I am trying to set up a Remote-VPN IPsec IKEv1 from a Windows 10 built-in VPN client to a Cisco ASA 5505, using an L2TP/IPsec tunnel with a pre-shared key and xAuth. After some struggle, I managed to complete both IPsec Phase 1 and Phase 2. But I still got this error on the Windows side when trying to connect:
“The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server”.
On the Windows side, I have under "Allowed protocols" checked both CHAP and MS-CHAP v2. On the Cisco ASA, I have allowed MS-CHAP v2 on the DefaultRAGroup, and the Cisco VPN debugger doesn't show me any specific error about this either.
Will post parts of my running configuration if needed, but I have a feeling that the problem is from the Windows side.
Anyone succeeded with what I am trying to do here? Or know some details about Windows built-in VPN Client authentication methods that I don't?
EDIT
Added a screenshot of some VPN debug messages. Notice the "PHASE 2 COMPLETE" message in blue, and then the client sends a Terminate message. Also notice "Security negotiation complete for User()". There should be a user stated in there.
This is often the case when the AAA-Server and PPP combination is wrong. Only these combinations are supported:
See this reference. You have to select that appropriately at the Connection Profile (Advanced->PPP).
If you are using local authentication and MS-CHAP, then you need to encode your password hashes using Unicode and MD4. You do that by appending the mschap (or in some versions, the nt-encrypted) keyword like this:
Then you will be able to successfully authenticate.