Windows Vista VPN Client: L2TP/IPsec VPN Connection to ASA 5510

Asked by SeeingSharp in Virtual Private Networking (VPN), Windows Vista, Cisco PIX Firewall

Tags: Windows Vista, VPN Client, IPSec, Cisco ASA, Dell Precision M4400

I have done extensive research on the internet regarding this subject and I am at my wit's end.  I have spent the last few weeks working on configuring a new Cisco ASA 5510 VPN connection utilizing L2TP/IPsec.  The entire configuration is in a lab environment and works perfectly.  I can log in to the VPN and move traffic using my iPhone.  The same is true for the clean install Windows XP SP3 laptop that I have for my test environment.

The problem comes from the 2 Windows Vista laptops that the IT Director and I are using to connect to the VPN.  I have an x64 Vista Business SP2 Dell Precision M4400, and my boss has one of the new Latitudes with x86 Vista Business SP1.  Neither one of them can connect and immediately receive the following: Error 789 - The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

The failure is immediate, so I assumed that it had something to do with IKE.  After installing the Microsoft IPSec Diagnostic Tool, and running it for the remote connection to the ASA, it returned the following: IPSec Service Diagnosis - Failed: IKEEXT and PolicyAgent services are not running.  Ipsec is inactive.  Putting the ASA in debug mode for isakmp and ipsec is to no avail as the failure is before it even reaches the device.

I ran services.msc and looked for the IKE and AuthIP (something like that for the name, I can't remember exactly what) and the IPsec PolicyAgent service, and to my surprise, neither one of them exists in my services window at all.  After a scan through the registry, I saw that both of these services have a key named ServiceDllUnloadOnStop set to a DWORD value of 1, but many other services have that as well, and many of them are listed in the services.msc window.

I have a feeling that this is a Vista issue (maybe even a Dell OEM Version issue), but the folks at Dell didn't know what I was talking about.  My next step is to go in on Monday and do a fresh Vista Business install on that laptop and see if those services exist.

What I am wondering is if anyone has seen this before and could maybe point me in the right direction as to how to get those services enabled so that they will run.  I have a feeling that it is the only thing that is keeping me from being able to finish this project.  I have included my ASA configuration below, but I do not believe that this has anything to do with my VPN settings as both the iPhone and Windows XP clients can connect with their respective native clients.

Thank you all for any guidance you could give me in regards to this problem.
access-list VPN_ACL extended permit ip any 192.168.253.0 255.255.255.0
access-list VPN_SplitTunnel_ACL standard permit 10.0.0.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.253.0 255.255.255.0
 
ip local pool VPNpool 192.168.253.1-192.168.253.250 mask 255.255.255.255
 
global (outside) 1 interface
nat (inside) 0 access-list NoNAT_ACL
nat (inside) 1 0.0.0.0 0.0.0.0
 
crypto ipsec transform-set IPsec_Windows esp-3des esp-sha-hmac
crypto ipsec transform-set IPsec_Windows mode transport
crypto ipsec transform-set IPsec_iPhone esp-3des esp-md5-hmac
 
crypto dynamic-map dyno 10 set transform-set IPsec_Windows IPsec_iPhone
crypto dynamic-map dyno 20 set transform-set IPsec_iPhone
 
crypto map IPsec_map 20 ipsec-isakmp dynamic dyno
crypto map IPsec_map interface outside
 
crypto isakmp enable outside
 
crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
 
crypto isakmp nat-traversal 300
 
group-policy VPNusers internal
group-policy VPNusers attributes
    dns-server value 10.0.0.2
    vpn-tunnel-protocol IPsec l2tp-ipsec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value VPN_SplitTunnel_ACL
    default-domain value dev.cwi.local
    split-dns value 10.0.0.2
tunnel-group VPNusers type remote-access
tunnel-group VPNusers general-attributes
    address-pool VPNpool
    authentication-server-group VPN-aaa
    default-group-policy VPNusers
tunnel-group VPNusers ipsec-attributes
    pre-shared-key *
tunnel-group VPNusers ppp-attributes
    authentication ms-chap-v2
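
An added example, not part of the original post and not Cisco tooling: a small Python cross-reference check for ASA-style configuration of the kind posted above, reporting names that are used but never defined. The statement patterns cover only forms visible in that config, the sample input is constructed, and treating a crypto map bound to an interface without `crypto isakmp enable` as a mismatch is an assumption of this example.

```python
import re

# (kind, regex) pairs limited to statement forms seen in the posted config.
DEFINES = [
    ("acl", r"^access-list (\S+) "),
    ("pool", r"^ip local pool (\S+) "),
    ("transform-set", r"^crypto ipsec transform-set (\S+) "),
    ("dynamic-map", r"^crypto dynamic-map (\S+) \d+ "),
    ("group-policy", r"^group-policy (\S+) internal"),
    ("isakmp-interface", r"^crypto isakmp enable (\S+)"),
]
REFERENCES = [
    ("acl", r"^nat \(\S+\) \d+ access-list (\S+)"),
    ("acl", r"^split-tunnel-network-list value (\S+)"),
    ("pool", r"^address-pool (\S+)"),
    ("transform-set", r"^crypto dynamic-map \S+ \d+ set transform-set (.+)"),
    ("dynamic-map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    ("group-policy", r"^default-group-policy (\S+)"),
    # Assumption: the crypto map interface should also have ISAKMP enabled.
    ("isakmp-interface", r"^crypto map \S+ interface (\S+)"),
]

# Constructed sample (not the poster's config) with three planted mistakes.
SAMPLE = """\
ip local pool VPNpool 192.168.253.1-192.168.253.250 mask 255.255.255.255
crypto ipsec transform-set IPsec_Windows esp-3des esp-sha-hmac
crypto dynamic-map dyno 10 set transform-set IPsec_Windows IPsec_Phone
crypto map IPsec_map 20 ipsec-isakmp dynamic dyno
crypto map IPsec_map interface dmz
crypto isakmp enable outside
group-policy VPNusers internal
tunnel-group VPNusers general-attributes
    address-pool VPNpool
    default-group-policy VPNuser
"""

def undefined_references(config):
    """Return (line_no, kind, name) for every name used but never defined."""
    lines = [l.strip() for l in config.splitlines()]
    defined = {(kind, m.group(1)) for line in lines
               for kind, pat in DEFINES if (m := re.match(pat, line))}
    problems = []
    for no, line in enumerate(lines, 1):
        for kind, pat in REFERENCES:
            m = re.match(pat, line)
            for name in (m.group(1).split() if m else []):
                if (kind, name) not in defined:
                    problems.append((no, kind, name))
    return problems
```

Calling `undefined_references(SAMPLE)` reports the misspelled transform set, the interface mismatch and the misspelled group policy, each with its line number in the input.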