(closed) Fail: Windows 7 L2TP/IPSec client and VPN 3000 series concentrator

Will White
Level 1

I have an old Cisco 3005 for clients accessing a small office network which has worked fine for a long time. Since it is a very basic system -- nothing fancy, just the upper management needing access to some internal resources in a single subnet -- the decision was made to use the native Windows VPN client with L2TP over IPSec. New laptops ship with Windows 7 and the users are happy, but some of the VPN users have gotten these and complain. The system used to (and still does) work just fine with Windows XP as the client, but Windows 7 just does not work.

The 3005 is running 4.7 software. SA settings: IKE-3DES-SHA-DH2, PSK, no PFS, Main mode, Transport. Nothing special IMHO.

Looking at the log from the 3005, there is pretty much nothing interesting; it seems that phase 2 is completed, but after that "something" happens and Windows 7 decides to terminate the connection instead of starting L2TP:

178 07/27/2010 19:00:38.950 SEV=5 IKE/172 RPT=7 192.0.2.1
Group [VPNC_Base_Group]
Automatic NAT Detection Status:
   Remote end   IS   behind a NAT device
   This   end is NOT behind a NAT device

182 07/27/2010 19:00:39.050 SEV=4 IKE/119 RPT=7 192.0.2.1
Group [VPNC_Base_Group]
PHASE 1 COMPLETED

183 07/27/2010 19:00:39.170 SEV=5 IKE/25 RPT=5 192.0.2.1
Group [VPNC_Base_Group]
Received remote Proxy Host data in ID Payload:
Address 192.0.2.1, Protocol 17, Port 1701

186 07/27/2010 19:00:39.180 SEV=5 IKE/24 RPT=7 192.0.2.1
Group [VPNC_Base_Group]
Received local Proxy Host data in ID Payload:
Address 192.0.2.99, Protocol 17, Port 1701

189 07/27/2010 19:00:39.180 SEV=5 IKE/66 RPT=5 192.0.2.1
Group [VPNC_Base_Group]
IKE Remote Peer configured for SA: ESP-3DES-SHA-DH2-TRANSPORT

190 07/27/2010 19:00:39.300 SEV=4 IPSEC/7 RPT=1
IPSec ESP Tunnel Inb: invalid direction in security association

191 07/27/2010 19:00:39.310 SEV=4 IKE/173 RPT=5 192.0.2.1
Group [VPNC_Base_Group]
NAT-Traversal successfully negotiated!
IPSec traffic will be encapsulated to pass through NAT devices.

194 07/27/2010 19:00:39.310 SEV=4 IKE/49 RPT=5 192.0.2.1
Group [VPNC_Base_Group]
Security negotiation complete for User ()
Responder, Inbound SPI = 0x16aa8f52, Outbound SPI = 0x3c8c1889

197 07/27/2010 19:00:39.320 SEV=4 IKE/120 RPT=5 192.0.2.1
Group [VPNC_Base_Group]
PHASE 2 COMPLETED (msgid=00000001)

198 07/27/2010 19:01:17.290 SEV=5 IKE/50 RPT=1 192.0.2.1
Group [VPNC_Base_Group]
Connection terminated for peer .
Reason: Peer Terminate
Remote Proxy 192.0.2.1, Local Proxy 192.0.2.99

Usually after message #197 the L2TP session starts. But in this case it looks like L2TP is not working.
192.0.2.1 is the client, 192.0.2.99 is the VPN concentrator.

Message was edited by: Will White: change subject to closed, will never work

1 Reply

Will White
Level 1

I do not know exactly what happened; I believe I changed nothing, but now I have a few more errors in the 3005 log.

Phase 2 completes, and after that there is an error with L2TP:

527 07/27/2010 19:44:12.810 SEV=4 IKE/120 RPT=15 192.0.2.1
Group [VPNC_Base_Group]
PHASE 2 COMPLETED (msgid=00000001)

528 07/27/2010 19:44:12.940 SEV=4 L2TP/57 RPT=14
Tunnel to peer 192.0.2.1 established

529 07/27/2010 19:44:12.940 SEV=4 L2TP/5 RPT=11 192.0.2.1
Received Result Code AVP which is invalid for message Incoming-Call-Request (ip = 192.0.2.1)

531 07/27/2010 19:44:12.940 SEV=4 L2TP/47 RPT=14 192.0.2.1
Session closed on tunnel 192.0.2.1 (peer 1, local 28835, serial 0), reason:

533 07/27/2010 19:44:24.900 SEV=5 L2TP/25 RPT=9 192.0.2.1
Received ctrl message type 14 (Call-Disconnect-Notify) from 192.0.2.1 but session not started

535 07/27/2010 19:44:25.030 SEV=4 L2TP/46 RPT=14 192.0.2.1
Tunnel to peer 192.0.2.1 closed, reason: L2TP peer terminated connection

Googling for the error in message #529 produces exactly one result, where numerous people complain about this, starting with Windows Vista SP1. The solutions proposed seem to be for a different problem: I do not get a "device not found" error on the Windows 7 client.

Edit:

This looks like the culprit:

http://nwsmith.blogspot.com/2008/03/vista-sp1-crashes-linux-l2tp-daemon.html

"For Windows XP clients, we see the following AVPs (Attribute Value pairs): 'Control Message', 'Assigned Session', 'Call Serial Number' and 'Bearer Type'.

For the Windows Vista SP1 client, there was an extra AVP tagged onto the end. This is a 'Vendor-Specific' AVP of 'Type 1', specifying a 'Vendor ID' of 311 (0x0137), meaning 'Microsoft'.

So what is this extra Microsoft AVP? A quick google finds a Cisco document, implying it may be related to RADIUS. It talks about Vendor-Specific Attributes (VSAs). Table 36 lists Vendor-Specific RADIUS IETF Attributes with Vendor company code 311 and Sub-type 1, which is a "MSCHAP-Response" attribute.

Ok, so it seems the version of l2tpd we are using does not like the presence of this extra AVP, and mistakes it for a 'Result Code' AVP, which should only be present in CDN and StopCCN messages.

The relevant RFC is: RFC2261 - "Layer Two Tunneling Protocol".

Looking at the top of page 50 of the RFC, for an ICRQ, it lists the AVPs that MUST be present, and the AVPs that MAY be present. This would seem to indicate that a vendor specific AVP is NOT valid at this stage."

So, in short: starting with Vista SP1, Microsoft has decided to add an AVP to the Incoming-Call-Request (ICRQ) message which the L2TP RFC does not list as permitted there. The 3005 then detects this as an error condition and boots the connection.

The 4.7.2 software release notes state that this will never work:

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/Release_Notes/472con3k.html#wp211867

"Due to architectural changes in Windows Vista L2TP/IPsec support, compatibility is not available for VPN 3000 Series Concentrators. The Embedded L2TP/IPSec VPN Client for Windows Vista does not establish a connection to the VPN 3000 Concentrator. Customers must upgrade to the Cisco ASA 5500 Security Appliance to use this function (CSCsm16075)."

Case closed.

Message was edited by: Will White
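As an added illustration (not code from this thread, from the blog quoted above, or from Cisco), here is a small Python model of the AVP handling the reply describes: a parser for RFC 2661 control-message AVPs, a checker that keys on Attribute Type alone and so confuses the Microsoft vendor 311 / type 1 AVP with the IETF Result Code AVP (also type 1), and a vendor-aware checker that does not. The ICRQ bodies are constructed; the M bit and value of the Microsoft AVP are assumptions, since the thread does not show them.

```python
import struct

MESSAGE_TYPE, RESULT_CODE = 0, 1              # RFC 2661 IETF attribute types
ASSIGNED_SESSION_ID, CALL_SERIAL_NUMBER, BEARER_TYPE = 14, 15, 18
ICRQ = 10                                     # Message Type value of Incoming-Call-Request
MS_VENDOR_ID = 311                            # Vendor ID of the extra AVP described above

def build_avp(attr, value, vendor=0, mandatory=True):
    """Encode one RFC 2661 AVP: flags/length word, Vendor ID, Attribute Type, value."""
    length = 6 + len(value)  # the length field covers the 6-byte header too
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor, attr) + value

def parse_avps(body):
    """Split a control-message body into (mandatory, vendor, attr, value) tuples."""
    avps, off = [], 0
    while off < len(body):
        if len(body) - off < 6:
            raise ValueError("truncated AVP header")
        flags, vendor, attr = struct.unpack_from("!HHH", body, off)
        length = flags & 0x03FF  # low 10 bits; the top bits are M, H and reserved
        if length < 6 or off + length > len(body):
            raise ValueError("malformed AVP length")
        avps.append((bool(flags & 0x8000), vendor, attr, body[off + 6:off + length]))
        off += length
    return avps

def check_icrq_naive(body):
    """Keys on Attribute Type alone: vendor 311 / type 1 looks like the IETF Result Code AVP (type 1)."""
    for _, _vendor, attr, _ in parse_avps(body):
        if attr == RESULT_CODE:
            return "Result Code AVP invalid for ICRQ"
    return "ok"

def check_icrq_vendor_aware(body):
    """Only vendor 0 attributes map to RFC 2661 types; unknown vendor AVPs are skipped unless the M bit is set."""
    for mandatory, vendor, attr, _ in parse_avps(body):
        if vendor != 0:
            if mandatory:
                return "unknown mandatory vendor AVP"
            continue
        if attr == RESULT_CODE:
            return "Result Code AVP invalid for ICRQ"
    return "ok"

# Constructed ICRQ bodies; session id, serial number and bearer values are arbitrary.
XP_ICRQ = (build_avp(MESSAGE_TYPE, struct.pack("!H", ICRQ)) + build_avp(ASSIGNED_SESSION_ID, struct.pack("!H", 1))
           + build_avp(CALL_SERIAL_NUMBER, struct.pack("!I", 7)) + build_avp(BEARER_TYPE, struct.pack("!I", 0)))
# Assumption: the Microsoft AVP is sent without the M bit; its value here is a placeholder.
VISTA_ICRQ = XP_ICRQ + build_avp(1, b"\x00\x00", vendor=MS_VENDOR_ID, mandatory=False)
```

The naive checker rejects VISTA_ICRQ with the same complaint as log message #529, while the vendor-aware one accepts it and still rejects a genuine (vendor 0) Result Code AVP.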