0

How can I connect a Windows 10 laptop to a Cisco ASA via VPN using L2TP/IPSec rather than AnyConnect? Apparently, the Cisco client is no longer supported, and the Windows 10 built-in client gives me the following error:

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

Because of the scale of our deployment, switching to AnyConnect is not an option.

Tim
Dave
  • Have you verified the VPN tunnel on the ASA has L2TP enabled? If not, turn that on first and then try to connect to the VPN. – user5870571 Sep 30 '16 at 18:27
  • Yes, all other clients (L2TP/IPSec Cisco client, Windows 7, iOS, Mac OS X, etc.) are able to connect properly... only Win 10 clients cannot. – Dave Sep 30 '16 at 20:45
  • When the client attempts to connect what do the asa logs and `debug crypto isakmp 100` and `debug crypto ipsec 100` show? Have you tried this on just 1 client so far or do they all fail? – hertitu Oct 01 '16 at 21:00
  • Are you using certificates for authentication (in which case, do you have the right certs on the client) or a password (pre-shared-key or PSK; in which case, are you sure the PSK is correctly configured)? Are the client and/or the ASA behind NAT, and if so, what is the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPsec\AssumeUDPEncapsulationContextOnSendRule on the (failing and working) clients? – hertitu Oct 03 '16 at 07:45
  • This key does not exist on any of our workstations, nor is there an IPSec entry under Services. – Dave Oct 04 '16 at 19:14

2 Answers

1

Though I'm not sure that the VPN type was identical, when I got the error message The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer, the only thing I had to do is described by the third option on this blog. I copy it here in case the link goes bad:

  • IKE and AuthIP IPsec Keying Modules disabled: Solution: This occurs most often when 3rd party VPN software has been installed and disables the IKEEXT service. This can be re-enabled by navigating in Windows to Control Panel > Administrative Tools > Services. Find the service named “IKE and AuthIP IPsec Keying Modules” and open it. Change the Startup type to “Automatic”. It may be necessary to remove the 3rd party VPN software.

In my case, I didn't have to uninstall any 3rd party VPN software. I happened to be running Windows 10 (1803) at the time.

kbulgrien
0

I believe it's [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PolicyAgent], and by default I don't think there is an entry, but I have had an issue before where this needed to be created and set to dword:00000002. But this is not working for me this time. :/
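
A check covering the two things raised in the answers above, the state of the IKEEXT service and the `AssumeUDPEncapsulationContextOnSendRule` value under the `PolicyAgent` key, as an added PowerShell example that is not from either poster. The function name `Get-L2tpPrereqReport` and the `-FixIkeExt` switch are made up for this example; the script changes nothing unless that switch is passed.

```powershell
# Added example, not from the original posts. Read-only unless -FixIkeExt is given.
param([switch]$FixIkeExt)  # hypothetical switch: apply the first answer's service change

function Get-L2tpPrereqReport {
    # IKEEXT is the service from the first answer; PolicyAgent owns the
    # registry key named in the second answer.
    foreach ($name in 'IKEEXT', 'PolicyAgent') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Check = "Service $name"
            Value = if ($svc) { "$($svc.StartMode) / $($svc.State)" } else { 'not found' }
            # A disabled keying service is the condition the first answer describes.
            Flag  = if (-not $svc -or $svc.StartMode -eq 'Disabled') { 'PROBLEM' } else { 'ok' }
        }
    }

    # NAT-T value asked about in the comments, read at the PolicyAgent key.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $name = 'AssumeUDPEncapsulationContextOnSendRule'
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = $name
        Value = if ($prop) { $prop.$name } else { 'not set' }
        Flag  = 'info'   # compare between a working and a failing client
    }
}

$report = @(Get-L2tpPrereqReport)
$report | Format-Table -AutoSize

$ikeDisabled = $report | Where-Object { $_.Check -eq 'Service IKEEXT' -and $_.Value -like 'Disabled*' }
if ($FixIkeExt -and $ikeDisabled) {
    # Needs an elevated session. Same change as the Services console steps.
    Set-Service -Name IKEEXT -StartupType Automatic
    Start-Service -Name IKEEXT
    Get-Service -Name IKEEXT | Format-Table Name, StartType, Status
}
```

Running it on one working and one failing client and comparing the two tables shows whether either setting differs between them.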