
ASA 5520 7.2 vs. win7 L2TP over IPSec

lubosbella
Level 1

Hi,

I set up a remote access VPN connection from Windows Server 2003 against an ASA 5520 using a pre-shared key. I used the L2TP over IPSec method. This works fine when I use MD5 authentication, but as I found, Windows 2003 is not working with SHA authentication.

But when I use a Microsoft Windows 7 client to connect to the ASA, it is not working against MD5. In the ASA logs is the statement "All SA proposals found unacceptable". I found that it is a problem with authentication, but changing to SHA is not working either.

Does someone have an idea how to configure the ASA and a Microsoft Windows 7 client together?

Win7 client was configured like this:

data encryption-->Require encryption

Allow these protocols-->Microsoft CHAP version 2

I attached my config with SHA.

Many Thanks.

Lubo.

2 Replies

Jennifer Halim
Cisco Employee

Try to configure more than 1 isakmp policy as follows:

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400

crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

If it still doesn't work, please kindly run "debug cry isa" and "debug cry ipsec" and gather the output to see where it's failing. Thanks.
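
Added example (not part of the thread and not Cisco's code): a Python model of how the ASA selects an ISAKMP policy, checking its own policies in priority order (lowest number first) against everything the peer offers. The peer proposals are constructed for illustration, lifetime comparison is left out, and the match covers IKE phase 1 only, not the IPSec (phase 2) transform sets.

```python
import re

# The three policies from the reply above, in ASA syntax.
ASA_CONFIG = """
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""
FIELDS = ("authentication", "encryption", "hash", "group")  # lifetime not compared here

def parse_policies(text):
    """Return {priority: {keyword: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line:
            keyword, _, value = line.partition(" ")
            current[keyword] = value
    return policies

def first_match(policies, proposals):
    """Lowest-numbered local policy that equals some peer proposal on FIELDS."""
    for priority in sorted(policies):
        if any(all(policies[priority].get(f) == p.get(f) for f in FIELDS) for p in proposals):
            return priority
    return None

def proposal(encryption, hash_, group):
    """Constructed peer proposal (pre-shared key); not captured from a real client."""
    return dict(authentication="pre-share", encryption=encryption, hash=hash_, group=group)

POLICIES = parse_policies(ASA_CONFIG)
```

For instance, first_match(POLICIES, [proposal("3des", "md5", "2"), proposal("3des", "sha", "2")]) selects policy 30 rather than 40, because the lower policy number is tried first.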

Hi,

I added the new policies to the configuration, but the connection is unsuccessful again. In the attachment is the output from the debug command. The output from the Win7 client is in the attachment too.

I think the most important line is "All IPSec SA proposals found unacceptable!".

Thanks,

Lubos.