Solved: Re: Remote Access VPN for ASA (FPR1010s) using Windows & L2TP opti

TRENT WAITE · ‎07-05-2024

For a long while we have been reliant on using ASA's L2TP remote access VPN for users to connect to remote sites to access devices that did not have gateway's configured. For this we used the Windows built-in L2TP client, however as Cisco has depreciated the encryption in later ASA versions this is no longer usable. It is my understanding that AnyConnect can not be used as an alternative.

So my question to the community is what tools are available if I need to connect to a FPR1010 from Windows 10/11 and access devices that have no gateway (i.e. essentially needing L2TP). When we use a Sonicwall SSLVPN this has not been an issue as we can essentially create a tunnel and have the client on the same subnet.

jelloyd · ‎07-08-2024

You can also tailor the built-in Windows L2TP/IPSec client to offer updated ciphers/algorithms to the FPR1010. You can do this in PowerShell using the following syntax:

Set-VpnConnectionIPsecConfiguration -ConnectionName L2TP -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES256 -DHGroup Group14 -EncryptionMethod AES256 -IntegrityCheckMethod SHA1 -PfsGroup PFS2048 -Force

In the example above, the L2TP/IPSec connection name that I created is "L2TP".

The IKEv1 phase 1 parameters are:

AES256/SHA/DH Group14

The IKEv1 phase 2 settings are:

AES256/SHA/PFS Group14

FPR1010 debugs show the custom offer being sent:

# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 40
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: Group 14
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 00 70 80

You can refer to this for details on how to change the ciphers/algorithms. It's for IKEv2, but the concept is the same for any IPSec-based VPN connection profile that you create with the built-in Windows client:

https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections#ikev2-crypto-settings-example

View solution in original post

Karsten Iwen · ‎07-05-2024

The Anyconnect RA-VPN on ASA/FTD can be configured so that the client is assigned an IP from the device's LAN interface.

tvotna · ‎07-06-2024

Also, from the documentation: "Secure Client is the only client supported on endpoint devices for remote VPN connectivity to threat defense devices". This is a purely marketing (non-technical) restriction which doesn't exist on ASA. So, you don't have other options if you want to use FTD on FPR1010.

Karsten Iwen · ‎07-06-2024

Marketing? Yes! But AnyConnect is far superior to L2TP RAVPN, and rumors say that only one customer was left using L2TP.

MHM Cisco World · ‎07-07-2024

Hi Friend
sorry I read your post but it summer and Europa League matches so I have little time
but anyway

you can run l2tp over IPsec
and the client will get IP from Pool in same subnet as Inside server so technically client and server connect in same subnet

https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.html

MHM

TRENT WAITE · ‎07-08-2024

MHM,

This is actually no longer a viable solution as Cisco has depreciated numerous items in their latest ASA OS version. I can no longer use DES. 3DES. DH group 2, 5, etc.. Problem here is that for Windows built in L2TP client it requires 3DES.

The ASA comes with if I remember correctly a built in license for 2 'admins' for Anyconnect. Looking at a more recent FPR1010 I see I have licensed count of 75 for Anyconnect Premium Peers and Anyconnect Essentials is disabled. Years back I believe the old 5500 and 5506 came with Anyconnect for the admin but the software package was not installed on the device.

We use the ASA's for site to site VPNs, and unfortunately came across the one instance where a contractor put in a FPR1010 with the desired use for remote access VPN. The ASA has I think v9.18. Will we need to purchase an additional Anyconnect license to download the package files that need to be installed on the ASA? On the user end they already have the Cisco Secure Client installed in use for a different project.

Karsten Iwen · ‎07-08-2024

If you need to provide AnyConnect RA services, you need to buy a licence for this device or for the users (there are different ways to buy the licenses). The base AnyConnect (or Cisco Secure Client what is the actual name) license is not that expensive.

The order code is L-AC-PLS-LIC= where you choose the amount of users (minimum 25) and the length of the subscription (like 3 or 5 years).

MHM Cisco World · ‎07-08-2024

Do I need anyconnect license? Yes but as i know fw come with 3 anyconnect free' you can use it to try l2tp over ipsec before buy any license.

3des needed ? Yes it need and cisco give it license for free

DH group 2 ? Here I can not answer y0u but sure new window support dh group other than 2' dh group 2 is legacy.

MHM

tvotna · ‎07-08-2024

@TRENT WAITE, just to clarify: FPR1010 uses smart licensing, which means you don't need to (and actually cannot) install anyconnect licenses onto ASA.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/general/asa-919-general-config/intro-license-smart.html#concept_tgl_532_ry

Each firepower model comes unlocked to the max VPN hardware capacity by default. You only need 3DES license, which is free, and an AnyConnect license(s) to be compliant and to be able to download .pkg file from cisco.com. And you don't actually need this file on ASA if users already have AnyConnect installed (CSCvz88858).

jelloyd · ‎07-08-2024