Windows 7 vpn client (windows version)

Unanswered Question
May 6th, 2010

I have an ASA5505 that I have configured properly to work with Windows XP's built in vpn client. I try to get Windows 7 up and running and I continually get an error 789 on the client itself. I also get the following on the ASA:

3May 07 201001:04:53713119Group = DefaultRAGroup, IP = , PHASE 1 COMPLETED

5May 07 201001:04:53713904Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable!
3May 07 201001:04:53713902Group = DefaultRAGroup, IP = , QM FSM error (P2 struct &0x429a740, mess id 0x1)!

3May 07 201001:04:53713902Group = DefaultRAGroup, IP = , Removing peer from correlator table failed, no match!

4May 07 201001:04:53113019Group = DefaultRAGroup, Username = , IP =, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

I was getting the same issue when with the xp client until I removed the PFS on the IPSec rule. I cannot seem to figure this one out...

Thank you very much in advance for everyone's help.

I have this problem too.
1 vote
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mopaul Sat, 05/08/2010 - 19:16

Hi Nick,

In the debugs, i see the message "Group = DefaultRAGroup, IP = , All IPSec SA proposals found unacceptable!"

Try using a transport mode transform set for this purpose. Use 3des-sha, if it does not bring in any luck then change the encryption from 3des to aes-128 and try again

crypto ipsec transform-set l2tpsha esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpsha mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set l2tpsha

Other parameters to look into:-

1. Windows Vista L2TP/IPsec introduced some architectural changes that prohibited more than one simultaneous user from being connected to a head-end PIX/ASA. This behavior does not occur on Windows 2K/XP.

For mor details, please refer

Vista PC Not Able to Connect
If the Windows Vista computer is not able to connect the L2TP server, then verify that you have configured ONLY mschap-v2 under the ppp-attributes on
the DefaultRAGroup.

tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2

NOTE: As per my knowledge i have any understanding that Windows Vista and Windows 7 got almost same built-in architecture.

2. Are you establishing VPN behind a NAT/PAT device?
If yes, then

    crypto isakmp nat-traversal  3600

3. What code are you running on ASA ?

4. Make sure that "IKE and AuthIP IPsec Keying Modules" and "Ipsec Policy Agent' services are started.

5 While attempting l2tp/ipsec VPN connection, please do gather silmultaneous debugs for "debug l2tp event 1" , debug cry isa 127 and debug cry ipse 127

- For L2TP define new users like this:

   username password mschap

6. If possible, post the new VPN configuration after modifying the old one as suggested above.




This Discussion