Phase 2 Mismatch when connecting Windows 7 to ASA5505 VPN


Solution 1

First of all double check your settings.

All IPSec SA proposals found unacceptable!

...

Session is being torn down. Reason: Phase 2 Mismatch

This most probably means there is indeed a mismatch in the settings. Unfortunately I haven't used Windows's built-in client and I'm not aware of any compatibility issues.

Secondly, if you can't get the latest version of Cisco's VPN client (e.g. from your retailer, cisco.com, etc.), then I suggest you try this client: http://www.shrew.net/software. It's what we were using before Cisco fixed the 64-bit problem with its client.

Solution 2

http://gregsowell.com/?p=805

Another quick note: if you have multiple dynamic crypto maps, then you need to make sure your L2TP crypto map has a higher priority than the others. You will often see "All IPSec SA proposals found unacceptable" because of this problem.

Solution 3

It could be that Windows is not using the same encryption.

Did you setup the VPN with 3DES-MD5 or 3DES-SHA?

Just make sure this is also what Windows is using.
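As an added worked example that is not part of any of the answers above, the following ASA 8.3-style configuration implements the advice in Solution 2 (L2TP dynamic map evaluated before the others) and Solution 3 (offer exactly the 3DES/SHA pair the Windows 7 client negotiates). The object names TRANS_ESP_3DES_SHA, L2TP-DYN, OTHER-DYN, ESP-AES-256-SHA, L2TP-POOL and outside_map are assumptions for illustration; the group policy `vpn` and tunnel group `DefaultRAGroup` are the names that appear in the question's log. One line the answers do not mention, but which Cisco's own L2TP-over-IPsec documentation requires for the Windows built-in client, is `mode transport` on the transform set: that client carries L2TP inside ESP in transport mode, and a tunnel-mode-only transform set is rejected as "All IPSec SA proposals found unacceptable!" even when cipher and hash match.

```cisco
! Added example configuration, not taken from the original answers.
! Names TRANS_ESP_3DES_SHA, L2TP-DYN, OTHER-DYN, ESP-AES-256-SHA, L2TP-POOL and
! outside_map are illustrative; wizard-generated names on your ASA will differ.

! Phase 1: a policy the Windows 7 client accepts (3DES / SHA / DH group 2 / PSK).
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
! The log shows "Remote end IS behind a NAT device", so keep NAT-T on.
crypto isakmp nat-traversal 30

! Solution 3: one transform set, 3DES with SHA, exactly what Windows proposes.
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
! Required for the Windows built-in L2TP/IPsec client (per Cisco documentation,
! not stated in the answers): L2TP/IPsec uses transport mode, not tunnel mode.
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

! Solution 2: give the L2TP dynamic map the highest priority. On the ASA a
! LOWER sequence number is evaluated FIRST, so the L2TP entry gets 10 and any
! other dynamic map (e.g. for the Cisco/OS X IPsec clients) gets a higher number.
crypto dynamic-map L2TP-DYN 10 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map OTHER-DYN 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 ipsec-isakmp dynamic L2TP-DYN
crypto map outside_map 20 ipsec-isakmp dynamic OTHER-DYN
crypto map outside_map interface outside

! Addresses handed to L2TP clients (assumed range).
ip local pool L2TP-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0

! Group policy "vpn" (from the question's log): allow both L2TP/IPsec and the
! plain IPsec client, matching what the ASDM wizard enabled.
group-policy vpn internal
group-policy vpn attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 address-pools value L2TP-POOL

! DefaultRAGroup is the tunnel group the Windows client lands in; its PSK must
! equal the pre-shared key entered in the Windows connection properties.
tunnel-group DefaultRAGroup general-attributes
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
```

After applying this, `show run crypto` confirms that the L2TP dynamic map entry carries the lowest sequence number and that the transform set is in transport mode, and `show crypto ipsec sa` on a successful Windows connection shows the negotiated ESP-3DES/SHA SA in transport mode. If the Phase 2 mismatch persists with the Windows client while the OS X and iOS clients still connect, the remaining differences to check are the pre-shared key and the transport-mode setting, since those clients tolerate tunnel mode and Windows does not.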



Author: Adam Robinson

Updated on September 18, 2022

Comments

  • Adam Robinson
    Adam Robinson over 1 year

    I'm trying to stand up a new ASA5505 on our network (previously we used IPCop), and I'm having a bit of an issue getting the VPN to work. I ran through the IPSec VPN wizard in ASDM (6.3) on the ASA (8.3) and I selected the second option, L2TP over IPSec. After enabling both L2TP/IPSec and IPSec in the profile, I'm able to connect with the following clients:

    • OSX built-in VPN client
    • OSX Cisco VPN client
    • iPhone
    • iPad

    I'm trying to get our Windows clients to connect, but using the Cisco VPN client is unfortunately not an option for us: most of us run Windows 7 64-bit, and while the ASA came with version 5.0.06 of the VPN client, 5.0.07 was the version where 64-bit support was introduced.

    I'm attempting to use the built-in L2TP/IPSec client in Windows 7 to connect to the VPN, but here's the chain of events that I see in the monitor (set to Debugging level) when I connect:

    Built inbound UDP connection 66792 for outside:x.x.x.x/27917 (x.x.x.x/27917) to identity:IP4/4500 (IP4/4500)
    Group = DefaultRAGroup, IP = x.x.x.x, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
    AAA retrieved default group policy (vpn) for user = DefaultRAGroup
    Group = DefaultRAGroup, IP = x.x.x.x, PHASE 1 COMPLETED
    IP = x.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
    Group = DefaultRAGroup, IP = x.x.x.x, All IPSec SA proposals found unacceptable!
    Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xca3609e8, mess id 0x1)!
    Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!
    Group = DefaultRAGroup, IP = x.x.x.x, Session is being torn down. Reason: Phase 2 Mismatch
    Group = DefaultRAGroup, Username = , IP = x.x.x.x, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    

    (IP Address replaced with x.x.x.x)

    At this point, the Windows client just sits and sits and eventually times out.

    Does anyone have any idea what I might need to change to get this working for both the clients that already work and Windows?

    I'm not terribly experienced with Cisco equipment yet, so I apologize if there's any debugging or additional logging information that I should have included. Feel free to ask and I'll amend my question.

  • Adam Robinson
    Adam Robinson about 13 years
    I'm sure you're right, but unfortunately I've been so far unsuccessful in locating the specifics on what the Windows client uses so that I can configure the firewall to accept them.
  • Adam Robinson
    Adam Robinson about 13 years
    I don't see a way to either view or configure the encryption profile that Windows uses; do you know of a way? Either way, my dynamic crypto map on the ASA contains every single profile that exists on the thing, including 3DES in both MD5 and SHA.
  • AlexTsr
    AlexTsr about 13 years
    @Adam, have you tried the other client I linked? If you worry about the settings being correct, you can export the profile from a working Cisco VPN client (I see you have successfully connected from OS X) and import it into the one I linked above. It should be a .pcf file.
  • Adam Robinson
    Adam Robinson about 13 years
    Thanks, I was able to get it working with the ShrewSoft client. I'm not particularly happy about it (I'd rather either use the Cisco client, which I am unable to obtain since I don't have a SmartNet contract, or use the built-in Windows client), but it does work.