====== CANNOT SET UP A L2TP/IPSEC VPN FROM MICROSOFT WINDOWS VISTA ======

**Symptoms:**

  * Cannot set up a L2TP/IPSec VPN from Microsoft Windows Vista (TM) to X-family

**Facts:**

  * 3CRTPX505-73
  * 3CRTPX505-96
  * 3CRTPX506-96
  * 3CRX506-96
  * 3CRTPX5-25-96
  * 3CRTPX5-U-96
  * TippingPoint
  * L2TP
  * IPSec
  * VPN
  * Microsoft Windows Vista (TM)
  * X505
  * X506
  * X5
  * 2.5.0
  * 2.5.1

**Causes:**

For compliance with export legislation, X-family devices leave the factory supporting only encryption levels below 64 bits. Microsoft Windows Vista (TM) enforces a higher level of IPSec encryption for L2TP VPN connections and so rejects the encryption level offered by the X-family.

**Fixes:**

Install the high encryption software upgrade package on the X-family device. This will enable support for encryption up to 256 bits. Create a new IKE Proposal for 3DES encryption and edit the Default IPSec SA so that it uses the 3DES IKE Proposal.

Here is an example of a common IKE proposal using 3DES that works with the default Windows Vista settings:

  - Select VPN -> IPSEC Proposals
  - Click on Create IKE Proposals
  - Define the IKE proposal parameters as follows (This is just a common 3DES example):
    * IKE Phase 1 Setup:
      * Proposal Name: 3DES-SHA1-PSK
      * Encryption: 3DES-CBC
      * Integrity: SHA-1
      * Diffie-Hellman Group: 2 (1024 bits)
      * Lifetime: 28800
      * Authentication Type: Pre-Shared Key
    * IKE Phase 2 Setup:
      * Encryption: ESP-3DES-CBC
      * Integrity: ESP-SHA1-HMAC
      * Lifetime: 3600
      * Enable Perfect Forward Secrecy (Leave the checkbox unchecked)
      * Diffie-Hellman Group: 2 (1024 bits)

----

  * Product(s): TippingPoint, X Family
  * Sub Product(s): X505, X506, X5

 --- //[[nce@itclatam.com|David Gonzalez]] 2021/04/08 09:45//
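
The cause and fix described above, as an added example (not code from the original page or from TippingPoint): a simplified model of IKE proposal selection showing that both the high encryption upgrade and pointing the IPSec SA at the 3DES proposal are needed before the client accepts the tunnel. The ''DES-SHA1'' proposal, the use of DES-CBC as the "below 64 bits" cipher, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Nominal key sizes in bits. DES-CBC stands in for a "below 64 bits" cipher (assumption).
KEY_BITS = {"DES-CBC": 56, "3DES-CBC": 168}

@dataclass(frozen=True)
class Proposal:
    name: str
    encryption: str
    integrity: str
    dh_group: int

    def transform(self):
        # Peers compare algorithms, not the administrator's label.
        return (self.encryption, self.integrity, self.dh_group)

def device_can_offer(p, high_encryption):
    # Per the page: factory firmware stays below 64 bits, the upgrade allows up to 256.
    bits = KEY_BITS[p.encryption]
    return bits <= 256 if high_encryption else bits < 64

def negotiate(client_accepts, sa_proposals, high_encryption):
    """Return the device proposal both sides agree on, or None if the client rejects all."""
    usable = [p for p in sa_proposals if device_can_offer(p, high_encryption)]
    for want in client_accepts:
        for have in usable:
            if want.transform() == have.transform():
                return have
    return None

# Constructed sample data. VISTA models only the transform the page says Vista accepts.
VISTA = [Proposal("vista-default", "3DES-CBC", "SHA-1", 2)]
WEAK = Proposal("DES-SHA1", "DES-CBC", "SHA-1", 2)          # hypothetical factory proposal
STRONG = Proposal("3DES-SHA1-PSK", "3DES-CBC", "SHA-1", 2)  # Phase 1 values from the page

def run_scenarios():
    cases = {
        "factory firmware, weak proposal": ([WEAK], False),
        "3DES proposal without upgrade": ([STRONG], False),
        "upgrade, SA still on weak proposal": ([WEAK], True),
        "upgrade, SA uses 3DES proposal": ([STRONG], True),
    }
    return {label: negotiate(VISTA, props, hi) for label, (props, hi) in cases.items()}

if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result.name if result else 'no proposal chosen'}")
```

Only the last scenario yields an agreed proposal, which matches the order of the fix: install the upgrade, create the 3DES proposal, then edit the Default IPSec SA to use it.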