
ISA 2006 to CISCO L2TP/ IPSec VPN Configuration

Author: brendon

Would you believe, not one web site (indexed by Google) has a simple configuration for ISA to CISCO site-to-site VPN using pre-shared secrets over L2TP/IPSec. So for anyone who finds this useful, the following configuration should set you right with both the ASA and routers. :-)

This diagram shows the example IP address configuration for the sites.
(Diagram: Example Site Layout)

Using the ISA Site-to-Site VPN Wizard, create a site using the default values. When prompted for the VPN tunnel endpoint, be sure to enter the outside (public) address of the router, 2.2.2.2 in this example.

The ISA Server configuration should be:

————————————————————
Local Tunnel Endpoint: 1.1.1.1
Remote Tunnel Endpoint: 2.2.2.2

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication method: Pre-shared secret (demosecret)
    Security Association lifetime: 28800 seconds

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time rekeying: ON
    Security Association lifetime: 3600 seconds
    Kbyte rekeying: OFF

Remote Network ‘LSE_VPN’ IP Subnets:
    Subnet: 192.168.0.0/255.255.255.0

Local Network ‘Internal’ IP Subnets:
    Subnet: 10.0.0.0/255.255.255.0
————————————————————

The necessary CISCO Router configuration should be:

————————————————————
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key demosecret address 1.1.1.1 no-xauth
!
crypto ipsec transform-set ISA_2006 esp-3des esp-sha-hmac
!
crypto map Head_Office 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ISA_2006
 set pfs group2
 match address 102
 reverse-route
!
interface (inside)
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
interface (outside)
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
 crypto map Head_Office
!
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 101 remark Permit_Outbound_NAT
access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Forward_Through_VPN
! The crypto ACL must describe exactly the subnets configured on ISA
! (10.0.0.0/24, wildcard 0.0.0.255, not /8) or the Phase II proxy IDs will not match
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101
————————————————————

The CISCO ASA Device configuration should be:

————————————————————
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
access-list In_to_out extended permit ip 192.168.0.0 255.255.255.0 any
access-list outside_20_cryptomap extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
!
global (outside) 1 interface
! The two nat lines below are added here and were not in the original post:
! exempt tunnel traffic from PAT (the ASA equivalent of the router's nonat
! route-map), assuming inside hosts are PATed to the outside interface as the
! global statement above implies
nat (inside) 0 access-list outside_20_cryptomap
nat (inside) 1 192.168.0.0 255.255.255.0
access-group In_to_out in interface inside
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 20 match address outside_20_cryptomap
crypto map outside_map0 20 set pfs
crypto map outside_map0 20 set peer 1.1.1.1
crypto map outside_map0 20 set transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key demosecret
————————————————————
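A quick consistency check across the blocks above, added here as an illustration and not part of the original post: ISA's Phase II proxy IDs are simply its local and remote subnets, so the Cisco crypto ACL (wildcard masks on IOS, ordinary netmasks on the ASA) must describe exactly the same two networks or quick mode fails with a proxy ID mismatch. The ACE strings and ISA subnets are constructed samples; the IOS one deliberately carries a /8 wildcard so the report for a mismatch is visible, and the `extended`-keyword test used to tell ASA syntax from IOS syntax is an assumption of this script.

```python
import ipaddress
import re

# Constructed samples based on the layout above: ISA's own view of the
# tunnel, plus one crypto ACE in IOS syntax and one in ASA syntax.
ISA_LOCAL = "10.0.0.0/255.255.255.0"      # ISA "Local Network 'Internal'"
ISA_REMOTE = "192.168.0.0/255.255.255.0"  # ISA "Remote Network 'LSE_VPN'"
IOS_ACE = "access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255"
ASA_ACE = ("access-list outside_20_cryptomap extended permit ip "
           "192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0")


def wildcard_to_network(addr, wildcard):
    """IOS ACLs use inverted masks: wildcard 0.0.0.255 means a /24."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_crypto_ace(line):
    """Return (source_net, dest_net) for a 'permit ip' ACE.
    Assumption: the ASA 'extended' keyword marks ordinary netmask syntax;
    anything else is treated as IOS wildcard syntax."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
    if not m:
        raise ValueError(f"not a 'permit ip' ACE: {line!r}")
    src, src_m, dst, dst_m = m.groups()
    if " extended " in line:
        return (ipaddress.ip_network(f"{src}/{src_m}", strict=False),
                ipaddress.ip_network(f"{dst}/{dst_m}", strict=False))
    return wildcard_to_network(src, src_m), wildcard_to_network(dst, dst_m)


def proxy_id_mismatches(isa_local, isa_remote, cisco_ace):
    """The crypto ACL is written from the Cisco side, so its source must be
    ISA's remote network and its destination ISA's local network. Returns a
    list of readable mismatches; an empty list means the proxy IDs agree."""
    cisco_src, cisco_dst = parse_crypto_ace(cisco_ace)
    want_src = ipaddress.ip_network(isa_remote, strict=False)
    want_dst = ipaddress.ip_network(isa_local, strict=False)
    problems = []
    if cisco_src != want_src:
        problems.append(f"Cisco source {cisco_src} != ISA remote {want_src}")
    if cisco_dst != want_dst:
        problems.append(f"Cisco destination {cisco_dst} != ISA local {want_dst}")
    return problems


if __name__ == "__main__":
    for name, ace in (("IOS", IOS_ACE), ("ASA", ASA_ACE)):
        issues = proxy_id_mismatches(ISA_LOCAL, ISA_REMOTE, ace)
        print(name, "OK" if not issues else "; ".join(issues))
```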

For more information on the PIX/ Router/ ASA VPN configurations, have a look at PIX to Router, Router to Router or the List of Configuration Examples.

Reader's Comments

  1. Clint

    I don't think it's Google… I think it's the user.