05-11-2010 12:55 AM
We have a working configuration for an L2TP-IPSec connection from a native Windows XP client to the ASA 5510. When trying to set up a connection from a Windows 7 client, the connection fails with the message that all SA proposals are unacceptable.
Is this coexistence possible, and what parameters would I have to change to get this working? I have understood that the Windows 7 client requires some higher security proposals, but have not found what these are. And at the same time we are concerned about not destroying the VPN connection for our existing XP clients.
Any help would be appreciated.
Thanks in advance.
05-11-2010 03:22 AM
Can you please share what is currently configured?
The following show output would be great:
show run crypto map
show run crypto ipsec
05-11-2010 07:09 AM
It's true, Windows 7 requires higher encryption; you might be seeing error 789 on the Windows client. Please share the following outputs:
sho run cry dyn
sh run | in trans
Regards,
Mohit
05-11-2010 11:19 PM
Here is the output of the show commands (output indented):
show run crypto ipsec
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
show run crypto
  crypto map DMZ_map 20 ipsec-isakmp dynamic DMZ_dyn_map
  crypto map DMZ_map interface DMZ
show run cry dyn
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime seconds 28800
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime kilobytes 4608000
  crypto dynamic-map DMZ_dyn_map 20 set reverse-route
sh run | in trans
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
05-18-2010 12:09 AM
Haven't gotten any replies on this. Anyone have any suggestions? Pleeease!
05-19-2010 03:50 AM
Looks like the IPsec (phase 2) transform sets are OK (including 3DES+SHA); but is it phase 2 that is failing, or rather phase 1?
Do you have an isakmp policy that includes 3DES and SHA?
02-08-2011 10:35 AM
Good evening, gents!
Got the same problem: XP connects fine, but 7 fails. Any suggestions?
02-08-2011 02:58 PM
I had similar issues and I installed this fix:
http://support.microsoft.com/kb/980399/en-us
It seemed to work; don't forget to reboot after you install this. There are also issues with an L2TP connection "hanging" and not allowing a reconnect for a while.
02-08-2011 11:22 PM
I found another solution for Win 7 clients: the transform-set on the ASA must include hmac, not md5, since Win 7 does not support md5 anymore.
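As an added example (not code from this thread or from Cisco), the following Python script parses ASA "show run crypto ipsec" / "show run cry dyn" output like that posted above and reports, for each transform set the dynamic map offers, whether it could match a transport-mode, SHA-HMAC proposal. That Windows 7 L2TP/IPsec clients need exactly that is taken from the replies above and is an assumption here; the sample output is constructed, and the check covers phase 2 only, not the isakmp policy.

```python
import re

# Constructed sample, modelled on (but shorter than) the ASA output posted above.
SAMPLE = """\
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA TRANS_ESP_AES-128_SHA
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$")

def parse_crypto(text):
    """Return (transform sets by name, set names offered by dynamic maps, in order).
    A set is {'esp': [...], 'mode': ...}; ASA uses tunnel mode unless 'mode transport' is set."""
    sets, offered = {}, []
    for line in text.splitlines():
        line = line.strip()
        ts = TS_RE.match(line)
        dyn = DYN_RE.match(line)
        if ts:
            name, rest = ts.groups()
            entry = sets.setdefault(name, {"esp": [], "mode": "tunnel"})
            if rest == "mode transport":
                entry["mode"] = "transport"
            else:
                entry["esp"] = rest.split()
        elif dyn:
            offered.extend(dyn.group(1).split())
    return sets, offered

def audit_for_l2tp(text):
    """Per offered set: 'ok', or the first reason a transport-mode SHA-HMAC proposal
    (assumed Windows 7 L2TP/IPsec behaviour) cannot match it."""
    sets, offered = parse_crypto(text)
    verdicts = {}
    for name in offered:
        ts = sets.get(name)
        if ts is None:
            verdicts[name] = "referenced but not defined"
        elif ts["mode"] != "transport":
            verdicts[name] = "tunnel mode (L2TP/IPsec needs transport)"
        elif "esp-sha-hmac" not in ts["esp"]:
            verdicts[name] = "no esp-sha-hmac (MD5-only integrity)"
        else:
            verdicts[name] = "ok"
    return verdicts
```

Run it against the real output pasted from the ASA to see which offered sets a transport-mode SHA client could land on and why the others are skipped.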