ASA 5510 with Windows XP and Win7 VPN clients

steinbasma
Level 1

We have a working configuration for L2TP-IPSec connection from a native Windows XP client to the ASA 5510. When trying to set up a connection from a Windows 7 client, the connection fails with the message that all SA proposals are unacceptable.

Is this coexistence possible, and what parameters would I have to change to get this working? I have understood that the Windows 7 client requires some higher security proposals, but have not found what these are. And at the same time we are concerned about not destroying the VPN connection for our existing XP clients.

Any help would be appreciated.

Thanx in advance

8 Replies

Jennifer Halim
Cisco Employee

Can you please share what is currently configured?

The following show output would be great:

show run crypto map

show run crypto ipsec

It's true, Windows 7 requires higher encryption; you might be seeing error 789 on the Windows client. Please share the following outputs:

sho run cry dyn

sh run | in trans

Regards,
Mohit

Mohit Paul CCIE-Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.

Here is the output of the show commands (output indented):

show run crypto ipsec
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000


show run crypto
  crypto map DMZ_map 20 ipsec-isakmp dynamic DMZ_dyn_map
  crypto map DMZ_map interface DMZ


show run cry dyn
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime seconds 28800
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime kilobytes 4608000
  crypto dynamic-map DMZ_dyn_map 20 set reverse-route


sh run | in trans
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA

Haven't gotten any replies on this. Anyone have any suggestions? Pleeease!

Looks like the IPsec (phase 2) transform sets are OK (including 3DES+SHA); but is it phase 2 that is failing, or rather phase 1?

Do you have an isakmp policy that includes 3des and SHA?

fgasimzade
Level 4

Good evening, gents!

Got the same problem, XP connect fine, but 7 fails. Any suggestions?

I had similar issues and I installed this fix:

http://support.microsoft.com/kb/980399/en-us

Seemed to work; don't forget to reboot after you install this. There are also issues with an L2TP connection "hanging" and not allowing a reconnect for a while.

I found another solution: for Win 7 clients, the transform-set on the ASA must include hmac, not md5, since Win 7 does not support md5 anymore.
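As an added example (not code from the thread, from Cisco, or from any of the posters), here is a small Python checker that reads the transform-set and dynamic-map lines posted earlier in this thread and applies the two constraints the replies converge on: L2TP/IPsec needs a transport-mode transform set, and the Windows 7 client needs esp-sha-hmac rather than esp-md5-hmac integrity. It also parses "show run crypto isakmp" output so the phase 1 question above (is there an isakmp policy with 3des and sha?) can be answered the same way. The thread never posted its isakmp policies, so the ISAKMP_SAMPLE text is constructed; all function names are my own.

```python
import re

# Transform-set and dynamic-map lines exactly as posted in the thread above.
ASA_OUTPUT = """\
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
"""

# Constructed sample: the thread never showed its isakmp (phase 1) policies,
# so this block exists only to illustrate the phase 1 check.
ISAKMP_SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

TS_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+) (esp-\S+) (esp-\S+-hmac)\s*$")
MODE_RE = re.compile(r"^\s*crypto ipsec transform-set (\S+) mode (transport|tunnel)\s*$")
DYN_RE = re.compile(r"^\s*crypto dynamic-map (\S+) (\d+) set transform-set (.+?)\s*$")
POLICY_RE = re.compile(r"^\s*crypto isakmp policy (\d+)\s*$")
ATTR_RE = re.compile(r"^\s+(\S+) (\S+)\s*$")


def parse_transform_sets(text):
    """Map transform-set name -> cipher, integrity and mode (ASA default is tunnel)."""
    sets = {}
    blank = lambda: {"cipher": None, "integrity": None, "mode": "tunnel"}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            name, cipher, integ = m.groups()
            entry = sets.setdefault(name, blank())
            entry["cipher"], entry["integrity"] = cipher, integ
            continue
        m = MODE_RE.match(line)
        if m:  # the "mode transport" line is a separate line in ASA output
            name, mode = m.groups()
            sets.setdefault(name, blank())["mode"] = mode
    return sets


def parse_dynamic_map_proposals(text):
    """Map (dynamic-map name, sequence) -> transform-set names in proposal order."""
    proposals = {}
    for line in text.splitlines():
        m = DYN_RE.match(line)
        if m:
            proposals[(m.group(1), int(m.group(2)))] = m.group(3).split()
    return proposals


def l2tp_candidates(text):
    """Transform sets the dynamic map offers that are transport mode AND use SHA,
    i.e. the ones a Windows 7 L2TP/IPsec client can actually agree on per the thread."""
    sets = parse_transform_sets(text)
    return [name for names in parse_dynamic_map_proposals(text).values() for name in names
            if name in sets and sets[name]["mode"] == "transport"
            and sets[name]["integrity"] == "esp-sha-hmac"]


def md5_sets_in_map(text):
    """Transform sets in the dynamic map that only offer MD5 integrity (unusable for Win 7)."""
    sets = parse_transform_sets(text)
    return [name for names in parse_dynamic_map_proposals(text).values() for name in names
            if sets.get(name, {}).get("integrity") == "esp-md5-hmac"]


def parse_isakmp_policies(text):
    """Map policy sequence number -> {attribute: value} from 'show run crypto isakmp'."""
    policies, current = {}, None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies


def phase1_policies_with(text, encryption, hash_):
    """Sequence numbers of isakmp policies offering the given encryption and hash."""
    return sorted(seq for seq, p in parse_isakmp_policies(text).items()
                  if p.get("encryption") == encryption and p.get("hash") == hash_)


if __name__ == "__main__":
    print("transport-mode SHA sets offered:", l2tp_candidates(ASA_OUTPUT))
    print("MD5-only sets in the map:", md5_sets_in_map(ASA_OUTPUT))
    print("phase 1 policies with 3des/sha:", phase1_policies_with(ISAKMP_SAMPLE, "3des", "sha"))
```

Run against the posted output, the checker reports that the dynamic map already carries three transport-mode SHA sets (TRANS_ESP_3DES_SHA, TRANS_ESP_AES-128_SHA, TRANS_ESP_AES-256-SHA), which is why the reply above concluded phase 2 looked fine and turned attention to the isakmp policy; paste the real "show run crypto isakmp" output in place of the constructed sample to complete that second check.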
