Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI, page 65-15

Chapter 65 Configuring L2TP over IPsec

Configuring L2TP over IPsec

Step 15

Command: crypto isakmp nat-traversal seconds

Example:

hostname(config)# crypto isakmp enable
hostname(config)# crypto isakmp nat-traversal 1500

Purpose: (Optional) Enables NAT traversal (NAT-T) so that ESP packets, encapsulated in UDP on port 4500, can pass through one or more NAT devices. The seconds argument is the NAT keepalive interval (10 to 3600 seconds; the default is 20), which keeps the UDP mapping on the NAT device open while the tunnel is idle. Set it below the NAT device's idle timeout for UDP mappings; the value of 1500 seconds in the example is far longer than most NAT devices keep an idle UDP mapping, so in practice a much smaller value is appropriate.

If you expect multiple L2TP clients behind a NAT device to attempt L2TP over IPsec connections to the adaptive security appliance, you must enable NAT traversal.

To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the crypto isakmp enable command) in global configuration mode, and then use the crypto isakmp nat-traversal command.

Step 16

Command: strip-group
strip-realm

Example:

hostname(config)# tunnel-group DefaultRAGroup general-attributes
hostname(config-tunnel-general)# strip-group
hostname(config-tunnel-general)# strip-realm

Purpose: (Optional) Configures tunnel group switching. The goal of tunnel group switching is to give users a better chance at establishing a VPN connection when they authenticate using a proxy authentication server. Tunnel group is synonymous with connection profile.

With tunnel group switching, the ASA reads the group name that the user appends to the username (separated by the delimiter configured with the global group-delimiter command) and selects that tunnel group for the connection. strip-group removes the delimiter and group name, and strip-realm removes the realm (the @domain portion), from the username before it is passed to the authentication server, so the server sees only the bare username and can match the account even though it knows nothing about the group or realm.

Step 17

Command: username name password password mschap

Example:

asa2(config)# username jdoe password j!doe1 mschap

Purpose: This example creates a user with the username jdoe and the password j!doe1. The mschap option specifies that the password is converted to Unicode (UTF-16LE) and hashed using MD4 after you enter it. The result is the NT hash that MS-CHAP and MS-CHAPv2 require on the authenticator side, so a local user created without the mschap keyword cannot authenticate with those methods. This hash is unsalted and is password-equivalent: anyone who obtains it can complete MS-CHAPv2 as that user, so protect the configuration and the local database accordingly.

This step is needed only if you are using a local user database.

Step 18

Command: crypto ikev1 policy priority
group Diffie-Hellman Group

Example:

hostname(config)# crypto ikev1 policy 5
hostname(config-ikev1-policy)# group 5

Purpose: The crypto ikev1 policy command creates the IKE policy for Phase 1 and assigns it a priority number; the ASA evaluates its policies in ascending priority order during negotiation, so the lowest number is tried first. Within the policy you configure the Phase 1 parameters: the authentication method, encryption algorithm, hash algorithm, Diffie-Hellman group, and SA lifetime.

The group command specifies the Diffie-Hellman group for the policy. The value in the example is only illustrative; the group, like the other parameters, must match a proposal that the client actually sends, or the IKE negotiation fails.

The IKE policy is needed so that the ASA can complete the IKE negotiation.

See the "Creating IKE Policies to Respond to Windows 7 Proposals" section on page 65-16 for configuration examples for Windows 7 native VPN clients.
