Steve,
The scenario is pretty straightforward.
1. Pure IPSec tunnel through the I-net (set up using the MMC snap-in, yada yada yada)
2. Client to Gateway, PIX is gateway
3. Globally unique address (client side) to unique address (outside int on PIX), NAT to RFC 1918 address space on the inside
4. Have set up both in-bound and out-bound tunnels, specified end points and sub-nets
Conceptually, quite simple, but...
Still, all other issues aside (routing and such) I still cannot get the tunnel to establish. Again, by viewing the logs, I see phase one of the tunnel initiation complete successfully, only to fail during phase two. The error: invalid exchange type, while using Oakley quick mode.
Thank you all for sparing the cycles to help,
Trevor K. Wilson
Network Architect
(i) Structure
(480) 775-3125
(888) 627-9956 pager
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
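The "invalid exchange type" that Trevor's Win2K log reports refers to the exchange-type byte in the fixed ISAKMP header that every IKE message carries (RFC 2408 section 3.1); Main Mode and Quick Mode are just different values of that byte, and the log is saying the peer sent a value it did not expect at that point in the negotiation. The script below is an added example, not code from any message in this thread, from Cisco or from Microsoft. It decodes the 28-byte header, names the exchange type (Main Mode = 2; Quick Mode = 32 in the IPsec DOI, RFC 2409), assigns it to phase 1 or phase 2, and flags two things a troubleshooter would want to see: a reserved or unknown exchange type, and a message ID inconsistent with the phase (zero in phase 1, non-zero in phase 2). The three sample headers are constructed inline; they are not captured from Trevor's PIX or Win2K client.

```python
"""Decode the fixed ISAKMP header and classify the exchange type (RFC 2408 / RFC 2409).

Added example for the thread above; sample headers are constructed, not captured.
"""
import struct

# Fixed ISAKMP header layout, RFC 2408 section 3.1:
#   initiator cookie (8) | responder cookie (8) | next payload (1) |
#   version (1: major<<4 | minor) | exchange type (1) | flags (1) |
#   message ID (4) | total length (4)
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

# Generic exchange types from RFC 2408 plus the IPsec DOI values from RFC 2409.
# Values 6-31 are reserved for future ISAKMP use; anything else unlisted is DOI-specific or private.
EXCHANGE_TYPES = {
    0: "NONE",
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
    32: "Quick Mode",
    33: "New Group Mode",
}
PHASE_1 = {1, 2, 4}   # exchanges that establish the ISAKMP SA
PHASE_2 = {32}        # Quick Mode establishes the IPsec SAs

FLAG_ENCRYPT = 0x01   # payloads after the header are encrypted under the ISAKMP SA
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04


def build_isakmp_header(exchange_type, message_id, flags=0, next_payload=1, body_len=0,
                        icookie=b"\x11" * 8, rcookie=b"\x22" * 8):
    """Pack a header; used here only to construct sample input (version fixed at 1.0)."""
    return struct.pack(HEADER_FMT, icookie, rcookie, next_payload, 0x10,
                       exchange_type, flags, message_id, HEADER_LEN + body_len)


def parse_isakmp_header(data):
    """Return the decoded header fields plus a list of consistency problems found."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header: %d bytes" % len(data))
    icookie, rcookie, next_payload, version, exch, flags, msg_id, length = \
        struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    name = EXCHANGE_TYPES.get(exch)
    phase = 1 if exch in PHASE_1 else (2 if exch in PHASE_2 else None)
    problems = []
    if name is None:
        problems.append("invalid exchange type %d" % exch)
    # RFC 2409: message ID is zero during phase 1 and a unique non-zero value in phase 2.
    if phase == 1 and msg_id != 0:
        problems.append("phase 1 exchange with non-zero message ID")
    if phase == 2 and msg_id == 0:
        problems.append("Quick Mode with zero message ID")
    if length < HEADER_LEN:
        problems.append("length field %d smaller than header" % length)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": next_payload,
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "exchange_type": exch,
        "exchange_name": name or "unknown/reserved",
        "phase": phase,
        "encrypted": bool(flags & FLAG_ENCRYPT),
        "message_id": msg_id,
        "length": length,
        "problems": problems,
    }


# Constructed sample headers (not captured traffic): the first Main Mode message
# (next payload = SA), a Quick Mode message (encrypted, next payload = HASH),
# and a message carrying reserved exchange type 7.
SAMPLES = {
    "main_mode": build_isakmp_header(2, 0),
    "quick_mode": build_isakmp_header(32, 0x1A2B3C4D, flags=FLAG_ENCRYPT, next_payload=8),
    "reserved": build_isakmp_header(7, 0x1A2B3C4D, flags=FLAG_ENCRYPT),
}


def classify_samples():
    """Decode every constructed sample; keyed by sample name."""
    return {name: parse_isakmp_header(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fields in classify_samples().items():
        print("%-10s type=%-3d %-32s phase=%s msg_id=0x%08x problems=%s" % (
            name, fields["exchange_type"], fields["exchange_name"],
            fields["phase"], fields["message_id"], fields["problems"]))
```

When reading a Win2K Oakley log or a PIX `debug crypto isakmp` trace against this table, a phase 1 that completes and a phase 2 that dies on "invalid exchange type" means the two peers disagree about what should follow Main Mode: the header shows type 32 (Quick Mode) with a non-zero message ID arriving at a peer that is not prepared to run Quick Mode for that SA, which is exactly the symptom Steve's reply attributes to pure tunnel-mode client-to-gateway setups lacking an address routable behind the gateway.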
-----Original Message-----
From: Steve Riley (MCS) [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 12:53 PM
To: Brian Ford; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: PIX & Win2K IPSec
The question was about pure IPSec tunnel mode, not about L2TP+IPSec.
Officially, we don't support pure IPSec tunnel mode for client-to-gateway configurations unless the client has an IP address that's routable on the network behind the gateway. Pure IPSec tunnel mode doesn't have any way of assigning tunnel end-point IP addresses to clients, thus the need for L2TP or some other kind of VPN client shim.
Trevor, what's the scenario for your test case? Does the client have an address that's routable on the network behind the PIX? We've got some specific interoperability config info I can forward to you.
_______________________________________________________
Steve Riley
Microsoft Communications Consulting in Denver, Colorado
[EMAIL PROTECTED]
+1 303 521-4129 (OLD mobile)
www.microsoft.com/isn/
Applying computer technology is simply finding the right wrench to pound in the correct screw.
-----Original Message-----
From: Brian Ford [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 10:16 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: PIX & Win2K IPSec
Trevor,
The PIX OS version you are using supports MS PPTP connectivity to the PIX. Configuration details for MS PPTP to PIX 5.3 are discussed in the PIX 5.3 release notes.
MS Windows 2000 L2TP / IPSec client to PIX connectivity is planned for the next release of PIX OS.
You can configure the Windows 2000 PC equipped with the Cisco VPN client to connect to the PIX v5.3 using IPSec. We have several configuration examples for MS Windows 2000 with Cisco VPN client to PIX available for download from Cisco Connection Online (http://www.cisco.com).
Regards,
Brian
>Date: Thu, 11 Jan 2001 00:49:41 -0700
>From: [EMAIL PROTECTED]
>Subject: PIX & Win2K IPSec
>
>
>Hello All,
> I'm having a heck of a time getting the Win2K IPSec client (Native Win2K) to establish a tunnel with my PIX firewall. Has anyone successfully done this? Some of the basic facts are:
>
>
>PIX OS: 5.3(1)
>Pre-Shared Keys (At least for now)
>ESP Integrity=MD5
>ESP Encryption=DES
>Hash=MD5
>Diffie-Hellman Group 1
>Win2K SP1
>Have set up both in-bound and out-bound tunnels, security policy for both.
>
>
>On Win2K side, looking at debug logs, I can see it establish the tunnel, go (successfully) through phase one negotiation using Oakley Main Mode, but then, during phase two, it uses Oakley Quick Mode, and the log indicates an invalid key exchange type. Of course, it then tears down the tunnel. MS has been mostly unhelpful, and Cisco does not have the quick answer either.
>However, they both swear it will work.
>
>
>Any insight to this problem would be very helpful,
>TIA,
>
>
>Trevor K. Wilson
>Network Architect
>(i) Structure
>A Level 3 Communications Company
>(480) 775-3125
>(888) 627-9956 Pager
>[EMAIL PROTECTED]
Brian Ford
Consulting Engineer
Cisco Systems Inc.
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]