Configuring l2tp over ipsec – Cisco ASA 5505 User Manual


65-8

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 65 Configuring L2TP over IPsec

Configuring L2TP over IPsec

IPv6 Guidelines

There is no native IPv6 tunnel setup support for L2TP over IPsec.

Authentication Guidelines

The ASA supports only the PPP authentication types PAP and Microsoft CHAP versions 1 and 2 against the local
database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user
belongs to a tunnel group configured with the authentication eap-proxy or authentication chap
commands while the ASA is configured to use the local database, that user cannot connect.

Supported PPP Authentication Types

L2TP over IPsec connections on the ASA support only the PPP authentication types shown in Table 65-1.

Configuring L2TP over IPsec

This section provides the required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients,
integrated with the operating system on an endpoint, to make a VPN connection to the ASA using the L2TP
over IPsec protocol.

Table 65-1    AAA Server Support and PPP Authentication Types

AAA Server Type    Supported PPP Authentication Types
LOCAL              PAP, MSCHAPv1, MSCHAPv2
RADIUS             PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy
TACACS+            PAP, CHAP, MSCHAPv1
LDAP               PAP
NT                 PAP
Kerberos           PAP
SDI                SDI
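As an added illustration of the Authentication Guidelines above and of Table 65-1 (example code of my own, not from the Cisco guide): a small Python check that reads a fragment of ASA running-config, works out which AAA server type each tunnel group authenticates against (LOCAL when no authentication-server-group is set), and flags any enabled PPP authentication keyword that Table 65-1 says that server type cannot perform. The group names and config lines in SAMPLE_CONFIG are constructed for the example.

```python
import re
# Table 65-1 from the guide: AAA server type -> PPP authentication keywords it supports.
SUPPORTED_PPP_AUTH = {
    "LOCAL": {"pap", "ms-chap-v1", "ms-chap-v2"},
    "RADIUS": {"pap", "chap", "ms-chap-v1", "ms-chap-v2", "eap-proxy"},
    "TACACS+": {"pap", "chap", "ms-chap-v1"},
    "LDAP": {"pap"}, "NT": {"pap"}, "Kerberos": {"pap"}, "SDI": {"sdi"},
}
# "aaa-server <name> protocol <keyword>" -> server type name used in Table 65-1.
PROTOCOL_TO_TYPE = {"radius": "RADIUS", "tacacs+": "TACACS+", "ldap": "LDAP",
                    "nt": "NT", "kerberos": "Kerberos", "sdi": "SDI"}

def find_unsupported_ppp_auth(config):
    """Return [(tunnel_group, ppp_auth_keyword, aaa_server_type)] for each enabled
    PPP authentication that the tunnel group's AAA server type cannot perform."""
    server_types = {"LOCAL": "LOCAL"}  # aaa-server group name -> Table 65-1 type
    auth_groups = {}                    # tunnel group -> aaa-server group name
    ppp_auth, current = {}, None        # tunnel group -> enabled PPP auth keywords
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            server_types[m.group(1)] = PROTOCOL_TO_TYPE.get(m.group(2).lower(), "UNKNOWN")
        elif m := re.match(r"tunnel-group (\S+) ", line):
            current = m.group(1)
            ppp_auth.setdefault(current, set())
        elif m := re.match(r"\s+authentication-server-group (?:\(\S+\) )?(\S+)", line):
            auth_groups[current] = m.group(1)
        elif m := re.match(r"\s+(no )?authentication (\S+)$", line):
            (ppp_auth[current].discard if m.group(1) else ppp_auth[current].add)(m.group(2))
    problems = []
    for group, auths in ppp_auth.items():
        # No authentication-server-group line means the tunnel group uses LOCAL.
        server = server_types.get(auth_groups.get(group, "LOCAL"), "UNKNOWN")
        problems += [(group, a, server) for a in sorted(auths)
                     if a not in SUPPORTED_PPP_AUTH.get(server, set())]
    return problems

# Constructed sample config fragment (not from the guide): L2TP_LOCAL stays on the
# LOCAL database yet enables eap-proxy; L2TP_RADIUS points at a RADIUS server group.
SAMPLE_CONFIG = """\
aaa-server RADIUS_GRP protocol radius
tunnel-group L2TP_LOCAL ppp-attributes
 no authentication chap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group L2TP_RADIUS general-attributes
 authentication-server-group RADIUS_GRP
tunnel-group L2TP_RADIUS ppp-attributes
 authentication chap
 authentication eap-proxy
"""
```

Running find_unsupported_ppp_auth(SAMPLE_CONFIG) reports only the L2TP_LOCAL / eap-proxy combination, which is exactly the case the guideline says will fail to connect.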

Table 65-1    PPP Authentication Type Characteristics

Keyword       Authentication Type    Characteristics
chap          CHAP                   In response to the server challenge, the client returns the
                                     encrypted [challenge plus password] with a cleartext username.
                                     This protocol is more secure than PAP, but it does not encrypt
                                     data.
eap-proxy     EAP                    Enables EAP, which permits the security appliance to proxy the
                                     PPP authentication process to an external RADIUS authentication
                                     server.
ms-chap-v1    Microsoft CHAP,        Similar to CHAP but more secure in that the server stores and
ms-chap-v2    Version 1              compares only encrypted passwords rather than cleartext
              Microsoft CHAP,        passwords as in CHAP. This protocol also generates a key for data
              Version 2              encryption by MPPE.
pap           PAP                    Passes cleartext username and password during authentication and
                                     is not secure.
