How to Configure Cisco IOS for L2TP/IPSec in Windows 2000

ID: Q249067

The information in this article applies to:

Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server

SUMMARY

This article explains two changes you need to make to Cisco Internetwork Operating System (IOS) to be able to establish an L2TP session with a Windows 2000 host computer.

NOTE: Please read your IOS documentation or contact Cisco support before you execute the commands referenced in this article. They may not apply to your IOS version.

MORE INFORMATION

The two changes you need to make are a hash and a filter configuration change.

Hash Configuration Change

Cisco IOS IKE default policy includes SHA as the hash algorithm for Phase 1 negotiation of Internet Key Exchange (IKE) Security Associations (SAs). If you configure Windows 2000 to use MD5 as the hash algorithm (for integrity purposes) instead of SHA, you must configure IOS to accept MD5.

To view the IKE policy in the Cisco IOS, use the following command:

"router1#sh crypto isakmp policy"

The default policy would look like:

Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

In order to configure the Cisco IOS to accept MD5 as the IKE hash algorithm, you need to configure a new ISAKMP(IKE) policy. Type the following commands at the router enable prompt:

router1#conf t
router1(config)#crypto isakmp policy 1
router1(config-isakmp)# hash md5
router1(config-isakmp)#end

To confirm the changes type:

router1#sh crypto isakmp policy

Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys). hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

Note that there is now a new ISAKMP policy with priority 1 (higher than the default) which includes the MD5 hash algorithm.

Filter Configuration change

Windows 2000 automatically plumbs an output filter when initiating an L2TP tunnel as a client. The filter looks like this:

source: W2K host, UDP port 1701
destination: any

Normally the Cisco IOS expects to filter on traffic coming from any host to its IP Address, UDP port 1701, in the following form:

source: any
destination: IOS, UDP port 1701

This looks like the following as a Cisco Access Control List (ACL):

access-list 161 permit udp host IOS IP Address eq 1701 any

Because of this, you may receive a filter mismatch error message during negotiation.

As a work-around, you need to modify the IOS filter to follow the same syntax as Windows 2000:

access-list 161 permit udp host IOS IP Address any eq 1701

NOTE: This also applies to "Windows 2000 Gateway to IOS Gateway L2TP/IPSec tunneling" when Windows 2000 is the initiator. The same client filters get plumbed automatically (except that the filters are subnet based instead of Ip-address specific). For gateway-to-gateway implementations, you need to configure the Dial-on-Demand (DOD) interface in Windows 2000 as a Persistent connection because the Cisco IOS does not have demand-dial capabilities. If you do not configure a Persistent connection, the tunnel is established only when traffic is sent from the Windows 2000 host.

This information applies to Cisco IOS 12.0.5. Please contact Cisco support for updated or additional IOS information and check your IOS documentation before making modifications to your IOS configuration.

Additional query words: L2TP, IPSec, tunneling, ISAKMP, IKE, VPN, access-list, Cisco, configuration

Keywords : kb3rdparty kbenv nt5howto ntsecurity
Version : WINDOWS:2000
Platform : WINDOWS
Issue type : kbinfo