28-5
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 28 Configuring L2TP over IPSec
Viewing L2TP over IPSec Connection Information
Step 11 Configure the interval (in seconds) between hello messages using the l2tp tunnel hello command in
global configuration mode:
hostname(config)# l2tp tunnel hello seconds
Step 12 (Optional) If you expect multiple L2TP clients behind a NAT device to attempt L2TP over IPSec
connections to the security appliance, you must enable NAT traversal so that ESP packets can pass
through one or more NAT devices.
To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the crypto
isakmp enable command) in global configuration mode and then use the crypto isakmp nat-traversal
command. For example:
hostname(config)# crypto isakmp enable
hostname(config)# crypto isakmp nat-traversal 30
Tunnel Group Switching
Tunnel Group Switching enables the security appliance to associate different users that are establishing
L2TP over IPSec connections with different tunnel groups. Since each tunnel group has its own AAA
server group and IP address pools, users can be authenticated through methods specific to their tunnel
group.
With this feature, instead of sending just a username, the user sends a username and a group name in the
format username@group_name, where “@” represents a delimiter that you can configure, and the group
name is the name of a tunnel group that has been configured on the security appliance.
To enable Tunnel Group Switching, you must enable Strip Group processing using the strip-group
command from tunnel-group general-attributes mode. When enabled, the security appliance selects the
tunnel group for user connections by obtaining the group name from the username presented by the VPN
client. The security appliance then sends only the user part of the username for authorization and
authentication. Otherwise (if disabled), the security appliance sends the entire username, including the
realm. In the following example, Strip Group processing is enabled for the tunnel-group telecommuters:
asa1(config)# tunnel-group telecommuters general-attributes
asa1(config-tunnel-general)# strip-group
Viewing L2TP over IPSec Connection Information
The show vpn-sessiondb command includes protocol filters that you can use to view detailed
information about L2TP over IPSec connections. The full command from global configuration mode is
show vpn-sessiondb detail remote filter protocol l2tpOverIpsec.
The following example shows the details of a single L2TP over IPSec connection:
hostname# show vpn-sessiondb detail remote filter protocol L2TPOverIPSec
Session Type: Remote Detailed
Username : b_smith
Index : 1
Assigned IP : 90.208.1.200 Public IP : 70.208.1.212
Protocol : L2TPOverIPSec Encryption : 3DES
Hashing : SHA1
Bytes Tx : 418464 Bytes Rx : 424440
Client Type : Client Ver :
Group Policy : DfltGrpPolicy
Tunnel Group : DefaultRAGroup
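An added example, not from the Cisco guide: a small Python parser for the session block shown above, plus a check that flags sessions still negotiating DES/3DES or MD5 so a reviewer can spot them when auditing many sessions. It assumes the field names are exactly those in the output above and embeds that output as constructed sample input.

```python
import re
from typing import Dict, List

# Field names exactly as they appear in the "show vpn-sessiondb detail" output above.
FIELDS = [
    "Session Type", "Username", "Index", "Assigned IP", "Public IP",
    "Protocol", "Encryption", "Hashing", "Bytes Tx", "Bytes Rx",
    "Client Type", "Client Ver", "Group Policy", "Tunnel Group",
]
_KEYS = "|".join(re.escape(f) for f in FIELDS)
# One "Key : value" pair; the value runs until the next known key on the same
# line or end of line, so lines carrying two pairs and empty values both work.
PAIR_RE = re.compile(rf"\b({_KEYS})\s*:\s*(.*?)(?=\s*\b(?:{_KEYS})\s*:|$)")

# Constructed sample: the single-session output quoted in the guide.
SAMPLE = """\
Session Type: Remote Detailed
Username : b_smith
Index : 1
Assigned IP : 90.208.1.200 Public IP : 70.208.1.212
Protocol : L2TPOverIPSec Encryption : 3DES
Hashing : SHA1
Bytes Tx : 418464 Bytes Rx : 424440
Client Type : Client Ver :
Group Policy : DfltGrpPolicy
Tunnel Group : DefaultRAGroup
"""

WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASHING = {"MD5"}


def parse_session(text: str) -> Dict[str, str]:
    """Flatten one session block into {field: value}; empty fields stay ''."""
    session: Dict[str, str] = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            session[key] = value.strip()
    return session


def weak_crypto_findings(session: Dict[str, str]) -> List[str]:
    """Return human-readable findings for legacy IPSec transform choices."""
    findings: List[str] = []
    if session.get("Encryption") in WEAK_ENCRYPTION:
        findings.append(f"weak encryption {session['Encryption']}")
    if session.get("Hashing") in WEAK_HASHING:
        findings.append(f"weak hashing {session['Hashing']}")
    return findings


if __name__ == "__main__":
    parsed = parse_session(SAMPLE)
    print(parsed["Username"], parsed["Public IP"], weak_crypto_findings(parsed))
```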