The question was about pure IPSec tunnel mode, not about L2TP+IPSec.
Officially, we don't support pure IPSec tunnel mode for
client-to-gateway configurations unless the client has an IP address
that's routable on the network behind the gateway. Pure IPSec tunnel
mode doesn't have any way of assigning tunnel end-point IP addresses to
clients, thus the need for L2TP or some other kind of VPN client shim.
Trevor, what's the scenario for your test case? Does the client have an
address that's routable on the network behind the PIX? We've got some
specific interoperability config info I can forward to you.
_______________________________________________________
Steve Riley
Microsoft Communications Consulting in Denver, Colorado
[EMAIL PROTECTED]
+1 303 521-4129 (OLD mobile)
www.microsoft.com/isn/
Applying computer technology is simply finding the right wrench to pound
in the correct screw.
-----Original Message-----
From: Brian Ford [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 10:16 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: PIX & Win2K IPSec
Trevor,
The PIX OS version you are using supports MS PPTP connectivity to the
PIX. Configuration details for MS PPTP to PIX 5.3 are discussed in the
PIX 5.3 release notes.
MS Windows 2000 L2TP / IPSec client to PIX connectivity is planned for
the next release of PIX OS.
You can configure the Windows 2000 PC equipped with the Cisco VPN client
to connect to the PIX v5.3 using IPSec. We have several configuration
examples for MS Windows 2000 with Cisco VPN client to PIX available for
download from Cisco Connection Online (http://www.cisco.com).
Regards,
Brian
>Date: Thu, 11 Jan 2001 00:49:41 -0700
>From: [EMAIL PROTECTED]
>Subject: PIX & Win2K IPSec
>
>
>Hello All,
> I'm having a heck of a time getting the Win2K IPSec client (Native
>Win2K) to establish a tunnel with my PIX firewall. Has anyone
>successfully done this? Some of the basic facts are:
>
>
>PIX OS: 5.3(1)
>Pre-Shared Keys (At least for now)
>ESP Integrity=MD5
>ESP Encryption=DES
>Hash=MD5
>Diffie-Hellman Group 1
>Win2K SP1
>Have set up both in-bound and out-bound tunnels, security policy for
>both.
>
>
>On Win2K side, looking at debug logs, I can see it establish the
>tunnel, go (successfully) through phase one negotiation using Oakley
>Main Mode, but then, during phase two, it uses Oakley Quick Mode, and
>the log indicates an invalid key exchange type. Of course, it then
>tears down the tunnel. MS has been mostly unhelpful, and Cisco does not
>have the quick answer either. However, they both swear it will work.
>
>
>Any insight to this problem would be very helpful,
>TIA,
>
>
>Trevor K. Wilson
>Network Architect
>(i) Structure
>A Level 3 Communications Company
>(480) 775-3125
>(888) 627-9956 Pager
>[EMAIL PROTECTED]
Brian Ford
Consulting Engineer
Cisco Systems Inc.
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]