Cisco Support Community
New Member

ASA 5510 with Windows XP and Win7 VPN clients

We have a working configuration for an L2TP/IPsec connection from a native Windows XP client to the ASA 5510. When trying to set up a connection from a Windows 7 client, the connection fails with the message that all SA proposals are unacceptable.

Is this coexistence possible, and what parameters would I have to change to get this working? I have understood that the Windows 7 client requires some higher security proposals, but have not found what these are. And at the same time we are concerned about not destroying the VPN connection for our existing XP clients.

Any help would be appreciated.

Thanks in advance

  • VPN
8 REPLIES
Cisco Employee

Re: ASA 5510 with Windows XP and Win7 VPN clients

Can you please share what is currently configured?

The following show output would be great:

show run crypto map

show run crypto ipsec

Bronze

Re: ASA 5510 with Windows XP and Win7 VPN clients

It's true, Windows 7 requires higher encryption; you might be seeing error 789 on the Windows client. Please share the following outputs:

sho run cry dyn

sh run | in trans

Regards,
Mohit

Mohit Paul CCIE-Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
New Member

Re: ASA 5510 with Windows XP and Win7 VPN clients

Here is the output of the show commands (output indented):

show run crypto ipsec
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000


show run crypto
  crypto map DMZ_map 20 ipsec-isakmp dynamic DMZ_dyn_map
  crypto map DMZ_map interface DMZ


show run cry dyn
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime seconds 28800
  crypto dynamic-map DMZ_dyn_map 20 set security-association lifetime kilobytes 4608000
  crypto dynamic-map DMZ_dyn_map 20 set reverse-route


sh run | in trans
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA

New Member

Re: ASA 5510 with Windows XP and Win7 VPN clients

Haven't gotten any replies on this. Anyone have any suggestions? Please!

Cisco Employee

Re: ASA 5510 with Windows XP and Win7 VPN clients

Looks like the IPsec (phase 2) transform sets are OK (including 3DES+SHA); but is it phase 2 that is failing, or rather phase 1?

Do you have an isakmp policy that includes 3DES and SHA?

New Member

Re: ASA 5510 with Windows XP and Win7 VPN clients

Good evening, gents!

Got the same problem: XP connects fine, but 7 fails. Any suggestions?

New Member

Re: ASA 5510 with Windows XP and Win7 VPN clients

I had similar issues and I installed this fix:

http://support.microsoft.com/kb/980399/en-us

Seemed to work; don't forget to reboot after you install this. There are also issues with an L2TP connection "hanging" and not allowing a reconnect for a while.

New Member

Re: ASA 5510 with Windows XP and Win7 VPN clients

I found another solution: for Win 7 clients, the transform-set on the ASA must include hmac, not md5, since Win 7 does not support md5 anymore.
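The two checks raised in this thread (a transport-mode transform set with SHA rather than MD5 for phase 2, and an isakmp policy with 3DES/AES and SHA for phase 1) can be run mechanically against `show run` output. The script below is an added example, not code from the thread or from Cisco. The transform-set and dynamic-map lines in its sample input are copied from the output posted above; the `crypto isakmp policy` block is constructed, because no ISAKMP policy output appears on the page. The criteria it applies are assumptions drawn from the replies: L2TP runs over IPsec transport mode, so only `mode transport` sets count; the integrity transform must be `esp-sha-hmac`; and `esp-des` is excluded on the strength of the "higher encryption" remark.

```python
"""Flag which ASA transform sets / isakmp policies a Windows 7 L2TP/IPsec
client could accept, per the criteria discussed in the thread.

Added example; not code from the thread or from Cisco.
"""
import re
from typing import Dict, List

# Sample input, constructed for this example.  The transform-set and
# dynamic-map lines are the ones posted above (only the sets the dynamic
# map references); the isakmp policy block is an assumption, since the
# original poster never showed one.
SAMPLE_RUN = """
crypto ipsec transform-set TRANS_ESP_AES-128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-128_SHA mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES-256-SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map DMZ_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5 ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA TRANS_ESP_AES-128_SHA ESP-AES-128-SHA TRANS_ESP_AES-256-SHA ESP-AES-256-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# A phase 1 policy of the kind the Cisco employee asked about (constructed).
FIX_POLICY = """
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")
POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")  # ikev1 = 8.4+ syntax

PHASE2_ENC = {"esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}  # assumption: no DES
PHASE1_ENC = {"3des", "aes", "aes-192", "aes-256"}


def parse_transform_sets(cfg: str) -> Dict[str, dict]:
    """{name: {"enc", "auth", "mode"}}; a set without a 'mode' line is tunnel mode."""
    sets: Dict[str, dict] = {}
    for raw in cfg.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        ts = sets.setdefault(name, {"enc": None, "auth": None, "mode": "tunnel"})
        if rest[0] == "mode":
            ts["mode"] = rest[1]
            continue
        for tok in rest:
            if tok.endswith("-hmac"):
                ts["auth"] = tok
            elif tok.startswith("esp-"):
                ts["enc"] = tok
    return sets


def dynamic_map_transform_sets(cfg: str) -> List[str]:
    """Transform-set names referenced by dynamic maps, in proposal order."""
    names: List[str] = []
    for raw in cfg.splitlines():
        m = DYN_RE.match(raw.strip())
        if m:
            names.extend(m.group(3).split())
    return names


def parse_isakmp_policies(cfg: str) -> Dict[int, dict]:
    """{priority: {attribute: value}} from indented lines under each policy header."""
    policies: Dict[int, dict] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and raw[:1].isspace() and line:
            key, _, value = line.partition(" ")
            current[key] = value
        elif line:                      # any other top-level command ends the block
            current = None
    return policies


def win7_phase2_candidates(cfg: str) -> List[str]:
    """Sets offered by a dynamic map that are transport mode, SHA, and not DES."""
    sets = parse_transform_sets(cfg)
    return [n for n in dynamic_map_transform_sets(cfg)
            if n in sets and sets[n]["mode"] == "transport"
            and sets[n]["auth"] == "esp-sha-hmac" and sets[n]["enc"] in PHASE2_ENC]


def win7_phase1_candidates(cfg: str) -> List[int]:
    """Policies with hash sha and 3DES/AES encryption."""
    return sorted(p for p, a in parse_isakmp_policies(cfg).items()
                  if a.get("hash") == "sha" and a.get("encryption") in PHASE1_ENC)


def diagnose(cfg: str) -> dict:
    p2, p1 = win7_phase2_candidates(cfg), win7_phase1_candidates(cfg)
    return {"phase2_sets": p2, "phase1_policies": p1,
            "likely_failing_phase": "none" if p1 and p2 else ("1" if p2 else "2")}


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_RUN), ("with SHA policy", SAMPLE_RUN + FIX_POLICY)):
        print(label, diagnose(cfg))
```

Run against the posted output, the script reports that phase 2 already has acceptable proposals (the three `TRANS_*_SHA` sets) and that, if the only isakmp policy uses `hash md5`, phase 1 is the likely failure; appending a `hash sha` policy clears it. Feed it your own `show run crypto` output to get the same verdict for a real box. Note that `crypto isakmp policy` is the syntax of the ASA releases current at the time of the thread; ASA 8.4 and later print `crypto ikev1 policy`, which the parser also accepts.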
