65-11
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 65 Configuring L2TP over IPsec
Configuring L2TP over IPsec
Step 14 l2tp tunnel hello seconds
Example:
hostname(config)# l2tp tunnel hello 100
Configures the interval (in seconds) between hello messages. The range is 10 through 300 seconds. The default is 60 seconds.
Step 15 crypto isakmp nat-traversal seconds
Example:
hostname(config)# crypto isakmp enable
hostname(config)# crypto isakmp nat-traversal 1500
(Optional) Enables NAT traversal so that ESP packets can pass through one or more NAT devices.
If you expect multiple L2TP clients behind a NAT device to attempt L2TP over IPsec connections to the adaptive security appliance, you must enable NAT traversal.
To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the crypto isakmp enable command) in global configuration mode, and then use the crypto isakmp nat-traversal command.
Step 16 strip-group
strip-realm
Example:
hostname(config)# tunnel-group DefaultRAGroup general-attributes
hostname(config-tunnel-general)# strip-group
hostname(config-tunnel-general)# strip-realm
(Optional) Configures tunnel group switching. The goal of tunnel group switching is to give users a better chance at establishing a VPN connection when they authenticate using a proxy authentication server. Tunnel group is synonymous with connection profile.
Step 17 username name password password mschap
Example:
hostname(config)# username jdoe password j!doe1 mschap
This example creates a user with the username jdoe and the password j!doe1. The mschap option specifies that the password is converted to Unicode and hashed using MD4 after you enter it.
This step is needed only if you are using a local user database.
Step 18 crypto isakmp policy priority
Example:
hostname(config)# crypto isakmp policy 5
The crypto isakmp policy command creates the IKE policy for Phase 1 and assigns it a number. The IKE policy has several parameters that you can configure.
The isakmp policy is needed so the ASA can complete the IKE negotiation.
See the “Creating IKE Policies to Respond to Windows 7 Proposals” section on page 65-12 for configuration examples for Windows 7 native VPN clients.
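The constraints stated in Steps 14 through 18, as an added example (not code from the Cisco guide): a Python function that audits a block of commands, written in the form the guide's examples show them, against the hello interval range, the ISAKMP prerequisite for NAT traversal, local users stored with the mschap option, and the presence of an IKE policy. The function name audit_l2tp_config and the sample input are constructed for illustration.

```python
import re

# Constructed sample input (not from the guide): commands as they would be
# entered, using the syntax shown in Steps 14 through 18.
SAMPLE_CONFIG = """\
l2tp tunnel hello 100
crypto isakmp nat-traversal 1500
tunnel-group DefaultRAGroup general-attributes
 strip-group
 strip-realm
username jdoe password j!doe1 mschap
"""

def audit_l2tp_config(config_text):
    """Return a list of findings for Steps 14-18 (hypothetical helper)."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # Step 14: hello interval must be within 10-300 seconds (default 60).
    for ln in lines:
        m = re.fullmatch(r"l2tp tunnel hello (\d+)", ln)
        if m and not 10 <= int(m.group(1)) <= 300:
            findings.append(f"hello interval {m.group(1)} outside 10-300 seconds")

    # Step 15: the guide says to check that ISAKMP is enabled before
    # enabling NAT traversal globally.
    has_natt = any(ln.startswith("crypto isakmp nat-traversal") for ln in lines)
    isakmp_on = any(ln.startswith("crypto isakmp enable") for ln in lines)
    if has_natt and not isakmp_on:
        findings.append("nat-traversal configured but 'crypto isakmp enable' is missing")

    # Step 17: list local users whose password is hashed with MD4 (mschap).
    for ln in lines:
        m = re.fullmatch(r"username (\S+) password \S+ mschap", ln)
        if m:
            findings.append(f"local user {m.group(1)} uses mschap (MD4-hashed password)")

    # Step 18: the ASA needs an IKE policy to complete the IKE negotiation.
    if not any(re.match(r"crypto isakmp policy \d+", ln) for ln in lines):
        findings.append("no 'crypto isakmp policy' defined")
    return findings

if __name__ == "__main__":
    for finding in audit_l2tp_config(SAMPLE_CONFIG):
        print(finding)
```

The check works on commands as typed; a saved running configuration may render some of these lines differently, so adjust the patterns to the output of your software version.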