Cisco IPSec Issue with Windows 10

cisco-asaipsecl2tpvpn

How can I connect a Windows 10 laptop to a Cisco ASA via VPN using L2TP/IPSec rather than AnyConnect? Apparently, the Cisco client is no longer supported, and the Windows 10 built-in client gives me the following error:

The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.

Because of the scale of our deployment, switching to AnyConnect is not an option.

Best Answer

Though I'm not sure that the VPN type was identical, when I got the error message The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer, the only thing I had to do is described by the third option on this blog. I copy it here in case the link goes bad:

IKE and AuthIP IPsec Keying Modules disabled: Solution: This occurs most often when 3rd party VPN software has been installed and disables the IKEEXT service. This can be re-enabled by navigating in Windows to Control Panel > Administrative Tools > Services. Find the service named “IKE and AuthIP IPsec Keying Modules” and open it. Change the Startup type to “Automatic”. it may be necessary to remove the 3rd party VPN software.

In my case, I didn't have to uninstall any 3rd party VPN software. I happened to be running Windows 10 (1803) at the time.

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

Can you post the output of your log while trying to establish a vpn connection at the debugging level? (in the asdm go to Monitoring -> Logging -> set logging level to debug in the drop down -> click view)

Also unless there is a compelling reason to stay at 7.2(4) I would upgrade to the latest 8.x release. The 7.2 series had some pretty major issues.

EDIT

That error means that the interface the incoming vpn is setup on doesn't have a crypto-map applied.

if you were following the instructions there, you probably applied the crypto map like this:

crypto map outside_map interface outside

if you are testing on the same lan you would need to do this:

crypto map outside_map interface inside

Ugly i know but it'll let you test, then remove from the inside interface and you are good to go.

If that doesn't work, would you be willing put post your running config?

EDIT 2:

Ok, lets simplify this config a little. Try disconnecting the XP machine from the ASA. And also remove the 192.168.1.1 ip address and DHCP pool from the ASA. Then try to connect via the vpn.

L2TP and IPSEC from Windows XP: Where do I put the IPSEC group name

If you open the Properties of the VPN connection, there should be a Security tab. The Type of VPN at the top should be set to L2TP/IPsec. Below this dropdown, you should see a Advanced Settings button which will allow you to enter a preshared key for authentication. You should put the group name there.

Best Answer

Related Solutions

Cisco ASA 5505 – L2TP over IPsec

L2TP and IPSEC from Windows XP: Where do I put the IPSEC group name

Related Topic