The information in this article applies to:
SUMMARY
This article explains two changes you need to make to Cisco Internetwork Operating System (IOS) to be able to establish an L2TP session with a Windows 2000 host computer.
MORE INFORMATION

The two changes you need to make are a hash configuration change and a filter configuration change.

Hash Configuration Change

The Cisco IOS IKE default policy includes SHA as the hash algorithm for Phase 1 negotiation of Internet Key Exchange (IKE) Security Associations (SAs). If you configure Windows 2000 to use MD5 as the hash algorithm (for integrity purposes) instead of SHA, you must configure IOS to accept MD5.

To view the IKE policy in the Cisco IOS, use the following command:

   router1#sh crypto isakmp policy

The default policy would look like:

   Default protection suite

In order to configure the Cisco IOS to accept MD5 as the IKE hash algorithm, you need to configure a new ISAKMP (IKE) policy. Type the following commands at the router enable prompt:

   router1#conf t

To confirm the changes, type:

   router1#sh crypto isakmp policy

   Protection suite of priority 1

Note that there is now a new ISAKMP policy with priority 1 (higher than the default) which includes the MD5 hash algorithm.

Filter Configuration Change

Windows 2000 automatically plumbs an output filter when initiating an L2TP tunnel as a client. The filter looks like this:

   source: W2K host, UDP port 1701

Normally the Cisco IOS expects to filter on traffic coming from any host to its IP address, UDP port 1701, in the following form:

   source: any

This looks like the following as a Cisco Access Control List (ACL):

   access-list 161 permit udp host <IOS IP Address> eq 1701 any

Because of this, you may receive a filter mismatch error message during negotiation. As a workaround, you need to modify the IOS filter to follow the same syntax as Windows 2000:

   access-list 161 permit udp host <IOS IP Address> any eq 1701

NOTE: This also applies to "Windows 2000 Gateway to IOS Gateway L2TP/IPSec tunneling" when Windows 2000 is the initiator. The same client filters get plumbed automatically (except that the filters are subnet based instead of IP-address specific).
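The two changes above, as one complete enable-mode session. This is an added example and not configuration from the original article or from Cisco; it assumes the hostname router1, ISAKMP policy priority 1 and access list 161 used in the article, and uses 192.0.2.1 as a constructed placeholder for the router's own (IOS) IP address.

```cisco
! Added example (not from the article): both IOS changes, typed from enable mode.
! Assumes hostname router1, ISAKMP priority 1 and ACL 161 as in the article;
! 192.0.2.1 is a constructed placeholder for the router's own IP address.
router1#configure terminal

! 1. Hash change: a new IKE policy at priority 1 is evaluated before the
!    default protection suite, so the MD5 proposal from Windows 2000 is accepted.
router1(config)#crypto isakmp policy 1
router1(config-isakmp)#hash md5
! Encryption, authentication, DH group and lifetime are left at their defaults
! here; the article covers only the hash attribute.
router1(config-isakmp)#exit

! 2. Filter change. Classic numbered ACLs cannot be edited entry by entry:
!    "no access-list 161" drops the whole list, so re-add any other entries
!    it contained after this step.
router1(config)#no access-list 161
! Mirror of the Windows 2000 client filter: from the router (any port)
! to the client's UDP port 1701, instead of from the router's port 1701 to any.
router1(config)#access-list 161 permit udp host 192.0.2.1 any eq 1701
router1(config)#end

! Verify: the new policy should appear as "Protection suite of priority 1"
! with hash algorithm MD5, ahead of the default suite.
router1#show crypto isakmp policy
router1#show access-lists 161
```

The order of the two ACL forms is the whole point of the filter change: IPsec peers must agree on the traffic selectors for the Phase 2 SA, and a selector that names UDP 1701 on the router side rather than the client side does not match what Windows 2000 proposes, which is what the filter mismatch error reports.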
For gateway-to-gateway implementations, you need to configure the Dial-on-Demand (DOD) interface in Windows 2000 as a Persistent connection because the Cisco IOS does not have demand-dial capabilities. If you do not configure a Persistent connection, the tunnel is established only when traffic is sent from the Windows 2000 host.

This information applies to Cisco IOS 12.0.5. Please contact Cisco support for updated or additional IOS information and check your IOS documentation before making modifications to your IOS configuration.

Additional query words: L2TP, IPSec, tunneling, ISAKMP, IKE, VPN, access-list, Cisco, configuration
Keywords: kb3rdparty kbenv nt5howto ntsecurity
Last Reviewed: January 31, 2000 © 2000 Microsoft Corporation. All rights reserved.