MORE INFORMATION
The two changes you need to make are a hash and a filter configuration change.
Hash Configuration Change
Cisco IOS IKE default policy includes SHA as the hash algorithm for Phase 1 negotiation of Internet Key Exchange (IKE) Security Associations (SAs). If you configure Windows 2000 to use MD5 as the hash algorithm (for integrity purposes) instead of SHA, you must configure IOS to accept MD5.
To view the IKE policy in the Cisco IOS, use the following command:
"router1#sh crypto isakmp policy"
The default policy would look like:
Default protection suite
encryption algorithm:
DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
In order to configure the Cisco IOS to accept MD5 as the IKE hash algorithm, you need to configure a new ISAKMP(IKE) policy. Type the following commands at the router enable prompt:
router1#conf t
router1(config)#crypto isakmp policy 1
router1(config-isakmp)# hash md5
router1(config-isakmp)#end
To confirm the changes type:
router1#sh crypto isakmp policy
Protection suite of priority 1
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
Note that there is now a new ISAKMP policy with priority 1 (higher than the default) which includes the MD5 hash algorithm.
Filter Configuration change
Windows 2000 automatically plumbs an output filter when initiating an L2TP tunnel as a client. The filter looks like this:
source: W2K host, UDP port 1701
destination: any
Normally the Cisco IOS expects to filter on traffic coming from any host to its IP Address, UDP port 1701, in the following form:
source: any
destination: IOS, UDP port 1701
This looks like the following as a Cisco Access Control List (ACL):
access-list 161 permit udp host IOS IP Address eq 1701 any
Because of this, you may receive a filter mismatch error message during negotiation.
As a work-around, you need to modify the IOS filter to follow the same syntax as Windows 2000:
access-list 161 permit udp host IOS IP Address any eq 1701
NOTE: This also applies to "Windows 2000 Gateway to IOS Gateway L2TP/IPSec tunneling" when Windows 2000 is the initiator. The same client filters get plumbed automatically (except that the filters are subnet based instead of Ip-address specific). For gateway-to-gateway implementations, you need to configure the Dial-on-Demand (DOD) interface in Windows 2000 as a Persistent connection because the Cisco IOS does not have demand-dial capabilities. If you do not configure a Persistent connection, the tunnel is established only when traffic is sent from the Windows 2000 host.
This information applies to Cisco IOS 12.0.5. Please contact Cisco support for updated or additional IOS information and check your IOS documentation before making modifications to your IOS configuration.