192.168.0.0 255.255.0.0
access-list ROUTING_SPLIT standard permit 172.16.0.0 255.248.0.0

crypto ipsec ikev1 transform-set WIN10 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set WIN10 mode transport
crypto ipsec ikev1 transform-set WIN7 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set WIN7 mode transport
crypto dynamic-map DYNMAP 10 set ikev1 transform-set WIN10 WIN7
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map CMAP 99 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface ipsec

crypto isakmp nat-traversal 29
crypto isakmp disconnect-notify
crypto ikev1 enable ipsec
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
exit
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
exit

group-policy EIK_USERS_RA internal
group-policy EIK_USERS_RA attributes
 dns-server value 12.34.56.7 12.34.56.8
 vpn-simultaneous-logins 2
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 password-storage disable
 ip-comp enable
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ROUTING_SPLIT
 default-domain value ad.nyme.hu
 intercept-dhcp enable
 user-authentication enable
 address-pools value VPN_USERS
exit

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group challenger
 accounting-server-group challenger
 default-group-policy EIK_USERS_RA
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
exit



Now native Windows clients can connect using this tunnel group:

our-asa# show vpn-sessiondb remote

Session Type: IKEv1 IPsec

Username     : w10vpn                 Index        : 1
Assigned IP  : 172.23.32.2            Public IP    : 12.34.56.9
Protocol     : IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)3DES  IPsecOverNatT: (1)AES256  L2TPOverIPsecOverNatT: (1)none
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1  L2TPOverIPsecOverNatT: (1)none
Bytes Tx     : 1233                   Bytes Rx     : 10698
Group Policy : EIK_USERS_RA           Tunnel Group : DefaultRAGroup
Login Time   : 15:12:29 UTC Fri Apr 8 2016
Duration     : 0h:01m:07s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


However, actual communication only takes place over the tunnel if I "Use default gateway on remote network". If I disable this option amongst IPv4 preferences of the virtual VPN interface in the Control Panel as advised in the section "Split Tunnel Configuration" of THIS DOCUMENT then Windows doesn't send any packets through the channel because it fails to fetch the routing table from the ASA. Split routing works perfectly when using legacy Cisco VPN Client with the very same group policy, but doesn't work with  L2TP Over IPsec.

As far as I can see, the option "intercept-dhcp" is ineffective somehow. I even managed to sniff packets from the virtual PPP interface of a Windows XP machine, and I saw that windows sends its DHCP INFORM requests, but the ASA fails to respond. My question is why?

-Did I make some mistake in the configuration above?

-Can there be any option somewhere else in my running config which defuses intercept-dhcp?

-Or is there a software bug in my ASA firmware version? (BTW, I tried it with many different software versions without success?