(closed) Fail: Windows 7 L2TP/IPSec client and VPN 3000 series concentrator
I have an old Cisco 3005 for clients accessing a small office network which has worked fine for a long time. Since it is a very basic system -- nothing fancy just the upper management needing access to some internal resources in a single subnet -- the decision was made to use native Windows VPN client with L2TP over IPSec. New laptops ship with Windows 7 and the users are happy, but.. some of the VPN users have gotten these and complain. The system used to (and still does) work just fine with Windows XP as client but Windows 7 just does not work.
3005 is running 4.7 software. SA settings: IKE-3DES-SHA-DH2, PSK, no PFS, Main mode, Transport. Nothing special IMHO.
Looking at the log from 3005, there is pretty much nothing interesting, seems that the phase 2 is completed but after that "something" happens and Windows 7 decides to terminate the connection instead of starting L2TP:
Tunnel to peer 192.0.2.1 closed, reason: L2TP peer terminated connection
Googling for the error in message #529 produces exactly one result, where numerous people complain about this, starting with Windows Vista SP1. The solutions proposed seem to be for a different problem: I do not get "device not found" error on the client Windows 7.
"For Windows XP clients, we see the following AVP's (Attribute Value pair):
'Control Message', 'Assigned Session', 'Call Serial Number' and 'Bearer Type'.
For the Windows Vista SP1 client, there was an extra AVP tagged onto the end. This is a 'Vendor-Specific' AVP of 'Type 1', specifying a 'Vendor ID' of 311 (0x0137), meaning 'Microsoft'.
So what is this extra Microsoft AVP? A quick google finds a
Cisco document, implying it may be a related to RADIUS. It talks about Vendor-Specific Attributes (VSAs). Table 36 lists Vendor-Specific RADIUS IETF Attributes with Vendor company code 311 and Sub-type 1 which is a "MSCHAP-Response" attribute.
Ok, so it seems the version of l2tpd we are using does not like the presence of this extra AVP, and mistakes it for a 'Result Code' AVP, which should only be present in CDN and StopCCN messages.
Looking at the top of page 50 of the RFC, for an ICRQ, it lists the AVPs that MUST be present, and the AVPs that MAY be present. This would seem to indicate that a vendor specific AVP is NOT valid at this stage."
So to put it short, starting with Vista SP1 Microsoft has decided to add an AVP to Incoming-Call-Request (ICRQ) message which is not specified as permitted by the L2TP RFC. The 3005 then detects this as error condition and boots the connection.
4.7.2 software release notes state that this will never work:
"Due to architectural changes in Windows Vista L2TP/IPsec support, compatibility is not available for VPN 3000 Series Concentrators. The Embedded L2TP/IPSec VPN Client for Windows Vista does not establish a connection to the VPN 3000 Concentrator. Customers must upgrade to the Cisco ASA 5500 Security Appliance to use this function (CSCsm16075)."
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...