Windows 7 L2TP connection to ASA 5510 defaulting to "DefaultL2Lgroup"

Endorsed Question

I have a couple of users in my environment who have x64 Windows 7 computers and would like to use the VPN. The Cisco IPSEC VPN client doesn't support x64 and I haven't been able to convince management to shell out the cash for the AnyConnect SSL licenses so I'm stuck with L2TP.


My problem is that when my Windows 7 client connects it uses the "DefaultL2Lgroup" group policy.

ERROR: "713903 Group = DefaultL2LGroup, IP = x.x.x.x, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting"


There's no option in the Windows VPN configuration to select a group and I've been up and down the Cisco configs and nothing seems to change this behavior.


I suppose I could just let it use the "DefaultL2Lgroup" but dangit I want it to work the way I want it to, not the other way around.


That said I'd like it to use the group of my choice but I'd settle for it to default to the "DefaultRAGroup".


Any ideas?

Cisco Endorsed by rvarelac

Hi -


Well, after spending a considerable amount of time on this problem, I have finally solved the puzzle!


First things first, however.  Did you know that Cisco has created the "AnyConnect Essentials" license for ASA code 8.2?  This license gives you the ability to run AnyConnect (which is supported on Win 7 and even 64-bit versions of Windows) without purchasing any expensive WebVPN licenses.  This license is one flat price (very reasonable, too) and allows unlimited connections to the box (limited only by horsepower).  The ASA can also deliver the software to the client using Java or ActiveX, so there is no need to stage the software on the client beforehand.  Also, I was not able to get an L2TP connection to do split tunneling, whereas AnyConnect can.  See the below link for details about the license.


http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp115462


Now, on with the show.  To get L2TP working, I decided to take a step backward and start from the beginning.  I followed the document below to set up a working L2TP VPN from a computer running XP.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml


However, in the document where it shows the screenshots of the Windows computer, you actually want to check the CHAPv2 box and uncheck the CHAPv1 box.  While CHAPv1 works, CHAPv2 is more secure than version 1.  If you are running an external radius server, it may even require version 2.  Also, take note that the computer is set to "Require encryption".  Changing this setting changes the proposals that the computer offers during phase 2 negotiation.


After I got this working, I took the next step and tried to connect a Vista computer.  This failed.  I then captured the output of a "debug crypto isakmp 255" on both connections and compared them.  I saw that Vista offers different proposals than XP did.  So, I changed my ASA config to allow one of the new proposals.  Then, the Vista computer worked.


Finally, I connected the Windows 7 computer.  Magically, it worked!  I captured the debug output and saw that Windows 7 offers the same proposals that Vista offered.  Thus, it worked after I fixed Vista.


Then, I wanted to know what the difference was between "Require encryption" and "Maximum strength encryption".  So, I set all three of my test computers to "max strength" and captured the debug output.  I have assembled my findings and attached them to this post.


So, my ASA configuration ended up looking like this:


crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3desmd5 mode transport
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes128sha mode transport
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256sha mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map out_dyn_map 10 set transform-set 3desmd5 aes128sha aes256sha
crypto map outside_map 65000 ipsec-isakmp dynamic out_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
  dns-server value 192.168.1.4
  vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
  address-pool vpnpool
  default-group-policy DefaultRAGroup
  authentication-server-group LOCAL   ! this is a default command and is normally hidden
tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
  no authentication chap
  authentication ms-chap-v2


For phase 1, when a Windows XP computer connects, the ASA assigns isakmp policy 10 to the connection, while the ASA assigns isakmp policy 65535 to the Vista and Win7 connections.  Note that I created policy 10 per the Cisco instructions above.  I actually do not need policy 10 because XP also offers 3des-sha1 as a phase 1 proposal.  (See attached PDF for proposals.)


For phase 2, when Windows runs in "Require encryption" mode, the "3desmd5" transform set is used for XP, while the "aes128sha" transform is used for Vista and Win 7.  However, when you crank up the Windows encryption to use "Maximum strength encryption", then the "3desmd5" transform set is still used for XP, while the "aes256sha" transform is used for Vista and Windows 7.


When creating your connection in Windows 7, be sure to find the following options and change them:

-set "include windows logon domain" to unchecked unless you're using a back-end radius server which needs it

-set "type of vpn" to "L2TP".  Then, click "advanced", choose "preshared key", and enter your key.

-set "CHAP" to unchecked, but leave "CHAPv2" still checked.


Three final notes:


First, if you're using local username authentication on the ASA, you need to add the "mschap" keyword to the end of the username.  This causes the ASA to store the password differently in the memory.


Second, Microsoft has alleged that the ASA is not compatible with simultaneous L2TP connections from newer versions of Windows (both Vista and Windows 7).  The below document outlines why.  I, however, did not run into this problem.  I am running ASA 8.2(2) and was able to connect multiple computers without issue.  Perhaps this was only a problem in older ASA code.


http://support.microsoft.com/kb/942429


Third, this post does not take into account any of the NAT configurations of the ASA.  You will need to perform the usual NAT exemptions to make your tunnel work after you're done configuring all of this.  Also, the L2TP tunnel will be a full tunnel, not a split tunnel.  Since you will be hairpinning all client traffic to the internet, you will need to provide NAT for that, as well.  Oh, and the same-security-traffic command will be needed for hairpinning, too.


I hope this information helps many people, as I know that I have not seen any good information on the internet about this configuration.


Jeff


Hello -


Did you ever discover how to make Windows 7 connect to an ASA using L2TP?


I've been poring over this for a couple of weeks now and I haven't made any breakthroughs.  However, I do believe that the ASA does terminate the L2TP tunnels on the DefaultRAGroup tunnel group first.  It's only after the pre-shared keys do not match (or you don't have one configured on the tunnel group) that it then tries the DefaultL2LGroup tunnel group.


Jeff

I got frustrated with it and found a third party Cisco-compatible IPSEC VPN client to use for my x64 systems instead of L2TP.


However, I still need to figure out the L2TP problem and get it working; one of the vendors I work with can't use the IPSEC client with their corporate firewall.  Also, it's a matter of pride.


I'll check out the pre-shared keys on the DefaultRAgroup profile and post back with the results.


amdekus Thu, 11/18/2010 - 21:24

Thanks all.


Succeeded with an L2TP connection to a PIX 525 today.


win7, ipad, iphone, XP.


Ver 8.0.




For ipad,iphone:


crypto ipsec transform-set 3des esp-3des esp-none
crypto dynamic-map out_dyn_map 10 set transform-set 3desmd5 aes128sha aes256sha 3des

Ints Meijers Sun, 01/27/2013 - 09:39

I ran into the same situation. This is my first ASA deployment so there are many new concepts to grasp.


L2TP was one of them. I found the answer to your question in the documentation today:


http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/vpn_l2tp_ipsec.html#wp1094289


Configuring L2TP over IPsec has the following prerequisites:

You need to configure the default connection profile (tunnel group), DefaultRAGroup, if you are performing "pre-shared key" authentication. If you are performing certificate-based authentication, you can use a user-defined connection profile that can be chosen based on certificate identifiers.


So this behavior was by design and has nothing to do with any other configuration.
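The following Python script is an added example (not code from this thread, from Jeff, or from Cisco). It parses the transform-set, isakmp policy, dynamic-map and tunnel-group lines of the configuration Jeff posted above and models the decisions the thread works through: the tunnel-group fallthrough from DefaultRAGroup to DefaultL2LGroup that Jeff's earlier reply and the documentation quoted here describe, the phase 1 policy match (policy 10 for XP, 65535 for Vista and 7) and the phase 2 transform-set match for "Require encryption" versus "Maximum strength encryption". The client proposal lists are constructed to be consistent with what the thread reports and are assumptions, not captured debug output, and the negotiation model is a simplification: first policy by priority that any client proposal satisfies, and first client proposal that matches any transform set in dynamic-map order.

```python
"""Added example (not from the thread or Cisco): parse the ASA config Jeff posted
and model tunnel-group selection for a pre-shared-key L2TP client, the phase 1
isakmp policy match and the phase 2 transform-set match.  Client lists are constructed."""
import re

# Constructed excerpt of the configuration posted in the thread (the key value is
# the post's own placeholder).
ASA_CONFIG = """\
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3desmd5 mode transport
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
crypto ipsec transform-set aes128sha mode transport
crypto ipsec transform-set aes256sha esp-aes-256 esp-sha-hmac
crypto ipsec transform-set aes256sha mode transport
crypto dynamic-map out_dyn_map 10 set transform-set 3desmd5 aes128sha aes256sha
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
tunnel-group DefaultRAGroup ipsec-attributes
  pre-shared-key *****
"""

def parse_config(text):
    """Transform sets, isakmp policies, dynamic-map order and PSK-bearing tunnel groups."""
    cfg = {"transform_sets": {}, "policies": {}, "dyn_map_order": [], "psk_groups": set()}
    section = None  # ("policy", prio) or ("tunnel-group", name) inside an indented block
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith(" ") and section:  # attribute line of the open block
            kind, key = section
            word, _, rest = line.partition(" ")
            if kind == "policy":
                cfg["policies"][key][word] = rest
            elif word == "pre-shared-key":
                cfg["psk_groups"].add(key)
            continue
        section = None
        if m := re.match(r"crypto ipsec transform-set (\S+) mode (\S+)$", line):
            cfg["transform_sets"].setdefault(m[1], {})["mode"] = m[2]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line):
            ts = cfg["transform_sets"].setdefault(m[1], {"mode": "tunnel"})  # ASA default mode
            ts["esp"], ts["auth"] = m[2], m[3]
        elif m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", line):
            cfg["dyn_map_order"] = m[1].split()
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            section = ("policy", int(m[1]))
            cfg["policies"][int(m[1])] = {}
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            section = ("tunnel-group", m[1])
    return cfg

def select_tunnel_group(cfg):
    """As the thread explains it: DefaultRAGroup when it carries a key, otherwise the
    client falls through to DefaultL2LGroup, the group named in the question's 713903 error."""
    return "DefaultRAGroup" if "DefaultRAGroup" in cfg["psk_groups"] else "DefaultL2LGroup"

def match_phase1(cfg, proposals):
    """First isakmp policy (lowest priority number first) that any client proposal satisfies."""
    fields = ("authentication", "encryption", "hash", "group")
    for prio in sorted(cfg["policies"]):
        pol = cfg["policies"][prio]
        if any(all(pol.get(f) == p[f] for f in fields) for p in proposals):
            return prio
    return None

def match_phase2(cfg, proposals):
    """First client ESP proposal (in client preference order) matching a transform set in
    dynamic-map order; L2TP/IPsec needs transport mode, so tunnel-mode sets never match."""
    for p in proposals:
        for name in cfg["dyn_map_order"]:
            ts = cfg["transform_sets"][name]
            if (ts.get("esp"), ts.get("auth"), ts["mode"]) == (p["esp"], p["auth"], p["mode"]):
                return name
    return None

def negotiate(cfg, client):
    return {"tunnel_group": select_tunnel_group(cfg),
            "phase1_policy": match_phase1(cfg, client["ike"]),
            "phase2_transform_set": match_phase2(cfg, client["esp"])}

def ike(enc, hsh): return {"authentication": "pre-share", "encryption": enc, "hash": hsh, "group": "2"}
def esp(cipher, auth): return {"esp": cipher, "auth": auth, "mode": "transport"}

# Constructed proposal lists in client preference order: assumptions consistent with
# the thread's observations, not captured debug output.
CLIENTS = {
    "xp-require": {"ike": [ike("3des", "md5"), ike("3des", "sha")],
                   "esp": [esp("esp-3des", "esp-md5-hmac"), esp("esp-3des", "esp-sha-hmac")]},
    "vista7-require": {"ike": [ike("aes-256", "sha"), ike("3des", "sha")],
                       "esp": [esp("esp-aes", "esp-sha-hmac"), esp("esp-3des", "esp-sha-hmac")]},
    "vista7-max": {"ike": [ike("aes-256", "sha"), ike("3des", "sha")],
                   "esp": [esp("esp-aes-256", "esp-sha-hmac"), esp("esp-aes", "esp-sha-hmac")]},
}

if __name__ == "__main__":
    for name, client in CLIENTS.items():
        print(name, negotiate(parse_config(ASA_CONFIG), client))
```

Running it prints policy 10 and 3desmd5 for the XP profile and policy 65535 with aes128sha or aes256sha for the Vista/7 profiles, matching what Jeff observed. Deleting the pre-shared-key line from the excerpt makes select_tunnel_group() return DefaultL2LGroup, the symptom in the question; deleting one of the "mode transport" lines makes that transform set unusable for L2TP, which is why those lines in Jeff's configuration matter.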
