Hi Mikael,

I checked with the people doing our IPSEC interoperability 
testing.  They've done lots of work with Win2k.

The Microsoft Win2k client supports transport and tunnel mode IKE/IPsec and 
is fully interoperable with Cisco IOS.

You do NOT need to use L2TP to interoperate securely with Cisco IOS.  The 
advantages L2TP provides are user-level authentication (via 
PPP-CHAP/PAP/MS-CHAP) and virtual addressing (a biggie for VPNs). The 
user-level auth is _in_addition_to the IKE authentication scheme. Also, 
L2TP makes configuration considerably harder.  If you are going to do L2TP 
& IPSEC, the recommendation is to carefully review the canned policies that 
ship with Win2k, and reference the tech tips by Microsoft.

Win2k in tunnel mode can protect a single peer or multiple hosts & subnets 
and can terminate multiple tunnels simultaneously. It provides pre-shared 
key, certificate, or Kerberos authentication for IKE, and supports DES, 
3DES, MD5 and SHA hash/encryption algorithms.  It's fully configurable via 
the IPSec snap-in for Microsoft Management Console.

In general, someone who is not a Microsoft fan at all, nearly raved about it.

But yeah, if the answer had been NO, then it would have sucked.  But the 
answer is YES, and that doesn't suck.  ;)

And yeah, I realize that I'm using Cisco IOS as the test for IPSEC 
interoperability.  I'm Cisco centric.  It's what we've done our testing with.

Hope that helps,

Lisa Napier
Product Security Incident Response Team
Cisco Systems
http://www.cisco.com/warp/public/707/sec_incident_response.shtml


At 02:45 PM 1/17/2000 +0100, Mikael Olsson wrote:

>Hi,
>
>I was previously of the view "Great! IPsec in Win2K - now we won't
>have to install separate clients in all PCs!", but I'm having
>doubts.
>
>(Note: This is not MS-bashing. I'm just a concerned netizen)
>
>Relevant excerpts from
>http://www.microsoft.com/WINDOWS2000/guide/server/solutions/vpn.asp
>
>"Integrating L2TP with IPSec encryption provides a very secure, end-to-end,
>standards-based solution for remote networking clients."
>
>Ehm. Is this just me, or are they glossing over the fact that L2TP is
>not very widely deployed? Okay, it _is_ "standards-based", but we're
>still talking widely deployed here.
>
>"This adherence to Internet standards allows greater interoperability
>across standards-compliant systems, providing user authenticity, privacy,
>and data integrity."
>
>Ehm.. User authentication is not a part of IPsec yet, if my memory
>serves me? (There IS a draft, but that's nowhere near final, right?)
>Is this L2TP magic again?
>
>So, to the core of the question:
>
>Does anyone know if it's possible to run Win2K in IPsec-only mode,
>so that Win2K clients can connect via "normal" IPsec gateways?
>
>and,
>
>If not, doesn't that suck big time? =P
>
>Hmm, no, don't answer the last one if the answer is "yes". Rather,
>if IPsec-only is impossible and you feel that it's great,
>I'd really rather know WHY it's great?
>
>TIA
>
>/Mike
>
>--
>Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
>Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
>Mobile: +46 (0)70 248 00 33
>WWW: http://www.enternet.se        E-mail: [EMAIL PROTECTED]
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]

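A worked illustration of the IPsec-only interoperation Lisa describes, added here as an example and not taken from the thread or from Cisco or Microsoft documentation: the Cisco IOS side of a tunnel-mode, pre-shared-key IKE/IPsec tunnel to a Win2k peer, using the 3DES and SHA options she lists rather than the weaker DES and MD5. The peer address 203.0.113.10, the 10.10.0.0/16 protected network, the interface name, the policy and map names, the DH group, and the placeholder pre-shared key are all constructed assumptions; the matching filter list, key and algorithms would be entered on the Win2k side in the IPSec MMC snap-in the message mentions.

```cisco
! --- Added example (not from the thread or vendor docs); all names,
! --- addresses and the key below are constructed placeholders.

! Phase 1: IKE/ISAKMP policy. Every value here must match what the
! Win2k IPSec policy proposes for key exchange.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
! Pre-shared key for the Win2k peer (assumed address). Replace the
! placeholder with a long random secret; the same secret goes into
! the Win2k policy's authentication method.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
!
! Phase 2: ESP with 3DES encryption and SHA-1 HMAC integrity,
! tunnel mode, as Lisa's message says Win2k supports.
crypto ipsec transform-set WIN2K-TS esp-3des esp-sha-hmac
 mode tunnel
!
! Bind peer, proposal and traffic selector together.
crypto map WIN2K-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set WIN2K-TS
 match address 101
!
! Traffic selector: the assumed internal /16 to the Win2k host.
! The Win2k filter list must be the exact mirror image of this.
access-list 101 permit ip 10.10.0.0 0.0.255.255 host 203.0.113.10
!
! Apply the crypto map on the outside interface (assumed name).
interface Serial0/0
 crypto map WIN2K-MAP
```

The phase 1 policy and the transform set must agree with what the Win2k policy proposes, and the access list must mirror the Win2k filter list exactly, or negotiation fails with no tunnel. Once traffic matching the selector is sent, `show crypto isakmp sa` and `show crypto ipsec sa` on the router confirm that the IKE and IPsec SAs came up and show the negotiated algorithms.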