echovox
asked on
How to connect Windows Vista to a Cisco VPN using the L2TP Microsoft client
I have a VPN server, a Cisco ASA 5510, using a configuration with Windows clients using L2TP over IPsec.
With clients using Windows XP, the connection works very well.
When I try to connect with a Windows Vista client, the connection doesn't work.
Using a Windows XP virtual machine in Windows Vista, I can connect to the VPN.
Microsoft has changed something in Vista, but it is impossible to find what and how to correct it.
IKE policy:
- Encryption : 3DES
- Authentication: MD5
- DH group: 2
IPsec parameters:
- Encryption : 3DES
- Authentication: MD5
Using the debug mode in the ASA, I can see:
- Phase 1 completed
- All IPSec SA proposals found unacceptable!
- QM FSM error
Thanks
I am not a "Cisco guy" but this likely has to do with the fact that Vista does not support MS-CHAP v1 (only v2), and you may have further complications as some versions of the Cisco IOS do not support MS-CHAP v2. If you have the option of moving from v1 to v2, you should be able to resolve this.
ASKER
I have tried to use only CHAP v.2 on both sides (Vista and ASA), but I can't connect.
ASKER
Hi Lee,
Please do not classify this. We haven't received a proper solution to this problem. Users running Vista cannot connect to the ASA although MSCHAP v2 is configured on both ends.
Thanks for keeping this thread alive.
Bad news....
http://support.microsoft.com/kb/942429
We have the same issue... Vista is working, but only for 1 client at a time...
Also, I think Vista doesn't support MD5 anymore. We use SHA and 3DES, and that works fine for Vista and for XP. (But only 1 Vista client at a time...)
ASKER CERTIFIED SOLUTION
Make sure you disable PFS on the Cisco. I also had this problem.
Disabling the PFS resolved this problem.
http://blogs.isaserver.org/pouseele/
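The following is an added example, not code from any poster in this thread: a small model of the quick mode (phase 2) proposal check behind the ASA debug line "All IPSec SA proposals found unacceptable!", run against the settings the posters discuss (3DES/MD5, 3DES/SHA, PFS on or off). The XP and Vista offer lists and all names in the code are constructed assumptions based on the posts, not values captured from real clients.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    encryption: str                   # ESP cipher, e.g. "3DES"
    integrity: str                    # ESP authentication, e.g. "MD5", "SHA1"
    pfs_group: Optional[int] = None   # DH group offered for PFS, None = no PFS


@dataclass(frozen=True)
class ResponderPolicy:
    transforms: frozenset             # accepted (encryption, integrity) pairs
    pfs_group: Optional[int] = None   # if set, the initiator must offer it


def negotiate(policy, offers):
    """Return (chosen, reasons); chosen is None when every offer is rejected."""
    reasons = []
    for p in offers:
        label = f"{p.encryption}/{p.integrity}"
        if (p.encryption, p.integrity) not in policy.transforms:
            reasons.append(f"{label}: transform not configured on responder")
        elif policy.pfs_group is not None and p.pfs_group != policy.pfs_group:
            reasons.append(f"{label}: responder requires PFS group {policy.pfs_group}")
        else:
            return p, reasons
    return None, reasons


# Constructed offers (assumptions drawn from the posts, not packet captures).
XP_OFFERS = [Proposal("3DES", "SHA1"), Proposal("3DES", "MD5")]
VISTA_OFFERS = [Proposal("AES128", "SHA1"), Proposal("3DES", "SHA1")]

# Responder settings discussed in the thread.
ASKER_POLICY = ResponderPolicy(frozenset({("3DES", "MD5")}))
SHA_POLICY = ResponderPolicy(frozenset({("3DES", "SHA1")}))
SHA_PFS_POLICY = ResponderPolicy(frozenset({("3DES", "SHA1")}), pfs_group=2)

if __name__ == "__main__":
    policies = [("3DES/MD5", ASKER_POLICY), ("3DES/SHA1", SHA_POLICY),
                ("3DES/SHA1 + PFS group 2", SHA_PFS_POLICY)]
    for pname, policy in policies:
        for cname, offers in [("XP", XP_OFFERS), ("Vista", VISTA_OFFERS)]:
            chosen, reasons = negotiate(policy, offers)
            result = chosen or "All IPSec SA proposals found unacceptable!"
            print(f"{pname:24} {cname:6} -> {result}")
            for r in reasons:
                print(f"{'':34}rejected {r}")
```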