The sad news here folks is the PIX does not support L2TP.  You can get it
working on a Cisco router which is more flexible. You can make it work with
PPTP but I find it has performance problems. The VPN client Brian Ford
talked about is still in beta and they said it should be in final release in
late 1st quarter or later. It will work against the Cisco router, PIX and
VPN 3000 concentrator. In the future they plan to have one that works with
the VPN 5000. Also, as Brian said, the next major software upgrade should
include support for L2TP.

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 4:10 PM
To: '[EMAIL PROTECTED]'
Cc: [EMAIL PROTECTED]
Subject: RE: PIX & Win2K IPSec


Could you please include (sanitised if necessary):
Win2k logs
PIX debugs
relevant PIX config fragments?

I'd be interested in taking a look, if only for my own future reference.

I have the relevant equipment sitting nearby, so in extremis I might be able
to replicate your problem. "Invalid key exchange type" isn't a real error -
it's probably just INVALID-EXCHANGE-TYPE, which refers to the key exchange
algorithm (DH, RSA, etc etc). If you're trying to do interop I'd guess that
you want DH, but that's without looking at any real configs.

Cheers,

--
Ben Nagy
Marconi Services
Network Integration Specialist
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 11 January 2001 6:20 
> To: [EMAIL PROTECTED]
> Subject: PIX & Win2K IPSec
> 
> 
> Hello All,
>       I'm having a heck of a time getting the Win2K IPSec client (Native
> Win2K) to establish a tunnel with my PIX firewall.  Has anyone successfully
> done this?  Some of the basic facts are:
> 
> PIX OS: 5.3(1)
> Pre-Shared Keys (At least for now)
> ESP Integrity=MD5
> ESP Encryption=DES 
> Hash=MD5
> Diffie-Hellman Group 1
> Win2K SP1
> Have set up both in-bound and out-bound tunnels, security policy for both.
> 
> On Win2K side, looking at debug logs, I can see it establish the tunnel, go
> (successfully) through phase one negotiation using Oakley Main Mode, but
> then, during phase two, it uses Oakley Quick Mode, and the log indicates an
> invalid key exchange type.  Of course, it then tears down the tunnel.  MS
> has been mostly unhelpful, and Cisco does not have the quick answer either.
> However, they both swear it will work.
> 
> Any insight to this problem would be very helpful,
> TIA,
> 
> Trevor K. Wilson
> Network Architect
> (i) Structure
> A Level 3 Communications Company
> (480) 775-3125
> (888) 627-9956 Pager
> [EMAIL PROTECTED]
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 