Windows 7 IPSec/IKE proposal algorithms
Hello, I've set up an L2TP/IPsec VPN connection on 2-3 Windows 7 Ultimate x64 clients for testing. Establishing connections works fine with 3DES-SHA1 in the server's phase 1 proposal. Is it possible to get Windows 7 to send a phase 1 proposal that doesn't look exactly like the one below? I'd like to set the algorithms proposed by the client for both phases myself and have tried to edit the WFAS IPsec settings, but they don't appear to have any influence whatsoever in this case. (Only working for policy-based IPsec-only connections?)

-------------------------------------------------------------------------------------------------------
ike 0:Phase1-L2TP:84: incoming proposal:
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=2048.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=2048.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=1024.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
-------------------------------------------------------------------------------------------------------

Additionally, when setting the Diffie-Hellman group to 2 on the server, it works. Set to 14, it doesn't (error 789). Set to 2 and 14, it works, and the SA entry in WF.msc shows 14 being used. How can these settings be adapted?

I'm also unable to set a custom phase 2 key lifetime in time/kB. 60 min/250000 kB must be configured on the server, otherwise Windows 7 aborts phase 2 negotiation (another error 789). The WFAS dialogs say 60 min/100000 kB.

All ideas much appreciated.
August 10th, 2012 8:18am
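As an added example (not part of the thread, and not code from Microsoft or the firewall vendor), the script below parses the phase 1 proposal dump quoted in the post into a list of transforms, rates each one from a defender's point of view (3DES and MODP-1024 flagged as weak, SHA-1 as legacy), and models why the server's Diffie-Hellman setting decides which proposal gets used. The sample log is a copy of the post's output with one entry per line; the log format is assumed to be the "ike 0:<phase1 name>:<seq>:" style shown in the post. The `responder_choice` function is an assumed model of the IKEv1 responder rule (first proposal in the initiator's order whose attributes the responder accepts), not the server's actual code.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the three phase-1 proposals quoted in the post,
# one debug line per text line (the prefix "ike 0:Phase1-L2TP:84:" is kept).
SAMPLE_LOG = """\
ike 0:Phase1-L2TP:84: incoming proposal:
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=2048.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=2048.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
ike 0:Phase1-L2TP:84: proposal id = 0:
ike 0:Phase1-L2TP:84: protocol id = ISAKMP:
ike 0:Phase1-L2TP:84: trans_id = KEY_IKE.
ike 0:Phase1-L2TP:84: encapsulation = IKE/none
ike 0:Phase1-L2TP:84: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:Phase1-L2TP:84: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:Phase1-L2TP:84: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:Phase1-L2TP:84: type=OAKLEY_GROUP, val=1024.
ike 0:Phase1-L2TP:84: ISKAMP SA lifetime=28800
"""

PREFIX_RE = re.compile(r"^ike \d+:[^:]+:\d+:\s*(?P<body>.*)$")
PROPOSAL_RE = re.compile(r"^proposal id = (?P<id>\d+):$")
ATTR_RE = re.compile(r"^type=(?P<type>\w+), val=(?P<val>\w+)\.$")
# The debug output spells it "ISKAMP"; accept the correct spelling as well.
LIFETIME_RE = re.compile(r"^IS(?:KAMP|AKMP) SA lifetime=(?P<secs>\d+)$")

# Defender's rating of the values that occur in this log format.
# "SHA" is SHA-1; 1024 is MODP-1024 (DH group 2); 2048 is group 14.
RATINGS = {
    ("OAKLEY_ENCRYPT_ALG", "DES_CBC"): "weak: single DES",
    ("OAKLEY_ENCRYPT_ALG", "3DES_CBC"): "weak: 3DES (64-bit block, deprecated)",
    ("OAKLEY_HASH_ALG", "MD5"): "weak: MD5",
    ("OAKLEY_HASH_ALG", "SHA"): "legacy: SHA-1 PRF/integrity",
    ("OAKLEY_GROUP", "768"): "weak: MODP-768 (DH group 1)",
    ("OAKLEY_GROUP", "1024"): "weak: MODP-1024 (DH group 2)",
}


def parse_proposals(text: str) -> List[Dict[str, str]]:
    """Return one dict per transform, in the order the initiator sent them."""
    proposals: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue  # not an IKE debug line
        body = m.group("body")
        if PROPOSAL_RE.match(body):
            current = {}
            proposals.append(current)
            continue
        if current is None:
            continue  # header lines before the first "proposal id"
        if (a := ATTR_RE.match(body)):
            current[a.group("type")] = a.group("val")
        elif (lt := LIFETIME_RE.match(body)):
            current["SA_LIFETIME_SECS"] = lt.group("secs")
    return proposals


def audit_proposal(p: Dict[str, str]) -> List[str]:
    """List the weak or legacy attributes of one transform."""
    return [f"{k}={v}: {RATINGS[(k, v)]}" for k, v in p.items() if (k, v) in RATINGS]


def responder_choice(proposals: List[Dict[str, str]],
                     accepted: Dict[str, set]) -> Optional[int]:
    """Assumed IKEv1 responder rule: pick the first proposal, in the
    initiator's order, whose attributes all lie in the responder's accepted
    sets. Attributes the responder does not constrain always pass."""
    for i, p in enumerate(proposals):
        if all(p.get(k) in vals for k, vals in accepted.items()):
            return i
    return None


if __name__ == "__main__":
    props = parse_proposals(SAMPLE_LOG)
    for i, p in enumerate(props):
        print(f"proposal {i}: {p}")
        for finding in audit_proposal(p):
            print("   ", finding)
    # Server configured for 3DES with DH group 2 only, then 14 only, then both.
    for groups in ({"1024"}, {"2048"}, {"1024", "2048"}):
        pick = responder_choice(props, {"OAKLEY_ENCRYPT_ALG": {"3DES_CBC"},
                                        "OAKLEY_GROUP": groups})
        print(f"server groups {sorted(groups)} -> proposal {pick}")
```

Run against the post's dump, the model picks the 3DES/MODP-1024 transform when the server allows only group 2, the 3DES/MODP-2048 transform when it allows group 14 or both groups (which is why the SA entry shows 14 when both are enabled), and nothing at all if the server insists on AES with group 2, since the client never offers that combination.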

