L2TP/IPSec from Windows 7 to ASA 5520

I have IPsec working in "lan-to-lan" mode between Windows 7 and an ASA with 8.3(2)13 (FIPS certified).

I'm quite sure you are correct regarding the error - if it can't negotiate an SA you are hosed.

I would try getting rid of "NAT Traversal". Of course, you might be stuck with trying to go over NAT, in which case it may be required. But that sure looks like the cause of your problem.

I guess your other option is to figure out how to get Windows 7 to do the NAT-traversal SA type. You might try poking around with netsh advfirewall consec on Windows.

Here's a reference for it I had bookmarked: http://technet.microsoft.com/en-us/library/dd736198(v=ws.10).aspx

One note - Windows documentation talks a LOT about how important it is to regularly re-key the connection. However, if you re-key too frequently, the ASA takes a dump and drops the connection. Make sure you don't re-key more often than every 2 minutes. Using MS's recommended number of bytes value for the rekey made it go below 2 minutes.

When we opened a support case, M$ couldn't really give any real reason for their recommendation. They sent us a big fat bill though.
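As an added illustration of the netsh advfirewall consec approach and the re-key point raised above (this is example code, not anything the poster or Microsoft published), here is a Windows 7 connection security rule in tunnel mode with explicit quick-mode lifetimes. The addresses, rule name and pre-shared key are placeholders, and the rekey values (60 minutes, about 2 GB) are chosen to keep the data-volume trigger from firing before the time-based one on a busy link:

```powershell
# Added example, not from the original post. All addresses and the PSK are
# assumed placeholders: Windows 7 host 203.0.113.10, ASA outside interface
# 198.51.100.1, remote LAN behind the ASA 10.0.0.0/24.
$Name        = "IPsec tunnel to ASA (example)"
$LocalHost   = "203.0.113.10"
$AsaOutside  = "198.51.100.1"
$RemoteLan   = "10.0.0.0/24"
$Psk         = "ReplaceWithRealPreSharedKey"

# Remove any earlier copy so the script can be re-run cleanly.
netsh advfirewall consec delete rule name="$Name" | Out-Null

# Tunnel-mode rule: traffic between this host and the remote LAN is protected
# end to end with the ASA as the far tunnel endpoint.
#   mmsecmethods  main mode (IKE phase 1): DH group 2, AES-128, SHA-1
#   qmsecmethods  quick mode (IPsec phase 2): ESP with SHA-1 integrity and
#                 AES-128 encryption, re-keyed every 60 min OR 2,000,000 KB,
#                 whichever comes first. The KB figure is set large on purpose:
#                 a small byte-count lifetime is what drives the rekey interval
#                 under two minutes on a fast link.
netsh advfirewall consec add rule name="$Name" `
    endpoint1="$LocalHost" endpoint2="$RemoteLan" `
    mode=tunnel localtunnelendpoint="$LocalHost" remotetunnelendpoint="$AsaOutside" `
    action=requireinrequireout `
    auth1=computerpsk auth1psk="$Psk" `
    mmsecmethods=dhgroup2:aes128-sha1 `
    qmsecmethods=esp:sha1-aes128+60min+2000000kb `
    qmpfs=none

# Verify the rule took the intended lifetimes, then watch the negotiated SAs.
netsh advfirewall consec show rule name="$Name" verbose
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The ASA side has to offer compatible phase 1 and phase 2 proposals and a lifetime no shorter than the one Windows proposes, otherwise the smaller value wins and the interval shrinks again; on ASA 8.3 the global knobs for that are `crypto ipsec security-association lifetime seconds` and `crypto ipsec security-association lifetime kilobytes` (or the per-crypto-map `set security-association lifetime` form). `netsh advfirewall monitor show qmsa` is the quickest way to confirm which lifetime actually got negotiated rather than what was configured.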