Phase 2 Mismatch when connecting Windows 7 to ASA5505 VPN
Solution 1
First of all double check your settings.
All IPSec SA proposals found unacceptable!
...
Session is being torn down. Reason: Phase 2 Mismatch
This most probably means there is indeed a mismatch in the settings. Unfortunately I haven't used Windows's built-in client and I'm not aware of any compatibility issues.
Secondly, if you can't get the latest version of Cisco's VPN client, i.e. from your retailer, cisco.com etc., then I suggest you try this client http://www.shrew.net/software. It's what we were using before Cisco fixed the 64-bit problem with its client.
Solution 2
Another quick note: If you have multiple dynamic crypto maps, then you need to make sure your L2TP crypto map has a higher priority than the others. You will often see "All IPSec SA proposals found unacceptable" because of this problem.
Solution 3
It could be that Windows is not using the same encryption.
Did you setup the VPN with 3DES-MD5 or 3DES-SHA?
Just make sure this is also what Windows is using.
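The following ASA 8.3 configuration fragment is an added example, not configuration from the thread or from Cisco; it puts Solution 2 (crypto map ordering) and Solution 3 (matching 3DES/SHA proposals) into CLI form. The names L2TP_TRANS, ESP-3DES-SHA, ESP-3DES-MD5, outside_dyn_map and outside_map are assumptions; the group policy name vpn and tunnel group DefaultRAGroup are taken from the log in the question.

```cisco
! Added example (not from the thread): ASA 8.3 crypto configuration for the
! Windows 7 built-in L2TP/IPsec client. Object names are assumptions.
!
! Phase 1: a policy the Windows client can match (3DES / SHA / DH group 2).
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! The log shows "Remote end IS behind a NAT device", so NAT-T (UDP 4500) is needed.
crypto isakmp nat-traversal 20
!
! Phase 2 (Solution 3): the transform set must match what Windows proposes.
! L2TP/IPsec negotiates TRANSPORT mode; the wizard's default sets are tunnel
! mode, which alone produces "All IPSec SA proposals found unacceptable".
crypto ipsec transform-set L2TP_TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP_TRANS mode transport
!
! Tunnel-mode sets for the other remote-access clients (assumed, wizard-style names).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
! Solution 2: give the L2TP entry a LOWER sequence number than the other
! dynamic entries. Lower sequence = higher priority when proposals are matched,
! so the Windows proposal hits the transport-mode set before the tunnel-mode ones.
crypto dynamic-map outside_dyn_map 10 set transform-set L2TP_TRANS
crypto dynamic-map outside_dyn_map 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! Group policy and tunnel group named in the log (group policy "vpn", DefaultRAGroup).
group-policy vpn attributes
 vpn-tunnel-protocol ipsec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <REPLACE_WITH_PRE_SHARED_KEY>
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
```

After applying it, `show crypto ipsec sa` on the ASA should list the Windows peer with `mode transport`, and the "Phase 2 Mismatch" teardown should no longer appear in the log.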
Adam Robinson
Updated on September 18, 2022
Comments
-
Adam Robinson over 1 year
I'm trying to stand up a new ASA5505 on our network (previously we used IPCop), and I'm having a bit of an issue getting the VPN to work. I ran through the IPSec VPN wizard in ASDM (6.3) on the ASA (8.3) and I selected the second option, L2TP over IPSec. After enabling both L2TP/IPSec and IPSec in the profile, I'm able to connect with the following clients:
- OSX built-in VPN client
- OSX Cisco VPN client
- iPhone
- iPad
I'm trying to get our Windows clients to connect, but using the Cisco VPN client is unfortunately not an option for us: most of us run Windows 7 64-bit, and the ASA came with version 5.0.06 of the VPN client, whereas 5.0.07 was the version where 64-bit support was introduced.
I'm attempting to use the built-in L2TP/IPSec client in Windows 7 to connect to the VPN, but here's the chain of events that I see in the monitor (set to Debugging level) when I connect:
Built inbound UDP connection 66792 for outside:x.x.x.x/27917 (x.x.x.x/27917) to identity:IP4/4500 (IP4/4500)
Group = DefaultRAGroup, IP = x.x.x.x, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
AAA retrieved default group policy (vpn) for user = DefaultRAGroup
Group = DefaultRAGroup, IP = x.x.x.x, PHASE 1 COMPLETED
IP = x.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = DefaultRAGroup, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xca3609e8, mess id 0x1)!
Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch
Group = DefaultRAGroup, Username = , IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
(IP Address replaced with x.x.x.x)
At this point, the Windows client just sits and sits and eventually times out.
Does anyone have any idea what I might need to change to get this working for both the clients that already work and Windows?
I'm not terribly experienced with Cisco equipment yet, so I apologize if there's any debugging or additional logging information that I should have included. Feel free to ask and I'll amend my question.
-
Adam Robinson about 13 years
I'm sure you're right, but unfortunately I've been so far unsuccessful in locating the specifics on what the Windows client uses so that I can configure the firewall to accept them.
-
Adam Robinson about 13 years
I don't see a way to either view or configure the encryption profile that Windows uses; do you know of a way? Either way, my dynamic crypto map on the ASA contains every single profile that exists on the thing, including 3DES in both MD5 and SHA.
-
AlexTsr about 13 years
@Adam, have you tried the other client I linked? If you worry about the settings being correct, you can export the profile from a working Cisco VPN client (I see you have successfully connected from OS X) and import it to the one I linked above. It should be a .pcf file.
-
Adam Robinson about 13 years
Thanks, I was able to get it working with the ShrewSoft client. I'm not particularly happy about it (I'd rather either use the Cisco client, which I am unable to obtain since I don't have a SmartNet contract, or use the built-in Windows client), but it does work.