Could you please include (sanitised if necessary):
Win2k logs
PIX debugs
relevant PIX config fragments?
I'd be interested in taking a look, if only for my own future reference.
I have the relevant equipment sitting nearby, so in extremis I might be able
to replicate your problem. "Invalid key exchange type" isn't a real error -
it's probably just INVALID-EXCHANGE-TYPE, which refers to the key exchange
algorithm (DH, RSA, etc etc). If you're trying to do interop I'd guess that
you want DH, but that's without looking at any real configs.
Cheers,
--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 11 January 2001 6:20
> To: [EMAIL PROTECTED]
> Subject: PIX & Win2K IPSec
>
>
> Hello All,
> I'm having a heck of a time getting the Win2K IPSec client (Native
> Win2K) to establish a tunnel with my PIX firewall. Has anyone successfully
> done this? Some of the basic facts are:
>
> PIX OS: 5.3(1)
> Pre-Shared Keys (At least for now)
> ESP Integrity=MD5
> ESP Encryption=DES
> Hash=MD5
> Diffie-Hellman Group 1
> Win2K SP1
> Have set up both in-bound and out-bound tunnels, security policy for both.
>
> On Win2K side, looking at debug logs, I can see it establish the tunnel, go
> (successfully) through phase one negotiation using Oakley Main Mode, but
> then, during phase two, it uses Oakley Quick Mode, and the log indicates an
> invalid key exchange type. Of course, it then tears down the tunnel. MS
> has been mostly unhelpful, and Cisco does not have the quick answer either.
> However, they both swear it will work.
>
> Any insight to this problem would be very helpful,
> TIA,
>
> Trevor K. Wilson
> Network Architect
> (i) Structure
> A Level 3 Communications Company
> (480) 775-3125
> (888) 627-9956 Pager
> [EMAIL PROTECTED]
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>