Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
486
Views
0
Helpful
3
Replies

Remote access via VPN client of Microsoft L2TP client and Cisco VPN Client

pixelplay
Level 1
Level 1

‎07-02-2007 07:09 AM - edited ‎02-21-2020 03:08 PM

I am trying to configure to make my both clients working with my PIX 515

Is it possible to configure in the same time or not?

As I understand there is a different between Cisco VPN Client and Microsoft client that they are using different transform sets (Tunnel/Transport)

1 person had this problem
Labels:
0 Helpful
3 Replies 3

ledinhan
Level 1
Level 1

‎07-07-2007 03:56 AM

i have the same case like you have. Pls help us!!!

0 Helpful

Florian Pressler
Level 1
Level 1

‎09-12-2007 03:53 AM

I currently want to achieve the same (this is why I found this post), but I've found no good way to do it yet.

It's not doable by tunnel-group-matching or similar tricks (I think), as the crypto-map comes logically before that. You can do matching of different transform-sets via the the crypto map match address statement, but this is of course not what you want - you want to be able to connect the ASA via L2TP/IPSEC AND IPSEC from ANYWHERE.

At least I can give a workaround: You can configure an access-list which permits L2TP-traffic and then match the transform set on that.

access-list L2TP extended permit udp any eq 1701 any

crypto dynamic-map DYNMAP 10 match address L2TP

WARNING: access-list has port selectors. This may impact performance.

So in the end the crypto map looks like this:

crypto ipsec transform-set IPSEC-TFSET esp-3des esp-sha-hmac

crypto ipsec transform-set L2TP-TFSET esp-3des esp-md5-hmac

crypto ipsec transform-set L2TP-TFSET mode transport

crypto dynamic-map DYNMAP 10 match address L2TP

crypto dynamic-map DYNMAP 10 set transform-set L2TP-TFSET

crypto dynamic-map DYNMAP 10 set reverse-route

crypto dynamic-map DYNMAP 20 set transform-set IPSEC-TFSET

crypto dynamic-map DYNMAP 20 set reverse-route

crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP

crypto map MYMAP interface outside

The downside of this method is presumable bad performance - note the warning. At least it works.

Regards,

Florian

0 Helpful

palomoj
Level 1
Level 1
In response to Florian Pressler

‎10-06-2007 07:48 AM

you can specify both tunnel and transport mode IPSEC transform-sets in a single dynamic-map sequence (sample below)

crypto dynamic-map DYNMAP 20 set transform-set IPSEC-TFSET L2TP-TFSET

0 Helpful
Customers Also Viewed These Support Documents