Windows 7 vpn client (windows version)

ncarlson42
Level 1

I have an ASA5505 that I have configured properly to work with Windows XP's built-in VPN client. I try to get Windows 7 up and running and I continually get an error 789 on the client itself. I also get the following on the ASA:

3 May 07 2010 01:04:53 713119 Group = DefaultRAGroup, IP = , PHASE 1 COMPLETED
5 May 07 2010 01:04:53 713904 Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable!
3 May 07 2010 01:04:53 713902 Group = DefaultRAGroup, IP = , QM FSM error (P2 struct &0x429a740, mess id 0x1)!
3 May 07 2010 01:04:53 713902 Group = DefaultRAGroup, IP = , Removing peer from correlator table failed, no match!
4 May 07 2010 01:04:53 113019 Group = DefaultRAGroup, Username = , IP =, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

I was getting the same issue with the XP client until I removed the PFS on the IPsec rule. I cannot seem to figure this one out...


Thank you very much in advance for everyone's help.
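The ASA messages pasted above carry the whole story of the failure: 713119 says IKE phase 1 completed, 713904 says none of the client's IPsec SA proposals matched a transform set on the ASA, and 113019 closes the session with "Phase 2 Mismatch". The following is an added example, not code from the thread or from Cisco; it splits lines pasted from the log viewer (where severity, date, time and message ID run together) back into fields and classifies the negotiation from the message IDs. The sample log is constructed from the five lines in the question, and the verdict labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the five syslog lines from the question, in the form the
# log viewer pastes them (severity, date, time, syslog ID and message text run
# together with no separators).
SAMPLE_LOG = """\
3May 07 201001:04:53713119Group = DefaultRAGroup, IP = , PHASE 1 COMPLETED
5May 07 201001:04:53713904Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable!
3May 07 201001:04:53713902Group = DefaultRAGroup, IP = , QM FSM error (P2 struct &0x429a740, mess id 0x1)!
3May 07 201001:04:53713902Group = DefaultRAGroup, IP = , Removing peer from correlator table failed, no match!
4May 07 201001:04:53113019Group = DefaultRAGroup, Username = , IP =, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
"""

# Fields may or may not be separated by whitespace, hence \s* between them.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s*"
    r"(?P<date>[A-Z][a-z]{2} \d{2} \d{4})\s*"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s*"
    r"(?P<msgid>\d{6})\s*"
    r"(?P<text>.*)$"
)

# Syslog severity levels as numbered in ASA message IDs (%ASA-<sev>-<id>).
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# Message IDs seen in the thread.
PHASE1_COMPLETED = 713119
PROPOSALS_REJECTED = 713904
QM_FSM_ERROR = 713902
SESSION_DISCONNECTED = 113019


@dataclass
class AsaEvent:
    severity: int
    date: str
    time: str
    msgid: int
    text: str


def parse_line(line: str) -> Optional[AsaEvent]:
    """Split one pasted line into its fields; None if it is not an ASA syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AsaEvent(int(m["sev"]), m["date"], m["time"], int(m["msgid"]), m["text"])


def parse_log(text: str) -> List[AsaEvent]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def disconnect_reason(events: List[AsaEvent]) -> Optional[str]:
    """Pull the 'Reason: ...' tail out of the 113019 session-disconnect message."""
    for ev in events:
        if ev.msgid == SESSION_DISCONNECTED and "Reason: " in ev.text:
            return ev.text.rsplit("Reason: ", 1)[1].strip()
    return None


def diagnose(events: List[AsaEvent]) -> Dict[str, object]:
    """Classify an IKE negotiation from its message IDs.

    Phase 1 completed followed by 713904 means the peers agreed on IKE but not
    on an IPsec SA: nothing the client proposed (cipher, hash, mode, PFS)
    matched a transform set bound to the ASA's crypto map.
    """
    ids = {ev.msgid for ev in events}
    phase1 = PHASE1_COMPLETED in ids
    rejected = PROPOSALS_REJECTED in ids
    reason = disconnect_reason(events)
    if phase1 and (rejected or reason == "Phase 2 Mismatch"):
        verdict = "phase2_mismatch"
    elif not phase1:
        verdict = "phase1_incomplete"
    else:
        verdict = "other"
    return {"phase1_completed": phase1, "proposals_rejected": rejected,
            "disconnect_reason": reason, "verdict": verdict}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(f"{SEVERITY[ev.severity]:<14} {ev.msgid} {ev.text}")
    print(diagnose(evs))
```

Because the regex tolerates whitespace between fields, it accepts both the run-together form and lines where the columns are already separated. A "phase2_mismatch" verdict points at the transform set, mode or PFS setting rather than at pre-shared keys or IKE policy, which is where the reply below directs attention.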

1 Reply

mopaul
Cisco Employee

Hi Nick,

In the debugs, I see the message "Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable!"

Try using a transport mode transform set for this purpose. Use 3des-sha; if it does not bring any luck, then change the encryption from 3des to aes-128 and try again.

---8<--------------------------------------------------------------------------
crypto ipsec transform-set l2tpsha esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpsha mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set l2tpsha
---8<--------------------------------------------------------------------------


Other parameters to look into:

1. Windows Vista L2TP/IPsec introduced some architectural changes that prohibited more than one simultaneous user from being connected to a head-end PIX/ASA. This behavior does not occur on Windows 2K/XP.

For more details, please refer to http://support.microsoft.com/kb/942429

Vista PC Not Able to Connect
If the Windows Vista computer is not able to connect to the L2TP server, then verify that you have configured ONLY mschap-v2 under the ppp-attributes on the DefaultRAGroup.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#vist


tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2

NOTE: As per my knowledge, I have an understanding that Windows Vista and Windows 7 have almost the same built-in architecture.

2. Are you establishing VPN behind a NAT/PAT device?
If yes, then

---8<----------------------------------------------------------------
    crypto isakmp nat-traversal  3600
---8<----------------------------------------------------------------

3. What code are you running on the ASA?

4. Make sure that the "IKE and AuthIP IPsec Keying Modules" and "IPsec Policy Agent" services are started.

5. While attempting the L2TP/IPsec VPN connection, please gather simultaneous debugs for "debug l2tp event 1", "debug cry isa 127" and "debug cry ipse 127".

- For L2TP, define new users like this:

   ---8<----------------------------------------------------------------
   username <name> password <password> mschap
   ---8<----------------------------------------------------------------

6. If possible, post the new VPN configuration after modifying the old one as suggested above.

HTH...

Regards,
Mohit

Mohit Paul CCIE-Security 35496 P.S. Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries
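The reply's checklist (a transport-mode transform set using 3des or aes-128 with sha bound to the dynamic map, no PFS as the question found, nat-traversal when the client sits behind NAT/PAT, and only ms-chap-v2 under ppp-attributes) can be turned into a configuration check that runs over the ASA lines before the client is tried again. The following is an added example, not code from the thread or from Cisco. It parses only the command forms shown in this thread plus the dynamic-map `set pfs` line, treats `esp-aes` as the ASA keyword for AES-128, and the "weak" and "fixed" configurations it checks are constructed for the demonstration; the client expectations it encodes are taken from the thread's advice, not from a full model of the Windows client.

```python
import re
from typing import Dict, List, Set

# Constructed 'before' config: tunnel-mode transform set, PFS enabled on the
# dynamic map (what the question found breaking the XP client), no NAT-T,
# and CHAP still allowed under ppp-attributes.
WEAK_CONFIG = """\
crypto ipsec transform-set l2tpsha esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set l2tpsha
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
tunnel-group DefaultRAGroup ppp-attributes
 authentication chap
 authentication ms-chap-v2
"""

# Constructed 'after' config following the reply's suggestions.
FIXED_CONFIG = """\
crypto ipsec transform-set l2tpsha esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpsha mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set l2tpsha
crypto isakmp nat-traversal 3600
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

# What the thread says the Windows built-in client will accept
# (esp-aes is the ASA keyword for AES-128).
CLIENT_CIPHERS = {"esp-3des", "esp-aes"}
CLIENT_HASHES = {"esp-sha-hmac"}


def parse_asa(config: str) -> Dict[str, object]:
    """Minimal parser for the ASA lines relevant to L2TP/IPsec (assumed subset)."""
    ts: Dict[str, dict] = {}        # transform-set name -> {"algs": set, "mode": str}
    dyn_ts: List[str] = []          # transform sets bound to the dynamic map
    pfs = natt = False
    ppp_auth: Set[str] = set()      # authentication methods enabled under ppp-attributes
    in_ppp = False
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        s = raw.strip()
        if not indented:
            in_ppp = False          # leaving the ppp-attributes sub-mode
        m = re.match(r"crypto ipsec transform-set (\S+) mode (\S+)$", s)
        if m:
            ts.setdefault(m[1], {"algs": set(), "mode": "tunnel"})["mode"] = m[2]
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", s)
        if m:
            ts.setdefault(m[1], {"algs": set(), "mode": "tunnel"})["algs"].update(m[2].split())
            continue
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", s)
        if m:
            dyn_ts.extend(m[1].split())
            continue
        if re.match(r"crypto dynamic-map \S+ \d+ set pfs", s):
            pfs = True
            continue
        if s.startswith("crypto isakmp nat-traversal"):
            natt = True
            continue
        if re.match(r"tunnel-group \S+ ppp-attributes$", s):
            in_ppp = True
            continue
        if in_ppp and indented:
            m = re.match(r"(no )?authentication (\S+)$", s)
            if m and m[1]:
                ppp_auth.discard(m[2])
            elif m:
                ppp_auth.add(m[2])
    return {"ts": ts, "dyn_ts": dyn_ts, "pfs": pfs, "natt": natt, "ppp_auth": ppp_auth}


def check_l2tp_config(config: str, behind_nat: bool = False) -> List[str]:
    """Return the mismatches the thread's checklist would flag; an empty list means none."""
    c = parse_asa(config)
    ts = c["ts"]
    findings: List[str] = []
    usable = [n for n in c["dyn_ts"] if n in ts
              and ts[n]["mode"] == "transport"
              and ts[n]["algs"] & CLIENT_CIPHERS
              and ts[n]["algs"] & CLIENT_HASHES]
    if not usable:
        findings.append("dynamic map has no transport-mode transform set using 3des/aes-128 with sha "
                        "(expect 713904 'All IPSec SA proposals found unacceptable')")
    if c["pfs"]:
        findings.append("pfs is set on the dynamic map; the question reports phase 2 failing until PFS was removed")
    if behind_nat and not c["natt"]:
        findings.append("client is behind NAT/PAT but 'crypto isakmp nat-traversal' is not configured")
    if c["ppp_auth"] != {"ms-chap-v2"}:
        findings.append(f"ppp-attributes must allow only ms-chap-v2, found {sorted(c['ppp_auth']) or 'none'}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_l2tp_config(cfg, behind_nat=True) or ["ok"])
```

The parser is deliberately narrow: it only understands the handful of command forms the thread shows, so anything outside that set is ignored rather than misread. The point of the check is the ordering of findings, which mirrors how the ASA reports the failure: a transform set that is still in tunnel mode or still has PFS applied produces the 713904 rejection before any PPP authentication setting is ever consulted.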