Hello,
I am trying to set up a remote access VPN from Windows 7 to ASA 8.4. The requirement is to use the native Windows VPN client; no additional VPN client has to be installed.
The issue is that IKEv1 fails with a message like "All proposals unacceptable". The client is behind NAT, and UDP IKE packets flow from port 500 to port 500. I suspect a Diffie-Hellman group mismatch. With Wireshark I was able to see the IKE proposals sent by Windows 7. They are the following:
- AES-256, SHA, Group-Description : 384-bit random ECP group, RSA-SIG, Lifetime 0 seconds
- AES-128, SHA, Group-Description : 256-bit random ECP group, RSA-SIG, Lifetime 0 seconds
- AES-256, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds
- 3DES, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds
According to RFC 3526 the 2048-bit MODP group is assigned id 14; Cisco ASA 8.4 lets me configure DH groups 1, 2 or 5 only. DH groups with Elliptic Curve Cryptography (ECP groups) are not available on ASA.
Question: How to configure ASA 8.4 IKE or Windows 7 native client so L2TP/IPSec remote access works?
Thanks.
Regards.
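As an added example, not part of the original post: a small Python model of IKEv1 Phase 1 responder selection that reproduces the diagnosis above. It parses the four proposals exactly as quoted from the Wireshark capture, maps the "Group-Description" names to their IANA group ids (the MODP ids from RFC 2409/RFC 3526, the ECP ids 19 and 20 from RFC 4753), and checks them against a constructed ASA policy set. The `ASA_POLICIES` list is an assumption built from the post's statement that only groups 1, 2 and 5 are configurable; the function and variable names are hypothetical and not Cisco or Windows APIs. The `closest_policy` helper reports which attributes keep each proposal from matching, so you can confirm that the DH group is the only blocker rather than encryption, hash or authentication.

```python
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

# IANA IKEv1 "Group Description" attribute values (RFC 2409, RFC 3526, RFC 4753).
DH_GROUP_NAMES = {
    1: "768-bit MODP group",
    2: "1024-bit MODP group",
    5: "1536-bit MODP group",
    14: "2048-bit MODP group",
    19: "256-bit random ECP group",
    20: "384-bit random ECP group",
}
DH_GROUP_IDS = {name: gid for gid, name in DH_GROUP_NAMES.items()}


@dataclass(frozen=True)
class Transform:
    """One IKEv1 Phase 1 transform: the four attributes both peers must agree on."""
    encryption: str
    hash_alg: str
    group: int
    auth: str


def parse_wireshark_proposal(line: str) -> Transform:
    """Parse a proposal line in the format quoted in the post, e.g.
    '- AES-256, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds'.
    Lifetime is ignored: it is negotiated separately and does not by itself
    cause 'All proposals unacceptable'."""
    fields = [f.strip() for f in line.strip().lstrip("-").split(",")]
    encryption, hash_alg, group_field, auth = fields[0], fields[1], fields[2], fields[3]
    group_name = group_field.split(":", 1)[1].strip()
    return Transform(encryption, hash_alg, DH_GROUP_IDS[group_name], auth)


def mismatched_attributes(offered: Transform, policy: Transform) -> List[str]:
    """Names of the attributes on which an offered transform differs from a policy."""
    policy_fields = asdict(policy)
    return [k for k, v in asdict(offered).items() if v != policy_fields[k]]


def negotiate(offered: List[Transform], policies: List[Transform]) -> Optional[Tuple[Transform, Transform]]:
    """Responder selection: policies are tried in priority order and the first one
    that some offered transform matches exactly wins. None models the ASA's
    'All proposals unacceptable' outcome."""
    for policy in policies:
        for transform in offered:
            if not mismatched_attributes(transform, policy):
                return transform, policy
    return None


def closest_policy(offered: List[Transform], policies: List[Transform]) -> Dict[Transform, List[str]]:
    """For each offered transform, the smallest set of attributes that would have to
    change (on either side) for some policy to accept it."""
    return {t: min((mismatched_attributes(t, p) for p in policies), key=len) for t in offered}


# The four proposals exactly as captured from the Windows 7 initiator in the post.
WINDOWS7_PROPOSALS = [parse_wireshark_proposal(line) for line in """
- AES-256, SHA, Group-Description : 384-bit random ECP group, RSA-SIG, Lifetime 0 seconds
- AES-128, SHA, Group-Description : 256-bit random ECP group, RSA-SIG, Lifetime 0 seconds
- AES-256, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds
- 3DES, SHA, Group-Description : 2048-bit MODP group, RSA-SIG, Lifetime 0 seconds
""".strip().splitlines()]

# Constructed ASA policy set (an assumption, not taken from the post): the post says
# the ASA only lets groups 1, 2 and 5 be configured, so every policy uses one of those.
ASA_POLICIES = [
    Transform("AES-256", "SHA", 2, "RSA-SIG"),
    Transform("AES-128", "SHA", 2, "RSA-SIG"),
    Transform("3DES", "SHA", 2, "RSA-SIG"),
    Transform("3DES", "SHA", 5, "RSA-SIG"),
]

if __name__ == "__main__":
    outcome = negotiate(WINDOWS7_PROPOSALS, ASA_POLICIES)
    print("negotiation result:", outcome if outcome else "All proposals unacceptable")
    for t, diff in closest_policy(WINDOWS7_PROPOSALS, ASA_POLICIES).items():
        print(f"  {t.encryption}/{t.hash_alg}/group {t.group}: nearest policy differs in {diff}")
```

Run as-is, the model returns no match and reports that every offered transform differs from its nearest ASA policy only in the DH group (20, 19 or 14 offered versus 2 or 5 configured), which is exactly the mismatch the post suspects. Swapping in a transform with group 2 on the client side shows the first policy matching, so the encryption, hash and authentication attributes are already compatible.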