caevans
New Contributor

NetVanta 3448 - Windows native IPSec VPN client?

Summary: Is it possible to negotiate and connect to VPN on a NetVanta 3448 from the client native to Windows 7?

I have successfully configured and connected via the NetVanta Secure VPN Client and TheGreenBow IPSec VPN Client; however, I cannot gain connectivity using Windows natively.  The IPSec transform set and IKE policy are both using 3DES/MD5 and I am using a PSK with no XAUTH. Debug output consistently shows the following.

2013.03.11 15:26:35 CRYPTO_IKE.NEGOTIATION ERROR# NO MATCHING ISAKMP PROPOSAL

2013.03.11 15:26:35 CRYPTO_IKE.NEGOTIATION 100: IkeSelectIsakmpProposal failed

Despite hard setting all Windows IPSec settings I could find to match my configuration of 3DES/MD5/Group 1/28800s, the debug always shows a different proposed encryption, authentication and group. Changing the config on the 3448 to try to match what the attached debug file says is the ISAKMP proposal does not resolve the issue and it still shows a mismatch.

Windows IPSec Policy and Firewall settings:

http://imgur.com/tBmpkVf,ahZi10v,AWTTVaP,vVr9BGk

3448 Crypto Debug Output:

http://pastebin.com/RMC1pzJD

3448 Running Config (public IPs changed to 'x.x.x.x'):

http://pastebin.com/CEBtxJBR


Accepted Solutions
Anonymous
Not applicable

Re: NetVanta 3448 - Windows native IPSec VPN client?

- Thanks for posting your question on the forum!

It is my understanding that the native Windows VPN client supports L2TP/IPSec and not IPSec. Unfortunately, you will need an IPSec compliant client to connect via VPN to an AOS device. I hope this answers your question, but please do not hesitate to let us know if you have any further questions.

Thanks,

Noor

mick
Contributor

Re: NetVanta 3448 - Windows native IPSec VPN client?

MSWindows will support IPSec, but for site-to-site, site to server, server to server VPN connections only, using main mode, with static IP addresses.  For PC-to-site and PC to server (which MS calls remote access VPN), MSWindows uses L2TP/IPSec, to set up a tunnel and provide encryption, or PPTP which sets up an (MS type) GRE tunnel with various weak authentication and encryption protocols, that should not be used these days (other than EAP-TLS which requires a PKI).  More recently (Vista onward) MSWindows also offers Secure Socket Tunneling Protocol (using SSL3) and IKEv2 with mobike for roaming devices.

I have not tried it, but I expect that it is possible to set up an IPSec tunnel to a NetVanta using the native MSWindows IPSec policy mechanism, as long as both sides use static IP addresses as identifiers.

However, from the logs that the OP has provided it seems that there is a mismatch in the proposal submitted by the client and that shown in the running-config of the router. In particular, the crypto debug shows AES and SHA1 being submitted, which do not match the 3DES and MD5 set up in the IKE attributes of the router.  In addition, the screenshot shows that the first KE on the client is set up to use Diffie Hellman Group 1, but the router is set up to expect DH Group 2 instead.  So, I'm guessing that the client tries the first KE method, which fails because of the Diffie Hellman Group mismatch and then proceeds to use the second and third KE methods both of which fail because they do not match the router config which expects 3DES and MD5.

If these details were corrected and checked on both sides, I suspect the connection would get further and potentially establish an encrypted IPSec tunnel.

Hope this helps.

--

Regards,

Mick
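
The proposal matching behind the `NO MATCHING ISAKMP PROPOSAL` error discussed above, as an added example that is not part of any post in this thread and is not ADTRAN or Microsoft code. The class and function names are hypothetical, and the client offers are constructed from the description in the thread (the real ones are in the linked debug output); the check compares the four IKEv1 phase 1 attributes that both peers must agree on.

```python
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Proposal:
    """The four IKEv1 phase 1 attributes that must agree on both peers."""
    encryption: str
    hash_alg: str
    dh_group: int
    auth_method: str

def mismatches(policy, offer):
    """Map each differing attribute to (offered value, policy value)."""
    return {f.name: (getattr(offer, f.name), getattr(policy, f.name))
            for f in fields(Proposal)
            if getattr(offer, f.name) != getattr(policy, f.name)}

def select_proposal(policy, offers):
    """Return (index of the first acceptable offer or None, per-offer diffs)."""
    diffs = [mismatches(policy, offer) for offer in offers]
    chosen = next((i for i, d in enumerate(diffs) if not d), None)
    return chosen, diffs

def report(policy, offers):
    """Explain, offer by offer, why negotiation succeeds or fails."""
    chosen, diffs = select_proposal(policy, offers)
    lines = []
    for n, diff in enumerate(diffs, start=1):
        if not diff:
            lines.append(f"proposal {n}: acceptable")
            continue
        why = "; ".join(f"{attr} offered {got!r}, policy requires {want!r}"
                        for attr, (got, want) in diff.items())
        lines.append(f"proposal {n}: rejected ({why})")
    if chosen is None:
        lines.append("result: NO MATCHING ISAKMP PROPOSAL")
    return lines

# Router side as described in the thread: 3DES, MD5, DH group 2, pre-shared key.
ROUTER_POLICY = Proposal("3des", "md5", 2, "psk")

# Constructed sample offers, not copied from the debug output.
CLIENT_OFFERS = [
    Proposal("3des", "md5", 1, "psk"),   # right ciphers, wrong DH group
    Proposal("aes", "sha1", 2, "psk"),   # constructed: group value assumed
    Proposal("aes", "sha1", 2, "psk"),
]

if __name__ == "__main__":
    print("\n".join(report(ROUTER_POLICY, CLIENT_OFFERS)))
```

Listing the per-attribute difference for every offer shows at a glance which side needs changing, rather than only that the negotiation failed.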

Anonymous
Not applicable

Re: NetVanta 3448 - Windows native IPSec VPN client?

- Do you have any further questions regarding this topic? Please do not hesitate to reply if you do and we will be happy to answer them.

Thanks,

Noor

caevans
New Contributor

Re: NetVanta 3448 - Windows native IPSec VPN client?

A little late with the update, sorry!  Appreciate the feedback, people. You were absolutely right about Windows VPN client supporting only L2TP/IPSec instead of IPSec. We downloaded an IPSec compliant client, ShrewSoft VPN Client, and connected without issue on our Windows and GNU/Linux machines. It's unfortunate that the .dmg takes a decent amount of manual dependency installation; it's a bit of a pain. Just out of curiosity, is there a freeware IPSec client native to OS X?

Thanks again,

Chris

mick
Contributor

Re: NetVanta 3448 - Windows native IPSec VPN client?

I don't want to disagree with what was advised, but this article http://support.microsoft.com/kb/816514/en-us suggests that by implementing MSWindows Security Policies you should be able to configure a VPN tunnel using native IPSec (i.e. not L2TP, or PPP).  I don't know if this applies to Windows 7 though.

The native OSX supports IPSec with XAUTH.  If you don't want to use XAUTH you can manually configure Racoon (a component of ipsec-tools) which is the application running in the background.  Details can be found here:  http://www.topdog.za.net/2012/09/19/mac-osx-ipsec-vpn-via-command-line-using-builtin-racoon-client/

I have configured Racoon successfully on Linux with SSL certificate authentication, so ask if you get stuck.

Regards,

Mick

Anonymous
Not applicable

Re: NetVanta 3448 - Windows native IPSec VPN client?

- You may find the following thread helpful: Re: NetVanta VPN - Apple Client

Some Mac users have had success with the clients listed in the discussion. Let us know if you have any questions.

Thanks,

Noor

Anonymous
Not applicable

Re: NetVanta 3448 - Windows native IPSec VPN client?


I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post to unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.


Thanks,

Noor