65-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter65 Configuring L2TP over IPsec
Configuring L2TP over IPsec
IPv6 Guidelines
There is no native IPv6 tunnel setup support for L2TP over IPsec.
Authentication Guidelines
The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local
database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user
belongs to a tunnel group configured with the authentication eap-proxy or authentication chap
commands, and the ASA is configured to use the local database, that user will not be able to connect.
Supported PPP Authentication Types
L2TP over IPsec connections on the ASA support only the PPP authentication types shown in
Table65-1.
Configuring L2TP over IPsec
This section provides the required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients,
integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP
over IPsec protocol.
Table 6 5-1 AAA Server Support and PPP Authentication Types
AAA Server Type Supported PPP Authentication Types
LOCAL PAP, MSCHAPv1, MSCHAPv2
RADIUS PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy
TACACS+ PAP, CHAP, MSCHAPv1
LDAP PAP
NT PAP
Kerberos PAP
SDI SDI
Table65-1 PPP Authentication Type Characteristics
Keyword Authentication Type Characteristics
chap CHAP In response to the server challenge, the client returns the encrypted
[challenge plus password] with a cleartext username. This protocol
is more secure than the PAP, but it does not encrypt data.
eap-proxy EAP Enables EAP which permits the security appliance to proxy the
PPP authentication process to an external RADIUS authentication
server.
ms-chap-v1
ms-chap-v2
Microsoft CHAP,
Vers io n 1
Microsoft CHAP,
Vers io n, 2
Similar to CHAP but more secure in that the server stores and
compares only encrypted passwords rather than cleartext
passwords as in CHAP. This protocol also generates a key for data
encryption by MPPE.
pap PAP Passes cleartext username and password during authentication and
is not secure.