3com:tippingpoint:x506:general_configuration:cannot_set_up_l2tp_ipsec_vpn_microsoft_windows_vista
CANNOT SET UP A L2TP/IPSEC VPN FROM MICROSOFT WINDOWS VISTA
Symptoms:
- Cannot set up a L2TP/IPSec VPN from Microsoft Windows Vista (TM) to X-family
Facts:
- 3CRTPX505-73
- 3CRTPX505-96
- 3CRTPX506-96
- 3CRX506-96
- 3CRTPX5-25-96
- 3CRTPX5-U-96
- TippingPoint
- L2TP
- IPSec
- VPN
- Microsoft Windows Vista (TM)
- X505
- X506
- X5
- 2.5.0
- 2.5.1
Causes: For compliance with export legislation, X-family devices leave the factory supporting only encryption levels below 64 bits. Microsoft Windows Vista (TM) enforces a higher level of IPSec encryption for L2TP VPN connections and so rejects the encryption level offered by the X-family.
Fixes: Install the high encryption software upgrade package on the X-family device. This will enable support for encryption up to 256 bits. Create a new IKE Proposal for 3DES encryption and edit the Default IPSec SA so that it uses the 3DES IKE Proposal.
Here is an example of a common IKE proposal using 3DES that works with the default Windows Vista settings:
- Select VPN → IPSEC Proposals
- Click on Create IKE Proposals
- Define the IKE proposal parameters as follows (This is just a common 3DES example):
- IKE Phase 1 Setup:
Proposal Name: 3DES-SHA1-PSK Encryption: 3DES-CBC Integrity: SHA-1 Diffie-Hellman Group: 2 (1024 bits) Lifetime: 28800 Authentication Type: Pre-Shared Key IKE Phase 2 Setup: Encryption: ESP-3DES-CBC Integrity: ESP-SHA1-HMAC Lifetime: 3600 Enable Perfect Forward Secrecy (Leave the checkbox unchecked) Diffie-Hellman Group: 2 (1024 bits)
- Product(s): TippingPoint, X Family
- Sub Product(s): X505, X506, X5
— David Gonzalez 2021/04/08 09:45
3com/tippingpoint/x506/general_configuration/cannot_set_up_l2tp_ipsec_vpn_microsoft_windows_vista.txt · Last modified: 2021/04/08 09:58 by dgonzalez