L2TP over IPsec

Table 1. AAA Server Support and PPP Authentication Types

CLI Book 3: Cisco Secure Firewall ASA Series VPN CLI Configuration Guide, 9.19

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents
Book Contents

  • About This Guide
  • IPsec and ISAKMP
  • L2TP over IPsec
  • High Availability Options
  • General VPN Parameters
  • Connection Profiles, Group Policies, and Users
  • IP Addresses for VPNs
  • Remote Access IPsec VPNs
  • LAN-to-LAN IPsec VPNs
  • AnyConnect VPN Client Connections
  • Secure Client HostScan
  • Virtual Tunnel Interface
  • Configure an External AAA Server for VPN

Find Matches in This Book
Log in to Save Content
Available Languages
Download Options

Book Title

CLI Book 3: Cisco Secure Firewall ASA Series VPN CLI Configuration Guide, 9.19

L2TP over IPsec

  • PDF – Complete Book (6.28 MB)PDF – This Chapter (1.17 MB) View with Adobe Reader on a variety of devices


Updated: November 29, 2022

Chapter: L2TP over IPsec

Chapter Contents

  • L2TP over IPsec
  • About L2TP over IPsec/IKEv1 VPN
    • IPsec Transport and Tunnel Modes
    • Creating IKE Policies to Respond to Windows 7 Proposals
    • Configuration Example for L2TP over IPsec

    L2TP over IPsec

    This chapter describes how to configure L2TP over IPsec/IKEv1 on the ASA.

    About L2TP over IPsec/IKEv1 VPN

    Layer 2 Tunneling Protocol (L2TP) is a VPN tunneling protocol that allows remote clients to use the public IP network to securely communicate with private corporate network servers. L2TP uses PPP over UDP (port 1701) to tunnel the data.

    L2TP protocol is based on the client/server model. The function is divided between the L2TP Network Server (LNS), and the L2TP Access Concentrator (LAC). The LNS typically runs on a network gateway such as a router, while the LAC can be a dial-up Network Access Server (NAS) or an endpoint device with a bundled L2TP client such as Microsoft Windows, Apple iPhone, or Android.

    The primary benefit of configuring L2TP with IPsec/IKEv1 in a remote access scenario is that remote users can access a VPN over a public IP network without a gateway or a dedicated line, which enables remote access from virtually anyplace with POTS. An additional benefit is that no additional client software, such as Cisco VPN client software, is required.

    L2TP over IPsec supports only IKEv1. IKEv2 is not supported.

    The configuration of L2TP with IPsec/IKEv1 supports certificates using the preshared keys or RSA signature methods, and the use of dynamic (as opposed to static) crypto maps. This summary of tasks assumes completion of IKEv1, as well as pre-shared keys or RSA signature configuration. See Chapter 41, “Digital Certificates,” in the general operations configuration guide for the steps to configure preshared keys, RSA, and dynamic crypto maps.

    L2TP with IPsec on the ASA allows the LNS to interoperate with native VPN clients integrated in such operating systems as Windows, MAC OS X, Android, and Cisco IOS. Only L2TP with IPsec is supported, native L2TP itself is not supported on ASA. The minimum IPsec security association lifetime supported by the Windows client is 300 seconds. If the lifetime on the ASA is set to less than 300 seconds, the Windows client ignores it and replaces it with a 300 second lifetime.

    IPsec Transport and Tunnel Modes

    By default, the ASA uses IPsec tunnel mode—the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPsec. Tunnel mode also protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

    However, the Windows L2TP/IPsec client uses IPsec transport mode—only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination of the packet. The following figure illustrates the differences between IPsec tunnel and transport modes.

    In order for Windows L2TP and IPsec clients to connect to the ASA, you must configure IPsec transport mode for a transform set using the crypto ipsec transform-set trans_name mode transport command. This command is used in the configuration procedure .

    ASA cannot push more than 28 ACE in split-tunnel access-list.

    With this transport capability, you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits the examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport mode allows an attacker to perform some traffic analysis.

    Licensing Requirements for L2TP over IPsec

    This feature is not available on No Payload Encryption models.

    IPsec remote access VPN using IKEv2 requires an AnyConnect Plus or Apex license, available separately. IPsec remote access VPN using IKEv1 and IPsec site-to-site VPN using IKEv1 or IKEv2 uses the Other VPN license that comes with the Essentials license. See Cisco ASA Series Feature Licenses for maximum values per model.

    Prerequisites for Configuring L2TP over IPsec

    Configuring L2TP over IPsec has the following prerequisites:

    • Group Policy-You can configure the default group policy (DfltGrpPolicy) or a user-defined group policy for L2TP/IPsec connections. In either case, the group policy must be configured to use the L2TP/IPsec tunneling protocol. If the L2TP/IPsec tunning protocol is not configured for your user-defined group policy, configure the DfltGrpPolicy for the L2TP/IPsec tunning protocol and allow your user-defined group policy to inherit this attribute.
    • Connection Profile-You need to configure the default connection proflie (tunnel group), DefaultRAGroup, if you are performing “pre-shared key” authentication. If you are performing certificate-based authentication, you can use a user-defined connection profile that can be chosen based on certificate identifiers.
    • IP connectivity needs to be established between the peers. To test connectivity, try to ping the IP address of the ASA from your endpoint and try to ping the IP address of your endpoint from the ASA.
    • Make sure that UDP port 1701 is not blocked anywhere along the path of the connection.
    • If a Windows 7 endpoint device authenticates using a certificate that specifies a SHA signature type, the signature type must match that of the ASA, either SHA1 or SHA2.

    Guidelines and Limitations

    This section includes the guidelines and limitations for this feature.

    Context Mode Guidelines

    Supported in single context mode.

    Firewall Mode Guidelines

    Supported only in routed firewall mode. Transparent mode is not supported.

    Failover Guidelines

    L2TP over IPsec sessions are not supported by stateful failover.

    IPv6 Guidelines

    There is no native IPv6 tunnel setup support for L2TP over IPsec.

    Software Limitation on All Platforms

    We currently only support 4096 L2TP over IPsec tunnels.

    Authentication Guidelines

    The ASA only supports the PPP authentications PAP and Microsoft CHAP, Versions 1 and 2, on the local database. EAP and CHAP are performed by proxy authentication servers. Therefore, if a remote user belongs to a tunnel group configured with the authentication eap-proxy or authentication chap commands, and the ASA is configured to use the local database, that user will not be able to connect.

    Supported PPP Authentication Types

    L2TP over IPsec connections on the ASA support only the PPP authentication types as shown:

    Table 1. AAA Server Support and PPP Authentication Types

    AAA Server Type

    Supported PPP Authentication Types



    L2TP over IPsec

    L2TP, short for Layer Two (2) Tunneling Protocol , is a data link layer (layer 2 of the OSI Open Source Initiative model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet), better known as VPN Virtual Private Network s. Because of the lack of confidentiality inherent in the L2TP protocol, it is often combined with IPsec Internet Protocol Security , which provides confidentiality, authentication, and integrity. The combination of these two protocols is also known as L2TP over IPsec. L2TP over IPsec allows you, while providing the same functions as PPTP, to give individual hosts access to your network through an encrypted IPsec tunnel.