Windows 7 L2TP vs. Cisco ASA 8.4

chrastina
Level 1

Hello,

I am trying to set remote access VPN from Windows 7 to ASA 8.4 . Requirement is to use native Windows VPN client, no additional VPN client has to be installed.

The issue is that IKEv1 fails with a message like "All proposals unacceptable". The client is behind NAT, UDP IKE packets flow from port 500 to port 500. I suspect a Diffie-Hellman group mismatch. With Wireshark I was able to see the IKE proposals sent by Windows 7. They are the following:

  • AES-256, SHA, Group-Description : 384-bit random ECP group, RSA-SIG, Lifetime 0 seconds
  • AES-128, SHA, Group-Description : 256-bit random ECP group, RSA-SIG, Lifetime 0 seconds
  • AES-256, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds
  • 3DES, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds

According to RFC 3526 the 2048-bit MODP group is assigned id 14 - Cisco ASA 8.4 lets me configure DH group 1, 2 or 5 only. DH groups with Elliptic Curve Cryptography (ECP groups) are not available on the ASA.

Question: How to configure ASA 8.4 IKE or Windows 7 native client so L2TP/IPSec remote access works?

Thanks.

Regards.

1 Reply

chrastina
Level 1

I will respond myself.

Windows 7 sends 5 IKE proposals, not four as I assumed originally. The fifth one is the following:

  • 3DES, SHA, Group-Description : Alternate 1024-bit MODP group, RSA-SIG, Lifetime 0 seconds

So on the ASA an IKE policy with the following parameters is needed:

Encryption 3DES, Hash SHA, DH group 2, Authentication RSA-SIG, Lifetime 86400 seconds

and IPSec proposal:

Mode Transport, ESP Encryption AES-128, ESP Authentication SHA.

Regards.
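The ASA side of the answer above, written out as an added example configuration for ASA 8.4 (this is not configuration from the original post). Object names (L2TP-POOL, L2TP-GP, L2TP-TS, DYN-MAP, OUTSIDE-MAP, ASA-TP), the address pool, the DNS server and the interface name are assumptions; the phase 1 policy and phase 2 transform set are exactly the parameters the reply lists:

```cisco
! Added example: ASA 8.4 L2TP/IPsec remote access for the Windows 7 native client.
! Names (L2TP-POOL, L2TP-GP, L2TP-TS, DYN-MAP, OUTSIDE-MAP, ASA-TP), the address
! pool, the DNS server and the interface name are assumptions; use your own values.

! Addresses handed to L2TP clients (assumed range).
ip local pool L2TP-POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0

! IKEv1 phase 1: of the five proposals Windows 7 sends, the only one an ASA
! limited to DH groups 1/2/5 can accept is 3DES / SHA / group 2 / RSA-SIG.
crypto ikev1 policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! IPsec phase 2: AES-128 / SHA, transport mode as L2TP/IPsec requires.
crypto ipsec ikev1 transform-set L2TP-TS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-TS mode transport

! Dynamic crypto map, because the client's source address is not known in advance.
! The client sits behind NAT, so NAT-T stays enabled (20 = keepalive interval in seconds).
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set L2TP-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
crypto isakmp nat-traversal 20

! Group policy restricted to L2TP/IPsec (DNS server address assumed).
group-policy L2TP-GP internal
group-policy L2TP-GP attributes
 vpn-tunnel-protocol l2tp-ipsec
 dns-server value 192.168.1.10

! The native client sends no group name, so the connection lands in DefaultRAGroup.
! RSA-SIG means the ASA needs an identity certificate (trustpoint ASA-TP, assumed)
! and the Windows machine needs a certificate from a CA both sides trust.
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
 default-group-policy L2TP-GP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 trust-point ASA-TP
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
```

To confirm the negotiation picks the expected proposal, watch `debug crypto ikev1 127` during a connection attempt and check `show crypto ikev1 sa` afterwards; a phase 1 SA listed with 3DES/SHA/group 2 means the policy matched, and a second "All proposals unacceptable" points at the transform set or transport mode rather than the IKE policy.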
