Article ID: 249067 - Last Review: March 1, 2007 - Revision: 3.2

How to Configure Cisco IOS for L2TP/IPSec in Windows 2000

This article was previously published under Q249067

SUMMARY
This article explains two changes you need to make to Cisco Internetwork Operating System (IOS), in addition to the standard L2TP/IPSec configuration on the Cisco router, to be able to establish an L2TP session with a Windows 2000 host computer. Please check your Cisco router manuals to configure a standard L2TP/IPSec configuration.

NOTE: Please read your IOS documentation or contact Cisco support before you execute the commands referenced in this article. They may not apply to your IOS version.

MORE INFORMATION

The two changes you need to make are a hash configuration change and a filter configuration change.
Hash Configuration Change

The Cisco IOS IKE default policy includes SHA as the hash algorithm for Phase 1 negotiation of Internet Key Exchange (IKE) Security Associations (SAs). If you configure Windows 2000 to use MD5 as the hash algorithm (for integrity purposes) instead of SHA, you must configure IOS to accept MD5.

To view the IKE policy in the Cisco IOS, use the following command:

   router1#sh crypto isakmp policy

The default policy would look like:

   Default protection suite
           encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
           hash algorithm:         Secure Hash Standard
           authentication method:  Rivest-Shamir-Adleman Signature
           Diffie-Hellman group:   #1 (768 bit)
           lifetime:               86400 seconds, no volume limit

In order to configure the Cisco IOS to accept MD5 as the IKE hash algorithm, you need to configure a new ISAKMP (IKE) policy. Type the following commands at the router enable prompt:

   router1#conf t
   router1(config)#crypto isakmp policy 1
   router1(config-isakmp)#hash md5
   router1(config-isakmp)#end

To confirm the changes, type:

   router1#sh crypto isakmp policy

   Protection suite of priority 1
           encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
           hash algorithm:         Message Digest 5
           authentication method:  Rivest-Shamir-Adleman Signature
           Diffie-Hellman group:   #1 (768 bit)
           lifetime:               86400 seconds, no volume limit
   Default protection suite
           encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
           hash algorithm:         Secure Hash Standard
           authentication method:  Rivest-Shamir-Adleman Signature
           Diffie-Hellman group:   #1 (768 bit)
           lifetime:               86400 seconds, no volume limit

Note that there is now a new ISAKMP policy with priority 1 (higher than the default) which includes the MD5 hash algorithm.

Filter Configuration Change

Windows 2000 automatically plumbs an output filter when initiating an L2TP tunnel as a client. The filter looks like this:

   source:      W2K host, UDP port 1701
   destination: any

Normally the Cisco IOS expects to filter on traffic coming from any host to its IP address, UDP port 1701, in the following form:

   source:      any
   destination: IOS, UDP port 1701

This looks like the following as a Cisco Access Control List (ACL):

   access-list 161 permit udp host <IOS IP Address> eq 1701 any

Because of this, you may receive a filter mismatch error message during negotiation. As a work-around, you need to modify the IOS filter to follow the same syntax as Windows 2000:

   access-list 161 permit udp host <IOS IP Address> any eq 1701
NOTE: This also applies to "Windows 2000 Gateway to IOS Gateway L2TP/IPSec tunneling" when Windows 2000 is the initiator. The same client filters get plumbed automatically (except that the filters are subnet-based instead of IP-address-specific). For gateway-to-gateway implementations, you need to configure the Dial-on-Demand (DOD) interface in Windows 2000 as a Persistent connection because the Cisco IOS does not have demand-dial capabilities. If you do not configure a Persistent connection, the tunnel is established only when traffic is sent from the Windows 2000 host.
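As an added example (not part of the KB article), the following Python models the mirror-image check behind the filter mismatch described above: it parses access-list lines in host/any form, mirrors the Windows 2000 output filter into the filter the router must hold, and reports which of the two ACLs the router would accept. The addresses, the ACL number 161 taken from the article, and the rule that the responder accepts a peer proposal that is a subset of its ACL are assumptions.

```python
# Added example (not from the KB article): check whether a Cisco crypto ACL is the
# mirror image of the Windows 2000 L2TP output filter. Addresses are constructed.
from dataclasses import dataclass
@dataclass(frozen=True)
class UdpFilter:
    src: str        # IP address or "any"
    src_port: str   # UDP port or "any"
    dst: str
    dst_port: str
    def mirror(self) -> "UdpFilter":   # the peer's view: source and destination swapped
        return UdpFilter(self.dst, self.dst_port, self.src, self.src_port)

def parse_cisco_udp_acl(line: str) -> UdpFilter:
    """Parse 'access-list N permit udp <src> [eq P] <dst> [eq P]' (host/any only)."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[2:4] != ["permit", "udp"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    fields, i = [], 4
    for _ in range(2):                        # source, then destination
        tok = toks[i] if i < len(toks) else ""
        if tok == "any":
            addr, i = "any", i + 1
        elif tok == "host" and i + 1 < len(toks):
            addr, i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address near {tok!r}")
        port = "any"                          # no 'eq' means any port
        if i + 1 < len(toks) and toks[i] == "eq":
            port, i = toks[i + 1], i + 2
        fields += [addr, port]
    return UdpFilter(*fields)

def to_cisco_acl(f: UdpFilter, number: int = 161) -> str:
    """Render a filter in the access-list syntax the article uses."""
    def addr(a): return "any" if a == "any" else f"host {a}"
    def port(p): return "" if p == "any" else f" eq {p}"
    return f"access-list {number} permit udp {addr(f.src)}{port(f.src_port)} {addr(f.dst)}{port(f.dst_port)}"

def acl_covers(acl: UdpFilter, needed: UdpFilter) -> bool:
    """Each `needed` field equals the ACL field or the ACL field is 'any' (assumed subset-of-ACL acceptance)."""
    return all(a in ("any", n) for a, n in zip(
        (acl.src, acl.src_port, acl.dst, acl.dst_port),
        (needed.src, needed.src_port, needed.dst, needed.dst_port)))

# Constructed scenario: Windows 2000 client 192.0.2.10, Cisco router 198.51.100.1.
W2K_OUTPUT_FILTER = UdpFilter("192.0.2.10", "1701", "198.51.100.1", "any")
ROUTER_NEEDS = W2K_OUTPUT_FILTER.mirror()
ACL_DEFAULT = "access-list 161 permit udp host 198.51.100.1 eq 1701 any"  # mismatch
ACL_FIXED = "access-list 161 permit udp host 198.51.100.1 any eq 1701"    # accepted
```

Running acl_covers() on ACL_DEFAULT reports a mismatch (source port 1701 where the Windows filter expects any port), while ACL_FIXED is accepted.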
This information applies to Cisco IOS 12.0.5. Please contact Cisco support for updated or additional IOS information and check your IOS documentation before making modifications to your IOS configuration.