Microsoft KB Archive/249067

= How to Configure Cisco IOS for L2TP/IPSec in Windows 2000 =

Article ID: 249067

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q249067



SUMMARY
This article explains two changes you need to make to Cisco Internetwork Operating System (IOS) (in addition to the standard L2TP/IPSec configuration on the Cisco router) to be able to establish an L2TP session with a Windows 2000 host computer. Please check your Cisco router manuals to configure a standard L2TP/IPSec configuration.

NOTE: Please read your IOS documentation or contact Cisco support before you execute the commands referenced in this article. They may not apply to your IOS version.



MORE INFORMATION
The two changes you need to make are a hash and a filter configuration change.

Hash Configuration Change
Cisco IOS IKE default policy includes SHA as the hash algorithm for Phase 1 negotiation of Internet Key Exchange (IKE) Security Associations (SAs). If you configure Windows 2000 to use MD5 as the hash algorithm (for integrity purposes) instead of SHA, you must configure IOS to accept MD5.

To view the IKE policy in the Cisco IOS, use the following command:

router1#sh crypto isakmp policy

The default policy would look like:

Default protection suite

encryption algorithm:

DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

In order to configure the Cisco IOS to accept MD5 as the IKE hash algorithm, you need to configure a new ISAKMP (IKE) policy. Type the following commands at the router enable prompt:

router1#conf t

router1(config)#crypto isakmp policy 1

router1(config-isakmp)# hash md5

router1(config-isakmp)#end

To confirm the changes type:

router1#sh crypto isakmp policy

Protection suite of priority 1

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Message Digest 5

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Default protection suite

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Secure Hash Standard

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #1 (768 bit)

lifetime: 86400 seconds, no volume limit

Note that there is now a new ISAKMP policy with priority 1 (higher than the default) which includes the MD5 hash algorithm.
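Added example, not from the original article: a small Python parser for the `sh crypto isakmp policy` output shown above. It reports which protection suites offer the MD5 hash that a Windows 2000 peer may propose, and flags the Phase 1 settings in each suite that are legacy-weak by current standards (DES, MD5, DH group 1). The sample text is constructed from the output in this article; the function names are my own.

```python
import re

# Constructed sample: the two suites listed after "crypto isakmp policy 1 / hash md5"
SAMPLE_OUTPUT = """\
Protection suite of priority 1
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

HEADER_RE = re.compile(r"^(?:Protection suite of priority (\d+)|Default protection suite)\s*$")
FIELD_RE = re.compile(r"^\s+([A-Za-z -]+?):\s+(.+?)\s*$")

# How IOS spells the hash in this output, keyed by the CLI keyword
HASH_NAMES = {"md5": "Message Digest 5", "sha": "Secure Hash Standard"}

def parse_isakmp_policies(text):
    """Return one dict per suite, in display order (lowest priority number first,
    default suite last). The default suite gets priority None."""
    policies = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            policies.append({"priority": int(m.group(1)) if m.group(1) else None})
            continue
        m = FIELD_RE.match(line)
        if m and policies:
            policies[-1][m.group(1).lower()] = m.group(2)
    return policies

def policies_offering_hash(policies, hash_keyword):
    """Priorities of the suites whose hash matches the CLI keyword ('md5' or 'sha')."""
    wanted = HASH_NAMES[hash_keyword]
    return [p["priority"] for p in policies if p.get("hash algorithm") == wanted]

def audit_policy(policy):
    """List the Phase 1 settings of one suite that are legacy-weak today."""
    findings = []
    if policy.get("encryption algorithm", "").startswith("DES"):
        findings.append("DES (56-bit) encryption")
    if policy.get("hash algorithm") == HASH_NAMES["md5"]:
        findings.append("MD5 integrity")
    if policy.get("diffie-hellman group", "").startswith("#1 "):
        findings.append("DH group 1 (768-bit)")
    return findings
```

Running `policies_offering_hash(parse_isakmp_policies(SAMPLE_OUTPUT), "md5")` returns `[1]`, confirming that only the new priority-1 suite would match an MD5 proposal.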

Filter Configuration Change
Windows 2000 automatically plumbs an output filter when initiating an L2TP tunnel as a client. The filter looks like this:

source: W2K host, UDP port 1701

destination: any

Normally the Cisco IOS expects to filter on traffic coming from any host to its IP Address, UDP port 1701, in the following form:

source: any

destination: IOS, UDP port 1701

This looks like the following as a Cisco Access Control List (ACL):

access-list 161 permit udp host IOS IP Address eq 1701 any

Because of this, you may receive a filter mismatch error message during negotiation.

As a work-around, you need to modify the IOS filter to follow the same syntax as Windows 2000:

access-list 161 permit udp host IOS IP Address any eq 1701

NOTE: This also applies to "Windows 2000 Gateway to IOS Gateway L2TP/IPSec tunneling" when Windows 2000 is the initiator. The same client filters get plumbed automatically (except that the filters are subnet based instead of IP-address specific). For gateway-to-gateway implementations, you need to configure the Dial-on-Demand (DOD) interface in Windows 2000 as a Persistent connection because the Cisco IOS does not have demand-dial capabilities. If you do not configure a Persistent connection, the tunnel is established only when traffic is sent from the Windows 2000 host.

This information applies to Cisco IOS 12.0.5. Please contact Cisco support for updated or additional IOS information and check your IOS documentation before making modifications to your IOS configuration.

Additional query words: L2TP, IPSec, tunneling, ISAKMP, IKE, VPN, access-list, Cisco, configuration

Keywords: kb3rdparty kbenv kbinfo KB249067

-


© Microsoft Corporation. All rights reserved.