I'm trying to stand up a new ASA5505 on our network (previously we used IPCop), and I'm having a bit of an issue getting the VPN to work. I ran through the IPSec VPN wizard in ASDM (6.3) on the ASA (8.3) and I selected the second option, L2TP over IPSec. After enabling both L2TP/IPSec and IPSec in the profile, I'm able to connect with the following clients:
- OSX built-in VPN client
- OSX Cisco VPN client
- iPhone
- iPad
I'm trying to get our Windows clients to connect, but using the Cisco VPN client is unfortunately not an option for us, since most of us run Windows 7 64-bit; the ASA came with version 5.0.06 of the VPN client, but 5.0.07 was the version where 64-bit support was introduced.
I'm attempting to use the built-in L2TP/IPSec client in Windows 7 to connect to the VPN, but here's the chain of events that I see in the monitor (set to Debugging level) when I connect:
Built inbound UDP connection 66792 for outside:x.x.x.x/27917 (x.x.x.x/27917) to identity:IP4/4500 (IP4/4500)
Group = DefaultRAGroup, IP = x.x.x.x, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
AAA retrieved default group policy (vpn) for user = DefaultRAGroup
Group = DefaultRAGroup, IP = x.x.x.x, PHASE 1 COMPLETED
IP = x.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = DefaultRAGroup, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xca3609e8, mess id 0x1)!
Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch
Group = DefaultRAGroup, Username = , IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
(IP Address replaced with x.x.x.x)
At this point, the Windows client just sits and sits and eventually times out.
Does anyone have any idea what I might need to change to get this working for both the clients that already work and Windows?
I'm not terribly experienced with Cisco equipment yet, so I apologize if there's any debugging or additional logging information that I should have included. Feel free to ask and I'll amend my question.
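The log excerpt above already tells the whole story: NAT-T on UDP/4500 is detected, Phase 1 completes, and the session is torn down with "Phase 2 Mismatch" right after "All IPSec SA proposals found unacceptable". Reading that by eye is easy once, but when you are flipping transform-sets and reconnecting repeatedly it helps to have something that classifies each attempt for you. The following is an added example, not code from the question or any of the answers: a small Python parser that walks ASA syslog lines like the ones posted (the sample input is those lines, reproduced with the poster's x.x.x.x redaction; the event names and the "phase1"/"phase2" diagnosis labels are my own), records which IKE milestones were reached for the peer, and maps the outcome onto the layer of the negotiation to check next.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ASA syslog lines from the question, peer address
# left redacted as x.x.x.x exactly as the poster gave them.
SAMPLE_LOG = """\
Built inbound UDP connection 66792 for outside:x.x.x.x/27917 (x.x.x.x/27917) to identity:IP4/4500 (IP4/4500)
Group = DefaultRAGroup, IP = x.x.x.x, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
AAA retrieved default group policy (vpn) for user = DefaultRAGroup
Group = DefaultRAGroup, IP = x.x.x.x, PHASE 1 COMPLETED
IP = x.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = DefaultRAGroup, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xca3609e8, mess id 0x1)!
Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch
"""

# Milestones we recognise in an IKEv1 / L2TP-over-IPsec negotiation.
# The event names are this example's own labels, not ASA message IDs.
PATTERNS = {
    "nat_t_udp4500": re.compile(r"to identity:IP4/4500"),
    "peer_behind_nat": re.compile(r"Remote end IS behind a NAT device"),
    "phase1_ok": re.compile(r"PHASE 1 COMPLETED"),
    "p2_proposals_rejected": re.compile(r"All IPSec SA proposals found unacceptable"),
    "teardown": re.compile(r"Session is being torn down\. Reason: (?P<reason>.+?)\s*$"),
}
# The address may be redacted (x.x.x.x), so accept any non-comma token.
IP_RE = re.compile(r"\bIP = (?P<ip>[^,\s]+)")
GROUP_RE = re.compile(r"\bGroup = (?P<group>[^,\s]+)")

# What to look at for each failure layer; phase 2 is the transform-set
# (ESP cipher/hash) and tunnel-vs-transport mode, which is where L2TP
# clients most often disagree with a freshly wizard-built ASA config.
HINTS = {
    "phase1": "ISAKMP policy: encryption, hash, DH group, lifetime and the pre-shared key",
    "phase2": "IPsec transform-set (ESP cipher/hash) and 'mode transport' on the dynamic map",
}


@dataclass
class IkeSession:
    peer: Optional[str] = None
    group: Optional[str] = None
    events: List[str] = field(default_factory=list)
    teardown_reason: Optional[str] = None


def parse_asa_log(text: str) -> IkeSession:
    """Collect the IKE milestones for the single peer the log lines describe."""
    session = IkeSession()
    for line in text.splitlines():
        m = IP_RE.search(line)
        if m and session.peer is None:
            session.peer = m.group("ip")
        m = GROUP_RE.search(line)
        if m and session.group is None:
            session.group = m.group("group")
        for name, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m:
                session.events.append(name)
                if name == "teardown":
                    session.teardown_reason = m.group("reason")
    return session


def diagnose(session: IkeSession) -> str:
    """Map the observed event sequence onto the negotiation layer that failed."""
    if "phase1_ok" not in session.events:
        return "phase1"
    if "p2_proposals_rejected" in session.events or session.teardown_reason == "Phase 2 Mismatch":
        return "phase2"
    if session.teardown_reason:
        return "other: " + session.teardown_reason
    return "ok"


def report(text: str) -> str:
    """One-line summary suitable for printing after each connection attempt."""
    session = parse_asa_log(text)
    verdict = diagnose(session)
    hint = HINTS.get(verdict, "no mismatch detected")
    return f"peer={session.peer} group={session.group} result={verdict}: check {hint}"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it the output of the ASDM monitor (or a `show logging` capture) for one connection attempt; a "phase2" verdict with Phase 1 already completed means the pre-shared key and ISAKMP policy are fine and only the transform-set or the tunnel/transport mode needs attention.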
First of all, double-check your settings.
...
This most probably means there is indeed a mismatch in the settings. Unfortunately I haven't used Windows' built-in client and I'm not aware of any compatibility issues.
Secondly, if you can't get the latest version of Cisco's VPN client, e.g. from your retailer, cisco.com etc., then I suggest you try this client: http://www.shrew.net/software. It's what we were using before Cisco fixed the 64-bit problem with its client.
http://gregsowell.com/?p=805
It could be that Windows is not using the same encryption.
Did you set up the VPN with 3DES-MD5 or 3DES-SHA?
Just make sure this is also what Windows is using.
Try the following; it has helped me after hours of struggling...
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset mode transport
crypto dynamic-map mydynamapp 20 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
username cisco password cisco mschap
username cisco attributes
 vpn-tunnel-protocol l2tp-ipsec
Keep the other config minimal; it should work.