04-08-2016 08:32 AM - edited 02-21-2020 08:46 PM
Hi,
Is there anybody in the world operating an L2TP Over IPsec tunnel on Cisco ASA for native Windows clients and a fully functioning Split Tunnel Configuration?
I created an L2TP Over IPsec tunnel on our ASA 5520 running Software Version 9.1(6). My configuration is the following:
ip local pool VPN_USERS 172.23.32.1-172.23.33.255 mask 255.255.252.0
access-list ROUTING_SPLIT standard permit 192.168.0.0 255.255.0.0
access-list ROUTING_SPLIT standard permit 172.16.0.0 255.248.0.0
crypto ipsec ikev1 transform-set WIN10 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set WIN10 mode transport
crypto ipsec ikev1 transform-set WIN7 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set WIN7 mode transport
crypto dynamic-map DYNMAP 10 set ikev1 transform-set WIN10 WIN7
crypto dynamic-map DYNMAP 10 set reverse-route
crypto map CMAP 99 ipsec-isakmp dynamic DYNMAP
crypto map CMAP interface ipsec
crypto isakmp nat-traversal 29
crypto isakmp disconnect-notify
crypto ikev1 enable ipsec
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
exit
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
exit
group-policy EIK_USERS_RA internal
group-policy EIK_USERS_RA attributes
dns-server value 12.34.56.7 12.34.56.8
vpn-simultaneous-logins 2
vpn-tunnel-protocol ikev1 l2tp-ipsec
password-storage disable
ip-comp enable
pfs enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ROUTING_SPLIT
default-domain value ad.nyme.hu
intercept-dhcp enable
user-authentication enable
address-pools value VPN_USERS
exit
tunnel-group DefaultRAGroup general-attributes
authentication-server-group challenger
accounting-server-group challenger
default-group-policy EIK_USERS_RA
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
exit
Now native Windows clients can connect using this tunnel group:
our-asa# show vpn-sessiondb remote
Session Type: IKEv1 IPsec
Username : w10vpn Index : 1
Assigned IP : 172.23.32.2 Public IP : 12.34.56.9
Protocol : IKEv1 IPsecOverNatT L2TPOverIPsecOverNatT
License : Other VPN
Encryption : IKEv1: (1)3DES IPsecOverNatT: (1)AES256 L2TPOverIPsecOverNatT: (1)none
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1 L2TPOverIPsecOverNatT: (1)none
Bytes Tx : 1233 Bytes Rx : 10698
Group Policy : EIK_USERS_RA Tunnel Group : DefaultRAGroup
Login Time : 15:12:29 UTC Fri Apr 8 2016
Duration : 0h:01m:07s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
However, actual communication only takes place over the tunnel if I "Use default gateway on remote network". If I disable this option amongst IPv4 preferences of the virtual VPN interface in the Control Panel as advised in the section "Split Tunnel Configuration" of THIS DOCUMENT then Windows doesn't send any packets through the channel because it fails to fetch the routing table from the ASA. Split routing works perfectly when using legacy Cisco VPN Client with the very same group policy, but doesn't work with L2TP Over IPsec.
As far as I can see, the option "intercept-dhcp" is ineffective somehow. I even managed to sniff packets from the virtual PPP interface of a Windows XP machine, and I saw that windows sends its DHCP INFORM requests, but the ASA fails to respond. My question is why?
-Did I make some mistake in the configuration above?
-Can there be any option somewhere else in my running config which defuses intercept-dhcp?
-Or is there a software bug in my ASA firmware version? (BTW, I tried it with many different software versions without success.)
04-27-2016 06:52 AM
Hi, I have the same problem as you have, but I was fortunate enough to be able to install version 9.2(4), on which this feature is working fine. I am suspecting that this is a bug, but I need to dig a little bit more. If I find something interesting I will share it here.
04-27-2016 07:30 AM
OK, problem is solved. I created an l2tp/ipsec tunnel-group/group-policy complex using ASDM, which happened to work!!! Then I compared this config to my earlier manual one and realized that the key is "sysopt connection permit-vpn". My ASA configuration originally contained the option "no sysopt connection permit-vpn" which is incompatible with intercept-dhcp. Later it turned out that this is a known bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv39939
Moreover, vpn-filters (necessitated by "sysopt connection permit-vpn") are also badly implemented: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsf99428
BTW, I can't upgrade to 9.2, since ASA 5520 only supports 9.1 or earlier.
04-27-2016 07:52 AM
Well, in fact the correct answer is this (but I didn't know how to denote it otherwise):
I created an l2tp/ipsec tunnel-group/group-policy complex using ASDM, which happened to work!!! Then I compared this config to my earlier manual one and realized that the key is "sysopt connection permit-vpn". My ASA configuration originally contained the option "no sysopt connection permit-vpn" which is incompatible with intercept-dhcp. Later it turned out that this is a known bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv39939
Moreover, vpn-filters (necessitated by "sysopt connection permit-vpn") are also badly implemented: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsf99428
BTW, I can't upgrade to 9.2, since ASA 5520 only supports 9.1 or earlier.
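Added example (not part of the thread above and not Cisco's own documentation): the accepted answer identifies "sysopt connection permit-vpn" as the setting intercept-dhcp needs. That setting also makes decrypted VPN traffic bypass the interface ACL on the outside interface, so on its own it widens what a dialed-in L2TP client can reach. The fragment below restores the setting and pairs it with a vpn-filter on the thread's group policy so the clients are still confined to specific services. The pool (172.23.32.0/22), the split-tunnel networks (192.168.0.0/16, 172.16.0.0/13), the DNS servers and the group-policy name are taken from the posted config; the ACL name VPN_USERS_FILTER and the permitted services (DNS, RDP, HTTPS, ICMP echo) are assumptions chosen for illustration, to be replaced by whatever the site actually needs.

```cisco
! Added example; identifiers not present in the thread are assumptions.
!
! 1. Restore the default that intercept-dhcp depends on (the thread's fix).
!    "no sysopt connection permit-vpn" was what broke the DHCP INFORM reply.
sysopt connection permit-vpn
!
! 2. Because permit-vpn exempts decrypted VPN traffic from the outside
!    interface ACL, restrict the clients with a vpn-filter instead.
!    vpn-filter ACEs are written with the remote client's assigned address
!    as the source and the protected network as the destination; the ASA
!    applies them to both directions of the flow.
!    Assumed services: DNS to the two posted DNS servers, RDP into the
!    192.168.0.0/16 range, HTTPS into 172.16.0.0/13, ICMP echo for testing.
access-list VPN_USERS_FILTER extended permit udp 172.23.32.0 255.255.252.0 host 12.34.56.7 eq domain
access-list VPN_USERS_FILTER extended permit udp 172.23.32.0 255.255.252.0 host 12.34.56.8 eq domain
access-list VPN_USERS_FILTER extended permit tcp 172.23.32.0 255.255.252.0 192.168.0.0 255.255.0.0 eq 3389
access-list VPN_USERS_FILTER extended permit tcp 172.23.32.0 255.255.252.0 172.16.0.0 255.248.0.0 eq 443
access-list VPN_USERS_FILTER extended permit icmp 172.23.32.0 255.255.252.0 192.168.0.0 255.255.0.0 echo
access-list VPN_USERS_FILTER extended permit icmp 172.23.32.0 255.255.252.0 172.16.0.0 255.248.0.0 echo
! The implicit deny already drops everything else; an explicit logged deny
! makes the drops visible in the syslog while the filter is being tuned.
access-list VPN_USERS_FILTER extended deny ip any any log
!
! 3. Attach the filter to the group policy the L2TP/IPsec users land in.
group-policy EIK_USERS_RA attributes
 vpn-filter value VPN_USERS_FILTER
exit
!
! 4. Verification. permit-vpn is a default, so it only shows up with "all";
!    the session detail shows which filter a connected user is subject to.
show running-config all sysopt
show vpn-sessiondb detail remote filter name w10vpn
show access-list VPN_USERS_FILTER
```

Two caveats a practitioner should keep in mind when applying this: the filter only takes effect for sessions established after it is attached, so reconnect the test client before trusting the verification output; and since the thread itself flags a vpn-filter bug (CSCsf99428) on this release train, confirm with a packet capture or the hit counts from "show access-list" that a flow the filter should block is in fact dropped, rather than assuming the ACL is enforced.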