This behavior does not occur on a computer that is running Windows XP or Windows Server 2003.
When the Cisco ASA Series VPN server performs a L2TP/IPsec negotiation, the server uses the message ID to identify the client. This negotiation is a phase 2 quick-mode negotiation. However, in a quick-mode negotiation, all Windows Vista-based VPN clients use the same message ID for their initial messages. Therefore, when a Windows Vista-based VPN client connects to a VPN server, message IDs from other Windows Vista-based VPN clients are considered duplicate IDs. Therefore, the VPN server refuses the other connections.
Windows Vista uses a monotonically increasing sequence number for phase 2 quick mode negotiation. This behavior more strictly verifies incoming message IDs from different Windows Vista-based computers. This behavior also helps prevent untrusted phase 2 replay attacks. Random message IDs cannot be used to effectively implement such attacks.
To view the RFC document for the Internet Key Exchange (IKE), visit the following IETF Web site:The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
Article ID: 942429 - Last Review: Oct 21, 2008 - Revision: 1