ASA Configuration Using CLI
Step 1. Configure IKE Phase 1 policy parameters.
This policy is used to protect control traffic between the peers (that is, it protects pre-shared key and phase 2 negotiations)
ciscoasa(config)#crypto ikev1 policy 10
ciscoasa(config-ikev1-policy)#authentication pre-share
ciscoasa(config-ikev1-policy)#encryption 3des
ciscoasa(config-ikev1-policy)#hash sha
ciscoasa(config-ikev1-policy)#group 2
ciscoasa(config-ikev1-policy)#lifetime 86400
ciscoasa(config-ikev1-policy)#exit Step 2. Configure Transform-set.
It contains IKE Phase 2 policy parameters which are used to protect the data traffic. Since the Windows L2TP/IPsec client uses IPsec transport mode, set the mode to transport. The default is tunnel mode
ciscoasa(config)#crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
ciscoasa(config)#crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transportStep 3. Configure dynamic map.
As windows clients get dynamic IP address fron ISP or local DHCP server (example modem), ASA is not aware about the peer IP address and this poses a problem in the configuration of a static peer on the ASA end. So dynamic crypto configuration has to be approached in which all the parameters are not necessarily defined and the missing parameters are later dynamically learned, as the result of IPSec negotiation from the client.
ciscoasa(config)#crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHAStep 4. Bind dynamic map to static crypto map and apply the crypto map and enable IKEv1 on outside interface
Dynamic crypto map cannot be applied on an interface and so bind it to static crypto map. Dynamic crypto sets should be the lowest priority crypto maps in the crypto map set (that is, they should have the highest sequence numbers) so that the ASA evaluates other crypto maps first. It examines the dynamic crypto map set only when the other (static) map entries do not match.
ciscoasa(config)#crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
ciscoasa(config)#crypto map outside_map interface outside
ciscoasa(config)#crypto ikev1 enable outsideStep 5. Create IP address pool
Create a pool of addresses from which IP addresses are assigned dynamically to the remote *** Clients. Ignore this step to use existing pool on ASA.
ciscoasa(config)#ip local pool Address-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0Step 6. Configure group-policy
Identify the group policy as internal which means the attributes is pulled from local database.
ciscoasa(config)#group-policy L2TP-*** internalNote: L2TP/IPsec connections can be configured with either default group policy (DfltGrpPolicy) or a user-defined group policy. In either case, the group policy must be configured to use the L2TP/IPsec tunneling protocol. configure l2tp-ipsec on the *** protocol attribute on the default group-policy which will get inherited to the user-defined group policy if the ***-protocol attribute is not configured on it.
Configure the attributes such as *** tunnel protocol (in our case, it is l2tp-ipsec), domain name, DNS and WINS server IP address and new user accounts
ciscoasa(config)#group-policy L2TP-*** attributes
ciscoasa(config-group-policy)#dns-server value 8.8.8.8 4.4.4.2
ciscoasa(config-group-policy)#***-tunnel-protocol l2tp-ipsec
ciscoasa(config-group-policy)#default-domain value cisco.comConfigure usernames and passwords on the device in addition to using AAA. If the user is an L2TP client that uses Microsoft CHAP version 1 or version 2, and the ASA is configured to authenticate against the local database, mschap keyword must be included. For example, username <username> password <password> mschap.
ciscoasa(config-group-policy)# username test password test mschap
Step 7. Configure tunnel-group
Create a tunnel group with the tunnel-group command, and specify the local address pool name used to allocate the IP address to the client. If authentication method is pre-shared-key, tunnel group name must be DefaultRAGroup as there is no option on the client to specify the tunnel group and so it lands on default tunnel-group only. Bind the group policy to tunnel-group using the default-group-policy command
ciscoasa(config)#tunnel-group DefaultRAGroup general-attributes
ciscoasa(config-tunnel-general)#address-pool Address-pool
ciscoasa(config-tunnel-general)#default-group-policy L2TP-***
ciscoasa(config-tunnel-general)#exit Note: The default connection profile (tunnel group), DefaultRAGroup has to be configured, if pre-shared key based authentication is performed. If certificate-based authentication is performed, a user-defined connection profile can be chosen based on certificate identifiers
Use the tunnel-group ipsec-attributes command to enter the ipsec-attribute configuration mode in order to set the pre-shared key.
ciscoasa(config)# tunnel-group DefaultRAGroup ipsec-attributes
ciscoasa(config-tunnel-ipsec)# ikev1 pre-shared-key C!sc0@123
ciscoasa(config-tunnel-ipsec)#exit Configure the PPP authentication protocol with the authentication type command from tunnel group ppp-attributes mode. Disable CHAP which is enabled by default as it is not supported if AAA server is configured as local database.
ciscoasa(config)#tunnel-group DefaultRAGroup ppp-attributes
ciscoasa(config-ppp)#no authentication chap
ciscoasa(config-ppp)#authentication ms-chap-v2
ciscoasa(config-ppp)#exit Step 8. Configure NAT-Exemption
Configure NAT-Exemption so that the clients can access internal resources connected to internal interfaces (In this example, internal resources are connected to inside interface).
ciscoasa(config)#object network L2TP-Pool
ciscoasa(config-network-object)#subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)#exit
ciscoasa(config)# nat (inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookupComplete Sample Configuration
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
exit
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS-ESP-3DES-SHA mode transport
crypto dynamic-map outside_dyn_map 10 set ikev1 transform-set TRANS-ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev1 enable outside
ip local pool Address-pool 192.168.1.1-192.168.1.254 mask 255.255.255.0
group-policy L2TP-*** internal
group-policy L2TP-*** attributes
***-tunnel-protocol l2tp-ipsec
default-domain value cisco.com
username test password test mschap
exit
tunnel-group DefaultRAGroup general-attributes
address-pool Address-pool
default-group-policy L2TP-***
exit
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key C!sc0@123
exit
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
exit
object network L2TP-Pool
subnet 192.168.1.0 255.255.255.0
exit
nat(inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
參考鏈接:[請添加鏈接描述](https://www.cisco.com/c/en/us/support/docs/ip/layer-two-tunnel-protocol-l2tp/200340-Configure-L2TP-Over-IPsec-Between-Window.html#anc12)