Windows 7 IPSec/IKE proposal algorithms
(It was recommended to me to post this question here by forum Support at the original post)

Hello, I've set up an L2TP/IPsec transport mode VPN with 2-3 Windows 7 Ultimate x64 clients using no 3rd party VPN client for testing. Establishing connections works fine with 3DES-SHA1 or AES256-SHA1 in the server's phase 1 and 2 proposal, as they are in the clients' proposal.

Is it possible to get Windows 7 to send a proposal that doesn't look exactly like below? I'd like to set the algorithms proposed by the client used for both phases myself and have tried to edit the WFAS IPsec settings, but they don't appear to have any influence whatsoever in this case (only working for WFAS policy based IPsec-only connections?). For example, I've added aes256/sha384 dh 14 to the firewall and WFAS configuration for main mode, then connected -> again 3des-sha1 in main mode SA.

According to http://technet.microsoft.com/en-us/library/dd125380%28v=ws.10%29.aspx quite a variety of algorithms is supported by Windows 7.

-------------------------------------------------------------------------------------------------------
ike 0:Phase1-L2TP:84: incoming proposal:
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=2048.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=2048.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=1024.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
-------------------------------------------------------------------------------------------------------

Additionally, when setting the (main mode) Diffie-Hellman Group to 2 on the server, it works. Set to 14 only, it doesn't (error 789). Set to 2 and 14 it works and the SA-monitoring entry in WF.msc shows 14 being used.

I'm also unable to set a custom phase 2 key lifetime in time/kbs. 60min/250000kb must be configured on the server, otherwise Windows 7 aborts phase 2 negotiation (another error 789).

Can these settings be adapted, and if so, how? All ideas much appreciated.
August 18th, 2012 4:07am
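
An added example, not part of the original post: a small parser for debug output in the format quoted in the question, which lists the transforms the client offers and models how a responder can only pick from what was offered. It is a simplified model that compares encryption, hash and DH group only and takes the first match; the function names, the sample policies and the first-match rule are assumptions, and the sample log is constructed to mirror the three transforms in the post.

```python
import re

PREFIX = "ike 0:Phase1-L2TP:84: "

def _transform(enc, group):
    # One transform as it appears in the quoted debug output.
    return ["proposal id = 0:", "protocol id = ISAKMP:",
            f"type=OAKLEY_ENCRYPT_ALG, val={enc}.",
            "type=OAKLEY_HASH_ALG, val=SHA.",
            "type=AUTH_METHOD, val=PRESHARED_KEY.",
            f"type=OAKLEY_GROUP, val={group}.",
            "ISKAMP SA lifetime=28800"]

# Constructed sample mirroring the three transforms in the question's log.
SAMPLE = "\n".join(PREFIX + l for l in
    ["incoming proposal:"] + _transform("AES_CBC", "2048")
    + _transform("3DES_CBC", "2048") + _transform("3DES_CBC", "1024"))

ATTR = re.compile(r"type=(\w+), val=(\w+)")
LIFETIME = re.compile(r"SA lifetime=(\d+)")

def parse_transforms(log):
    """Split the debug output into one dict of attributes per offered transform."""
    transforms = []
    for line in log.splitlines():
        if "proposal id =" in line:
            transforms.append({})
        elif transforms:
            if (m := ATTR.search(line)):
                transforms[-1][m.group(1)] = m.group(2)
            elif (m := LIFETIME.search(line)):
                transforms[-1]["LIFETIME"] = int(m.group(1))
    return transforms

def select_transform(offered, acceptable):
    """Index of the first offered transform whose (encryption, hash, group)
    is in the responder's acceptable set, or None if nothing matches."""
    for i, t in enumerate(offered):
        key = (t.get("OAKLEY_ENCRYPT_ALG"), t.get("OAKLEY_HASH_ALG"),
               t.get("OAKLEY_GROUP"))
        if key in acceptable:
            return i
    return None

if __name__ == "__main__":
    offered = parse_transforms(SAMPLE)
    for i, t in enumerate(offered):
        print(i, t)
    print(select_transform(offered, {("3DES_CBC", "SHA", "1024")}))
    print(select_transform(offered, {("AES_CBC", "SHA384", "2048")}))
```

A server policy that lists only combinations absent from the client's offer yields no match in this model, which is why the proposal has to change on the client side for such a policy to negotiate.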

Hi, Thank you for your question. I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience. Thank you for your understanding and support. Best Regards, Aiden
Aiden Cao, TechNet Community Support
August 21st, 2012 1:09am

Hi Michael, The issue you get should be a development issue. I suggest that you create a case to Microsoft to meet your requirement. http://support.microsoft.com/select/default.aspx?target=hub&c1=508& Best Regards Scott Xie
August 21st, 2012 4:10am

