Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 65 Configuring L2TP over IPsec
Configuring L2TP over IPsec
IKEv1 phase 1: 3DES encryption with SHA-1 hash.
IPsec phase 2: 3DES or AES encryption with MD5 or SHA-1 hash.
PPP authentication: PAP, MS-CHAPv1, or MS-CHAPv2 (preferred).
Pre-shared key (only for iPhone).
Where the client allows it, choose AES with SHA for phase 2 and MS-CHAPv2 for PPP authentication; the weaker options are listed only because some clients require them.
Detailed CLI Configuration Steps

Step 1
Command: crypto ipsec transform-set transform_name ESP_Encryption_Type ESP_Authentication_Type
Example:
hostname(config)# crypto ipsec transform-set my-transform-set esp-3des esp-sha-hmac
Purpose: Creates a transform set with a specific ESP encryption type and authentication type. The encryption and hash must be ones the client supports for phase 2 (3DES or AES with MD5 or SHA, per the requirements above).

Step 2
Command: crypto ipsec transform-set trans_name mode transport
Example:
hostname(config)# crypto ipsec transform-set my-transform-set mode transport
Purpose: Instructs IPsec to use transport mode rather than tunnel mode. L2TP/IPsec clients negotiate transport mode, so a tunnel-mode transform set will not match their proposal.

Step 3
Command: vpn-tunnel-protocol tunneling_protocol
Example:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
Purpose: Specifies L2TP/IPsec as the VPN tunneling protocol for the group policy.

Step 4
Command: dns-server value [none | IP_primary [IP_secondary]]
Example:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# dns-server value 209.165.201.1 209.165.201.2
Purpose: (Optional) Instructs the adaptive security appliance to send DNS server IP addresses to the client for the group policy.

Step 5
Command: wins-server value [none | IP_primary [IP_secondary]]
Example:
hostname(config)# group-policy DfltGrpPolicy attributes
hostname(config-group-policy)# wins-server value 209.165.201.3 209.165.201.4
Purpose: (Optional) Instructs the adaptive security appliance to send WINS server IP addresses to the client for the group policy.

Step 6
Command: tunnel-group name type remote-access
Example:
hostname(config)# tunnel-group sales-tunnel type remote-access
Purpose: Creates a connection profile (tunnel group).
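The six steps above assembled into one working configuration, together with the pieces the steps on this page do not yet supply (the IKEv1 phase 1 policy, the crypto map that binds the transform set to an interface, an address pool, the pre-shared key, PPP authentication and a local user). This is an added example, not Cisco's own sample configuration. It uses the pre-8.4 command syntax shown on this page (on ASA 8.4 and later the transform-set, isakmp and pre-shared-key commands take an ikev1 keyword); the interface name outside, the map names, the pool 192.168.10.0/24, the user jdoe and the placeholder secrets are assumptions. The 3DES/SHA-1 phase 1 choice follows the requirements list above; the phase 2 transform set uses 3DES rather than DES because DES is not among the listed options.

```text
! --- Steps 1-2: ESP transform set in transport mode (3DES/SHA per the requirements) ---
crypto ipsec transform-set my-transform-set esp-3des esp-sha-hmac
crypto ipsec transform-set my-transform-set mode transport
!
! --- Assumed (not on this page): dynamic crypto map bound to the outside interface ---
crypto dynamic-map outside_dyn_map 10 set transform-set my-transform-set
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! --- Assumed (not on this page): IKEv1 phase 1 matching the requirements (3DES, SHA-1, PSK) ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Clients behind NAT need NAT traversal; the argument is the keepalive interval in seconds
crypto isakmp nat-traversal 20
!
! --- Assumed (not on this page): addresses handed to L2TP clients ---
ip local pool l2tp-pool 192.168.10.1-192.168.10.50 mask 255.255.255.0
!
! --- Steps 3-5: group policy ---
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
 dns-server value 209.165.201.1 209.165.201.2
 wins-server value 209.165.201.3 209.165.201.4
!
! --- Step 6, plus the attributes the profile needs to accept a connection ---
tunnel-group sales-tunnel type remote-access
tunnel-group sales-tunnel general-attributes
 address-pool l2tp-pool
 default-group-policy DfltGrpPolicy
tunnel-group sales-tunnel ipsec-attributes
 pre-shared-key REPLACE-WITH-LONG-RANDOM-KEY
tunnel-group sales-tunnel ppp-attributes
 ! Allow only the preferred PPP method; PAP would send the password in clear inside the tunnel
 no authentication pap
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
! --- Assumed local user; the mschap keyword stores the password in the form MS-CHAP needs ---
username jdoe password REPLACE-WITH-USER-PASSWORD mschap
```

A native Windows L2TP/IPsec client authenticating with a pre-shared key cannot name a tunnel group during IKE main mode, so in practice those connections land in DefaultRAGroup; apply the same ipsec-attributes and ppp-attributes to DefaultRAGroup (or configure it in place of sales-tunnel) when that client is in scope. After a client connects, show crypto isakmp sa and show crypto ipsec sa confirm the phase 1 and phase 2 SAs, and show vpn-sessiondb lists the L2TP session and the pool address it received.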