ASA 5510 with Windows XP and Win7 VPN clients

Unanswered Question
May 11th, 2010

We have a working configuration for an L2TP/IPsec connection from a native Windows XP client to the ASA 5510. When trying to set up a connection from a Windows 7 client, the connection fails with the message that all SA proposals are unacceptable.

Is this coexistence possible, and what parameters would I have to change to get this working? I have understood that the Windows 7 client requires some higher security proposals, but have not found what these are. And at the same time we are concerned about not destroying the VPN connection for our existing XP clients.

Any help would be appreciated.

Thanks in advance

Jennifer Halim Tue, 05/11/2010 - 03:22

Can you please share what is currently configured?

The following show output would be great:

show run crypto map

show run crypto ipsec

mopaul Tue, 05/11/2010 - 07:09

It's true, Windows 7 requires higher encryption; you might be seeing error 789 on the Windows client. Please share the following outputs:

sho run cry dyn

sh run | in trans

Regards,
Mohit

steinbasma Tue, 05/11/2010 - 23:19

Here is the output of the show commands (output indented):

show run crypto ipsec
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000


show run crypto
  crypto map DMZ_map 20 ipsec-isakmp dynamic DMZ_dyn_map
  crypto map DMZ_map interface DMZ


show run cry dyn
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime seconds 28800
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime kilobytes 4608000
  crypto dynamic-map DMZ_dyn_map 20 set reverse-route


sh run | in trans
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA

steinbasma Tue, 05/18/2010 - 00:09

Haven't gotten any replies on this. Does anyone have any suggestions? Please!

Herbert Baerten Wed, 05/19/2010 - 03:50

Looks like the IPsec (phase 2) transform sets are OK (including 3DES+SHA); but is it phase 2 that is failing, or rather phase 1?

Do you have an ISAKMP policy that includes 3DES and SHA?

fgasimzade Tue, 02/08/2011 - 10:35

Good evening, gents!

Got the same problem: XP connects fine, but 7 fails. Any suggestions?

fgasimzade Tue, 02/08/2011 - 23:22

I found another solution: for Win 7 clients, the transform-set on the ASA must include hmac, not md5, since Win 7 does not support md5 anymore.
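
The two points raised above, whether the phase 2 transform sets already cover a 3DES or AES proposal with SHA (Herbert Baerten's post) and whether an MD5-based proposal is what does or does not match (fgasimzade's last post), can be checked mechanically against the "sh run | in trans" output steinbasma posted. The script below is an added example and is not part of the thread, nor a Cisco tool: it parses the pasted transform-set and dynamic-map lines, then walks the dynamic map's ordered list the way the ASA does when it compares a client's phase 2 proposal (cipher, integrity, tunnel/transport mode) against the configured sets. The entries in CLIENT_PROPOSALS are constructed for illustration and are not taken from a capture of either Windows client; the point is to see which of the posted sets each proposal would land on, and which sets are defined but never offered.

```python
# Added example: match client phase-2 proposals against the transform sets the
# posted ASA config actually offers. Not code from the thread or from Cisco.
from dataclasses import dataclass

# The 'sh run | in trans' output pasted in the thread, reused as input.
ASA_OUTPUT = """\
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
"""

# ASA transform keywords -> the algorithm a client names in its proposal.
CIPHERS = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128",
           "esp-aes-192": "aes-192", "esp-aes-256": "aes-256", "esp-null": "null"}
INTEGRITY = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-none": "none"}


@dataclass
class TransformSet:
    name: str
    cipher: str
    integrity: str
    mode: str = "tunnel"  # ASA default unless a 'mode transport' line follows


def parse_transform_config(text):
    """Return (sets, order): name -> TransformSet, and
    (dynamic-map name, sequence) -> set names in the order the ASA tries them."""
    sets, order = {}, {}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            name = tok[3]
            if tok[4] == "mode":
                # In running-config output the 'mode' line follows the defining line.
                sets[name].mode = tok[5]
                continue
            cipher, integrity = "null", "none"
            for t in tok[4:]:
                if t in CIPHERS:
                    cipher = CIPHERS[t]
                elif t in INTEGRITY:
                    integrity = INTEGRITY[t]
                else:
                    raise ValueError(f"unhandled transform keyword {t!r} in {name}")
            sets[name] = TransformSet(name, cipher, integrity)
        elif tok[:2] == ["crypto", "dynamic-map"] and tok[4:6] == ["set", "transform-set"]:
            order[(tok[2], int(tok[3]))] = tok[6:]
    return sets, order


def match_proposal(proposal, sets, order_names):
    """First transform set (in dynamic-map order) equal to the client's
    (cipher, integrity, mode) proposal, or None when nothing matches."""
    for name in order_names:
        ts = sets[name]
        if (ts.cipher, ts.integrity, ts.mode) == proposal:
            return name
    return None


def unreferenced_sets(sets, order):
    """Transform sets defined on the box but offered by no dynamic map."""
    referenced = {n for names in order.values() for n in names}
    return sorted(set(sets) - referenced)


# Constructed proposals (cipher, integrity, mode) for illustration only. L2TP/IPsec
# negotiates transport mode; the lists a given Windows build really sends are not
# quoted in the thread, so these are assumptions, not a vendor proposal list.
CLIENT_PROPOSALS = {
    "3DES / MD5 / transport": ("3des", "md5", "transport"),
    "3DES / SHA1 / transport": ("3des", "sha1", "transport"),
    "AES-256 / SHA1 / transport": ("aes-256", "sha1", "transport"),
    "AES-128 / MD5 / transport": ("aes-128", "md5", "transport"),
    "AES-256 / SHA1 / tunnel": ("aes-256", "sha1", "tunnel"),
}

if __name__ == "__main__":
    sets, order = parse_transform_config(ASA_OUTPUT)
    names = order[("DMZ_dyn_map", 20)]
    for label, prop in CLIENT_PROPOSALS.items():
        print(f"{label:28} -> {match_proposal(prop, sets, names) or 'NO MATCH'}")
    print("defined but never offered:", ", ".join(unreferenced_sets(sets, order)))
```

Run against the posted config, 3DES/MD5, 3DES/SHA1 and AES-256/SHA1 in transport mode each land on a TRANS_* set, while ESP-AES-128-MD5, ESP-AES-256-MD5 and both DES sets are defined but never offered because DMZ_dyn_map does not reference them. If a Windows 7 client still reports that all SA proposals are unacceptable with this phase 2 list in place, that points back to Herbert's question about phase 1 (the ISAKMP policy), which none of the posted output shows.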
