CANNOT SET UP A L2TP/IPSEC VPN FROM MICROSOFT WINDOWS VISTA
Symptoms:
- Cannot set up a L2TP/IPSec VPN from Microsoft Windows Vista (TM) to X-family
Facts:
- 3CRTPX505-73
* 3CRTPX505-96
* 3CRTPX506-96
* 3CRX506-96
* 3CRTPX5-25-96
* 3CRTPX5-U-96
* TippingPoint
* L2TP
* IPSec
* VPN
* Microsoft Windows Vista (TM)
* X505
* X506
* X5
* 2.5.0
* 2.5.1
Causes: For compliance with export legislation, X-family devices leave the factory supporting only encryption levels below 64 bits. Microsoft Windows Vista (TM) enforces a higher level of IPSec encryption for L2TP VPN connections and so rejects the encryption level offered by the X-family.
Fixes: Install the high encryption software upgrade package on the X-family device. This will enable support for encryption up to 256 bits. Create a new IKE Proposal for 3DES encryption and edit the Default IPSec SA so that it uses the 3DES IKE Proposal.
Here is an example of a common IKE proposal using 3DES that works with the default Windows Vista settings:
- Select VPN → IPSEC Proposals
- Click on Create IKE Proposals
- Define the IKE proposal parameters as follows (This is just a common 3DES example):
- IKE Phase 1 Setup:
Proposal Name: 3DES-SHA1-PSK Encryption: 3DES-CBC Integrity: SHA-1 Diffie-Hellman Group: 2 (1024 bits) Lifetime: 28800 Authentication Type: Pre-Shared Key IKE Phase 2 Setup: Encryption: ESP-3DES-CBC Integrity: ESP-SHA1-HMAC Lifetime: 3600 Enable Perfect Forward Secrecy (Leave the checkbox unchecked)
Diffie-Hellman Group: 2 (1024 bits)
- Product(s): TippingPoint, X Family
- Sub Product(s): X505, X506, X5
— David Gonzalez 2021/04/08 09:45