Yep, I used practically the exact config given for the VPN 3000 client
(none of the vpdn or isakmp commands) and it works. Sometimes.
I'm still trying to figure out why I get malformed_payload errors and
dropped connections more than I get good connections, but I tend to
think that it's more a problem somewhere in the middle (overloaded cable
segment, someone else's misconfigured router, etc.) than an issue with
anything I've done.
It has always worked from a box very close (1 hop) to the PIX, and it
has worked a total of three times from here (home) in the two weeks
since I set it up. I'm going to install the client on a different
machine to see if that has anything to do with it, but I'm not
hopeful.
Good luck!!
JR
-----Original Message-----
From: John Ridout <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, June 15, 2001 4:40 AM
Subject: RE: [Leaf-user] VPN pre-install question
>Hi,
>
>Thanks for the link, it seems PIX supports something called
>dynamic crypto maps which allow for IPSec connections to be
>initiated by a client with a dynamic IP address.
>
>> As Michael says, when using Cisco's VPN client at least, the
>> PIX assigns (from a pool configured on it) an IP address to the remote
>> client. I use 172.17 addresses, but you can use anything.
>> You then need to allow that range through the PIX to your protected
>> network. Cisco has some good docs on their site on how to do
>> this if you're unfamiliar with the ipsec commands. Takes a total of
>> about 10 commands on the pix to allow ipsec connections. Much
>> easier than I thought.
>>
>> Are you planning on connecting to the PIX from an LRP box, or
>> through an LRP box? (Or neither) I have no experience attaching
>> FreeS/WAN to a PIX, but I doubt that a dynamic address would
>> work well. Tunnelling through an LRP box, however, is a piece of cake,
>> and handles dynamic addressing and NAT quite handily.
>>
>> Cisco docs for VPN Client configs:
>> http://www.cisco.com/warp/public/110/pptpcrypto3.html
>>
>> Jonathan Rawson
>>
>> -----Original Message-----
>> From: Michael Leone <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
>> Date: Thursday, June 14, 2001 2:34 PM
>> Subject: Re: [Leaf-user] VPN pre-install question
>>
>>
>> >> One of my clients has just bought a Cisco PIX firewall and I will be
>> >> attempting to set up a VPN connection to them. Do you know if the PIX
>> >> firewall can accept an IPSEC connection from a dynamic IP address?
>> >> I have read that FreeSWAN can, I know that Checkpoint and W2K can't.
>> >> I don't want to spend too much time attempting the impossible.
>> >
>> >I can tell you that, when I was testing my PIX, we dialed a laptop into a
>> >local ISP (and got a dynamic IP), and used the Cisco IPSec software to
>> >connect to our Pix with no problem.
>> >
>> >When you configure the Pix, you will have (probably) an RFC 1918 address on
>> >the internal interface (i.e., 192.168.1.x). You would then also assign a
>> >DIFFERENT RFC 1918 address to the incoming IPSec connection (we used
>> >172.16.x.x); the incoming IPSec is then assigned this 2nd address. The Pix
>> >will automatically route between them.
>> >
>> >_______________________________________________
>> >Leaf-user mailing list
>> >[EMAIL PROTECTED]
>> >http://lists.sourceforge.net/lists/listinfo/leaf-user
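As an added example (not configuration posted by anyone in this thread), here is the kind of PIX 6.x remote-access IPsec setup Jonathan and Michael describe: an address pool for connecting clients in a different RFC 1918 range from the inside network, a dynamic crypto map so a client at an unknown, dynamic address can initiate the tunnel, NAT exemption so the pool is routed to the inside network untranslated, and a vpngroup for the Cisco VPN client. Interface names, addresses, the group name and the group password are all assumptions chosen for illustration.

```text
! Added example: PIX 6.x remote-access IPsec for the Cisco VPN client.
! Every name, address and secret below is assumed for illustration only.

! Pool handed out to connecting clients; deliberately a different
! RFC 1918 range from the inside network (192.168.1.0/24 here).
ip local pool vpnpool 172.17.1.1-172.17.1.50

! Exempt inside<->pool traffic from NAT so the PIX routes it directly.
access-list nonat permit ip 192.168.1.0 255.255.255.0 172.17.1.0 255.255.255.0
nat (inside) 0 access-list nonat

! Let decrypted IPsec traffic bypass the outside interface's ACL/conduits.
sysopt connection permit-ipsec

! Phase 2 proposal.
crypto ipsec transform-set strong esp-3des esp-sha-hmac

! Dynamic crypto map: no peer address is configured, so a client at any
! IP may initiate. The PIX only ever responds to dynamic-map peers; it
! cannot initiate to them, which is exactly the dynamic-IP case.
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 20 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap interface outside

! Phase 1 (IKE) policy the client must match.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Group the VPN client selects. The group password is a secret shared by
! every client in the group, so treat it as such and rotate it when
! someone leaves; per-user authentication (xauth via aaa-server) should
! be layered on top of it rather than relied on the group secret alone.
vpngroup vpnclients address-pool vpnpool
vpngroup vpnclients dns-server 192.168.1.10
vpngroup vpnclients idle-time 1800
vpngroup vpnclients password ChangeMeGroupSecret
```

When a connection fails part way through, as in the malformed-payload errors described at the top of the thread, `show crypto isakmp sa` tells you whether Phase 1 ever completed, `show crypto ipsec sa` whether a Phase 2 SA exists and whether its packet counters move, and `debug crypto isakmp` shows which IKE exchange the failure occurs in. A tunnel that completes from one hop away but not across the Internet usually points at something between the two ends (fragmentation of large IKE packets, or a NAT device in the path) rather than at the PIX configuration itself.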