1-9
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring L2TP over IPsec
Configuring L2TP over IPsec
Configuring L2TP over IPsec
This section provides the required ASA IKEv1 (ISAKMP) policy settings that allow native VPN clients,
integrated with the operating system on an endpoint, to make a VPN connection to the ASA using L2TP
over IPsec protocol.
• IKEv1 phase 1—3DES encryption with SHA1 hash method.
• IPsec phase 2—3DES or AES encryption with MD5 or SHA hash method.
• PPP Authentication—PAP, MS-CHAPv1, or MSCHAPv2 (preferred).
• Pre-shared key (only for iPhone).
Table 1-1 AAA Server Support and PPP Authentication Types
AAA Server Type Supported PPP Authentication Types
LOCAL PAP, MSCHAPv1, MSCHAPv2
RADIUS PAP, CHAP, MSCHAPv1, MSCHAPv2, EAP-Proxy
TACACS+ PAP, CHAP, MSCHAPv1
LDAP PAP
NT PAP
Kerberos PAP
SDI SDI
Table 1-1 PPP Authentication Type Characteristics
Keyword
Authentication
Type Characteristics
chap
CHAP In response to the server challenge, the client returns the encrypted
[challenge plus password] with a cleartext username. This protocol
is more secure than the PAP, but it does not encrypt data.
eap-proxy
EAP Enables EAP which permits the security appliance to proxy the
PPP authentication process to an external RADIUS authentication
server.
ms-chap-v1
ms-chap-v2
Microsoft CHAP,
Ver s io n 1
Microsoft CHAP,
Ver s io n, 2
Similar to CHAP but more secure in that the server stores and
compares only encrypted passwords rather than cleartext
passwords as in CHAP. This protocol also generates a key for data
encryption by MPPE.
pap
PAP Passes cleartext username and password during authentication and
is not secure.
To Next Page
Loading...
Need help?
General
