7 Replies Latest reply on Jul 9, 2013 7:08 AM by noor

    NetVanta 3448 - Windows native IPSec VPN client?

    caevans New Member

      Summary: Is it possible to negotiate and connect to VPN on a NetVanta 3448 from the client native to Windows 7?


      I have successfully configured and connected via the NetVanta Secure VPN Client and TheGreenBow IPSec VPN Client; however, I cannot gain connectivity using Windows natively.  The IPSec transform set and IKE policy are both using 3DES/MD5 and I am using a PSK with no XAUTH. Debug output consistently shows the following.



      2013.03.11 15:26:35 CRYPTO_IKE.NEGOTIATION 100: IkeSelectIsakmpProposal failed


      Despite hard setting all Windows IPSec settings I could find to match my configuration of 3DES/MD5/Group 1/28800s, the debug always shows a different proposed encryption, authentication and group. Changing the config on the 3448 to try to match what the attached debug file says is the ISAKMP proposal does not resolve the issue and it still shows a mismatch.


      Windows IPSec Policy and Firewall settings:



      3448 Crypto Debug Output:



      3448 Running Config (public IPs changed to 'x.x.x.x'):


        • Re: NetVanta 3448 - Windows native IPSec VPN client?

          caevans - Thanks for posting your question on the forum!


          It is my understanding that the native Windows VPN client supports L2TP/IPSec and not IPSec. Unfortunately, you will need an IPSec compliant client to connect via VPN to an AOS device. I hope this answers your question, but please do not hesitate to let us know if you have any further questions.




            • Re: NetVanta 3448 - Windows native IPSec VPN client?
              mick Visitor

              MSWindows will support IPSec, but for site-to-site, site to server, server to server VPN connections only, using main mode, with static IP addresses.  For PC-to-site and PC to server (which MS calls remote access VPN), MSWindows uses L2TP/IPSec, to set up a tunnel and provide encryption, or PPTP which sets up an (MS type) GRE tunnel with various weak authentication and encryption protocols, that should not be used these days (other than EAP-TLS which requires a PKI).  More recently (Vista onward) MSWindows also offers Secure Socket Tunneling Protocol (using SSL3) and IKEv2 with mobike for roaming devices.


              I have not tried it, but I expect that it is possible to set up an IPSec tunnel to a NetVanta using the native MSWindows IPSec policy mechanism, as long as both sides use static IP addresses as identifiers.


              However, from the logs that the OP has provided it seems that there is a mismatch in the proposal submitted by the client and that shown in the running-config of the router. In particular, the crypto debug shows AES and SHA1 being submitted, which do not match the 3DES and MD5 set up in the IKE attributes of the router.  In addition, the screenshot shows that the first KE on the client is set up to use Diffie Hellman Group 1, but the router is set up to expect DH Group 2 instead.  So, I'm guessing that the client tries the first KE method, which fails because of the Diffie Hellman Group mismatch and then proceeds to use the second and third KE methods both of which fail because they do not match the router config which expects 3DES and MD5.


              If these details were corrected and checked on both sides, I suspect the connection would get further and potentially establish an encrypted IPSec tunnel.


              Hope this helps.
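The proposal-matching failure mick describes above, as an added example that is not part of this thread and not AOS or Windows code: a small Python model of responder-side IKEv1 phase 1 proposal selection that reports which attributes of each client transform differ from the router's IKE policy. The transform names and the sample proposals are constructed to mirror the thread (router expects 3DES/MD5/group 2; the client offers group 1 first, then AES/SHA1).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IkeTransform:
    """One IKE phase 1 proposal: cipher, hash, DH group, authentication."""
    encryption: str   # "3des", "aes128", ...
    hash_alg: str     # "md5", "sha1", ...
    dh_group: int     # Diffie-Hellman group number (1, 2, 5, ...)
    auth: str = "pre-share"

    def attrs(self) -> Dict[str, object]:
        # Normalise case so "3DES"/"MD5" (Windows UI) equals "3des"/"md5" (AOS).
        return {"encryption": self.encryption.lower(), "hash": self.hash_alg.lower(),
                "dh_group": self.dh_group, "auth": self.auth.lower()}


def select_isakmp_proposal(router_policies: List[IkeTransform],
                           client_transforms: List[IkeTransform]) -> Optional[Tuple[int, int]]:
    """Responder-side selection: walk the router's policies in priority order
    and return (policy_index, transform_index) for the first client transform
    whose attributes all match, or None (the "IkeSelectIsakmpProposal failed" case)."""
    for pi, policy in enumerate(router_policies):
        for ti, t in enumerate(client_transforms):
            if t.attrs() == policy.attrs():
                return pi, ti
    return None


def explain_mismatch(router_policies: List[IkeTransform],
                     client_transforms: List[IkeTransform]) -> List[str]:
    """List, per (transform, policy) pair, the attributes that differ so the
    operator can see which side to change."""
    report = []
    for ti, t in enumerate(client_transforms):
        for pi, policy in enumerate(router_policies):
            diffs = [f"{k} {t.attrs()[k]!r} != {v!r}"
                     for k, v in policy.attrs().items() if t.attrs()[k] != v]
            if diffs:
                report.append(f"transform {ti + 1} vs policy {pi + 1}: " + ", ".join(diffs))
    return report


# Constructed sample modelled on the thread (not the OP's actual config/log).
ROUTER_POLICIES = [IkeTransform("3des", "md5", 2)]
CLIENT_TRANSFORMS = [IkeTransform("3DES", "MD5", 1),
                     IkeTransform("AES128", "SHA1", 2),
                     IkeTransform("AES256", "SHA1", 2)]
CLIENT_FIXED = [IkeTransform("3DES", "MD5", 2)] + CLIENT_TRANSFORMS[1:]

if __name__ == "__main__":
    for line in explain_mismatch(ROUTER_POLICIES, CLIENT_TRANSFORMS):
        print(line)
    print("after fix:", select_isakmp_proposal(ROUTER_POLICIES, CLIENT_FIXED))
```

Running it prints one mismatch line per offered transform (group 1 vs 2 for the first, cipher and hash for the others) and then `(0, 0)` once the first transform is corrected to group 2.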