
I'm trying to stand up a new ASA5505 on our network (previously we used IPCop), and I'm having a bit of an issue getting the VPN to work. I ran through the IPSec VPN wizard in ASDM (6.3) on the ASA (8.3) and I selected the second option, L2TP over IPSec. After enabling both L2TP/IPSec and IPSec in the profile, I'm able to connect with the following clients:

  • OSX built-in VPN client
  • OSX Cisco VPN client
  • iPhone
  • iPad

I'm trying to get our Windows clients to connect, but using the Cisco VPN client is unfortunately not an option for us: most of us run Windows 7 64-bit, and the ASA came with version 5.0.06 of the VPN client, while 64-bit support was only introduced in 5.0.07.

I'm attempting to use the built-in L2TP/IPSec client in Windows 7 to connect to the VPN, but here's the chain of events that I see in the monitor (set to Debugging level) when I connect:

Built inbound UDP connection 66792 for outside:x.x.x.x/27917 (x.x.x.x/27917) to identity:IP4/4500 (IP4/4500)
Group = DefaultRAGroup, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
AAA retrieved default group policy (vpn) for user = DefaultRAGroup
Group = DefaultRAGroup, IP = x.x.x.x, PHASE 1 COMPLETED
IP = x.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = DefaultRAGroup, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xca3609e8, mess id 0x1)!
Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch
Group = DefaultRAGroup, Username = , IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

(IP Address replaced with x.x.x.x)

At this point, the Windows client just sits and sits and eventually times out.

Does anyone have any idea what I might need to change to get this working for both the clients that already work and Windows?

I'm not terribly experienced with Cisco equipment yet, so I apologize if there's any debugging or additional logging information that I should have included. Feel free to ask and I'll amend my question.

Adam Robinson
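A small triage script, added here as an example (it is not from the question or any of the answers), that walks the log sequence posted above and reports which IKEv1 milestones the peer reached. The point it makes explicit: PHASE 1 COMPLETED followed by "All IPSec SA proposals found unacceptable" means the pre-shared key and ISAKMP policy already match, so the fault is in the IPsec (ESP) proposal. The log text is the question's own lines, embedded as a constructed sample.

```python
import re

# Constructed sample: the ASA log lines from the question, IP masked as in the post.
SAMPLE_LOG = """\
Built inbound UDP connection 66792 for outside:x.x.x.x/27917 (x.x.x.x/27917) to identity:IP4/4500 (IP4/4500)
Group = DefaultRAGroup, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
AAA retrieved default group policy (vpn) for user = DefaultRAGroup
Group = DefaultRAGroup, IP = x.x.x.x, PHASE 1 COMPLETED
Group = DefaultRAGroup, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch
"""

# Milestones of an IKEv1 remote-access negotiation, in the order the ASA logs them:
# (regex, stage name, what reaching or failing at that stage tells you)
MILESTONES = [
    (r"to identity:IP4/4500", "udp4500", "NAT-T in use; UDP/4500 must be reachable"),
    (r"Remote end\s+IS\s+behind a NAT device", "nat_t_detected", "peer is NATed; keep NAT-T enabled"),
    (r"PHASE 1 COMPLETED", "phase1_ok", "ISAKMP policy and pre-shared key match"),
    (r"All IPSec SA proposals found unacceptable", "phase2_proposal_rejected",
     "no transform set matched: check ESP cipher/hash, 'mode transport' and dynamic-map ordering"),
    (r"Reason: Phase 2 Mismatch", "phase2_mismatch", "session torn down during quick mode"),
]


def triage(log: str) -> dict:
    """Record which milestones one peer reached and where the negotiation broke."""
    result = {"group": None, "peer": None, "stages": [], "hint": None}
    for line in log.splitlines():
        m = re.search(r"Group = ([^,]+), IP = ([^,]+)", line)
        if m:
            result["group"], result["peer"] = m.group(1), m.group(2)
        for pattern, stage, hint in MILESTONES:
            if re.search(pattern, line) and stage not in result["stages"]:
                result["stages"].append(stage)
                if stage.startswith("phase2") and result["hint"] is None:
                    result["hint"] = hint
    # Phase 1 done but the ESP proposal rejected: authentication is fine, the IPsec SA parameters are not.
    if "phase1_ok" in result["stages"] and "phase2_proposal_rejected" in result["stages"]:
        result["verdict"] = "phase2"
    elif "phase1_ok" in result["stages"]:
        result["verdict"] = "ok_through_phase1"
    else:
        result["verdict"] = "phase1"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```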

4 Answers

2

First of all double check your settings.

All IPSec SA proposals found unacceptable!

...

Session is being torn down. Reason: Phase 2 Mismatch

These most probably mean there is indeed a mismatch in the settings. Unfortunately I haven't used Windows's built-in client and I'm not aware of any compatibility issues.

Secondly, if you can't get the latest version of Cisco's VPN client, i.e. from your retailer, cisco.com etc., then I suggest you try this client: http://www.shrew.net/software. It's what we were using before Cisco fixed the 64-bit problem with its client.

AlexTsr
  • I'm sure you're right, but unfortunately I've been so far unsuccessful in locating the specifics on what the Windows client uses so that I can configure the firewall to accept them. – Adam Robinson Apr 08 '11 at 14:03
  • @Adam, have you tried the other client I linked? If you worry about the settings being correct, you can export the profile from a working Cisco VPN client (I see you have successfully connected from OS X) and import it to the one I linked above. It should be a .pcf file. – AlexTsr Apr 09 '11 at 07:49
  • Thanks, I was able to get it working with the ShrewSoft client. I'm not particularly happy about it (I'd rather either use the Cisco client, which I am unable to obtain since I don't have a SmartNet contract, or use the built-in Windows client), but it does work. – Adam Robinson Apr 09 '11 at 18:56
2

http://gregsowell.com/?p=805

Another quick note: If you have multiple dynamic crypto maps, then you need to make sure your L2TP crypto map has a higher priority than the others. You will often see "All IPSec SA proposals found unacceptable" because of this problem.

1

It could be that Windows is not using the same encryption.

Did you setup the VPN with 3DES-MD5 or 3DES-SHA?

Just make sure this is also what Windows is using.

Alex
  • I don't see a way to either view or configure the encryption profile that Windows uses; do you know of a way? Either way, my dynamic crypto map on the ASA contains every single profile that exists on the thing, including 3DES in both MD5 and SHA. – Adam Robinson Apr 08 '11 at 14:04
0

Try the following, it has helped me after hours of struggling...

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset mode transport
crypto dynamic-map mydynamapp 20 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
username cisco password cisco mschap
username cisco attributes
 vpn-tunnel-protocol l2tp-ipsec

Keep the rest of the config minimal; it should work.

rewan
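A configuration checker, added here as an example (not code from any of the answers), that applies the two points raised above to an ASA 8.3-style crypto section: a transform set in transport mode must exist and be referenced by a dynamic-map entry, and that entry must carry the lowest sequence number in its dynamic map (lower sequence number = evaluated first), or the Windows client's proposals can be rejected at Phase 2. The sample config, dynamic-map name and transform-set names are constructed for the demonstration and are not the asker's real configuration.

```python
import re
from collections import defaultdict

# Constructed snippet: the L2TP transport-mode set sits at seq 20 behind a
# tunnel-mode entry at seq 10, the misordering the second answer warns about.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TRANSPORT esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TRANSPORT mode transport
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set transform-set L2TP-TRANSPORT
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""


def check_l2tp_crypto(config: str) -> list:
    """Return findings about the L2TP/IPsec crypto setup; an empty list means it looks consistent."""
    transport_sets = set()                 # transform sets declared with 'mode transport'
    dyn_entries = defaultdict(dict)        # dynamic-map name -> {seq: [transform-set names]}
    bound_maps = set()                     # dynamic maps referenced from a crypto map
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport$", line.strip())
        if m:
            transport_sets.add(m.group(1))
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$", line.strip())
        if m:
            dyn_entries[m.group(1)][int(m.group(2))] = m.group(3).split()
            continue
        m = re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)$", line.strip())
        if m:
            bound_maps.add(m.group(1))

    findings = []
    referenced = {ts for entries in dyn_entries.values() for sets in entries.values() for ts in sets}
    if not transport_sets:
        findings.append("no transform set has 'mode transport'; the Windows L2TP/IPsec client needs one")
    elif not transport_sets & referenced:
        findings.append("the transport-mode transform set is not used by any dynamic-map entry")
    for name, entries in dyn_entries.items():
        if name not in bound_maps:
            findings.append(f"dynamic-map {name} is not attached to any crypto map")
        lowest = min(entries)
        for seq, sets in entries.items():
            if set(sets) & transport_sets and seq != lowest:
                findings.append(f"dynamic-map {name} seq {seq} carries the transport-mode set but "
                                f"seq {lowest} is evaluated first; give the L2TP entry the lowest seq")
    return findings
```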