Windows 7 L2TP vs. Cisco ASA 8.4

Hello,

I am trying to set up a remote access VPN from Windows 7 to ASA 8.4. The requirement is to use the native Windows VPN client; no additional VPN client is to be installed.

The issue is that IKEv1 fails with a message like "All proposals unacceptable". The client is behind NAT; UDP IKE packets flow from port 500 to port 500. I suspect a Diffie-Hellman group mismatch. With Wireshark I was able to see the IKE proposals sent by Windows 7. They are the following:

  • AES-256, SHA, Group-Description : 384-bit random ECP group, RSA-SIG, Lifetime 0 seconds
  • AES-128, SHA, Group-Description : 256-bit random ECP group, RSA-SIG, Lifetime 0 seconds
  • AES-256, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds
  • 3DES, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds

According to RFC 3526 the 2048-bit MODP group has the assigned id 14; Cisco ASA 8.4 lets me configure DH group 1, 2 or 5 only. DH groups with Elliptic Curve Cryptography (ECP groups) are not available on the ASA.

Question: How do I configure ASA 8.4 IKE or the Windows 7 native client so that L2TP/IPsec remote access works?

Thanks.

Regards.

Re: Windows 7 L2TP vs. Cisco ASA 8.4

I will respond myself.

Windows 7 sends 5 IKE proposals, not four as I assumed originally. The fifth one is the following:

  • 3DES, SHA, Group-Description : Alternate 1024-bit MODP group, RSA-SIG, Lifetime 0 seconds

So on the ASA an IKE policy with the following parameters is needed:

Encryption 3DES, Hash SHA, DH group 2, Authentication RSA-SIG, Lifetime 86400 seconds

and IPSec proposal:

Mode Transport, ESP Encryption AES-128, ESP Authentication SHA.

Regards.
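To see why the first four Windows 7 proposals can never match on ASA 8.4 and only the fifth can, here is an added Python model of the IKEv1 Phase 1 matching (example code, not from this thread or from Cisco). The DH group numbers are taken from the IANA IKEv1 "Group Description" registry; the set of groups the ASA can configure is as stated in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA IKEv1 Group Description values for the group names Wireshark prints.
GROUP_ID = {
    "Alternate 1024-bit MODP group": 2,
    "1536-bit MODP group": 5,
    "2048-bit MODP group": 14,
    "256-bit random ECP group": 19,
    "384-bit random ECP group": 20,
}

# DH groups the thread says ASA 8.4 offers for IKEv1 policies.
ASA84_DH_GROUPS = {1, 2, 5}


@dataclass(frozen=True)
class Proposal:
    encryption: str
    hash: str
    group: int
    auth: str


# The five proposals the Windows 7 client sent, reconstructed from the
# Wireshark observations in the thread (constructed sample input).
WINDOWS7_PROPOSALS = [
    Proposal("AES-256", "SHA", GROUP_ID["384-bit random ECP group"], "RSA-SIG"),
    Proposal("AES-128", "SHA", GROUP_ID["256-bit random ECP group"], "RSA-SIG"),
    Proposal("AES-256", "SHA", GROUP_ID["2048-bit MODP group"], "RSA-SIG"),
    Proposal("3DES", "SHA", GROUP_ID["2048-bit MODP group"], "RSA-SIG"),
    Proposal("3DES", "SHA", GROUP_ID["Alternate 1024-bit MODP group"], "RSA-SIG"),
]


def unmatchable_on_asa84(proposals: List[Proposal]) -> List[int]:
    """1-based indexes of proposals whose DH group no ASA 8.4 policy can carry."""
    return [i for i, p in enumerate(proposals, 1) if p.group not in ASA84_DH_GROUPS]


def negotiate(asa_policies: List[Proposal],
              proposals: List[Proposal]) -> Optional[Tuple[int, Proposal]]:
    """Return the first client proposal equal to some configured policy on all
    four attributes, or None (the responder then rejects every proposal, which
    the ASA logs as "All proposals unacceptable"). With several matches the
    real ASA priority order may pick differently; this is a simplification."""
    for i, p in enumerate(proposals, 1):
        if p in asa_policies:
            return i, p
    return None
```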