Any speculation if this native IPSec stuff works equally well against a
Cisco PIX as it does against a 3000?

Frank 

-----Original Message-----
From: Julian Y. Koh [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 22, 2006 2:59 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Windows and Mac native IPSec clients/Nortel VPN

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

At 08:00 -0600 02/20/2006, Julian Y. Koh wrote:
>This isn't totally helpful for you since we use Cisco 3000 
>concentrators, but the built-in L2TP/IPSec clients on Windows and Mac 
>OS X work fine with those devices.  The only caveat is that the Mac OS 
>X L2TP/IPSec client doesn't work through NAT with Cisco 3000s unless 
>you update your client to Mac OS X 10.4.5.  I've been asking for this 
>compatibility for well over a year from both Cisco and Apple.  It was 
>the last stumbling block in our effort to get rid of PPTP.

A bunch of people have asked for more details about our Cisco concentrator
and client setup.

Our Windows users have been doing L2TP/IPSec since the summer. Instructions
are at
<http://www.it.northwestern.edu/oncampus/vpn/native/native-config-win.html>.


Here are the old instructions that I wrote up for Mac OS X 10.3.x; they
should still be mostly valid. It looks like 10.4.x has some new options for
"VPN on demand", so that it will only bring up the VPN connection when you
connect to certain hosts. Probably more complex than we want to make things
for our users, but it might be fun to play around with on an individual
basis to see how it works.


>
>1.) Mac OS X 10.3.x
>
>       Open Internet Connect
>       Select "New VPN Connection" under the File menu.
>       In the window that appears, select "L2TP over IPSec", click Continue.
>       From the Configuration pop-up menu, select "Edit Configurations..."
>       Enter whatever you want for "Description"
>       Enter <insert your VPN address here> for "Server Address"
>       Enter your netid for "Account Name:"
>       Select "Use Password" for "Authentication", and enter your netid
>               password if you want it saved in your Keychain.
>       Enter <insert your preshared key here> for "Shared Secret"
>       Click OK; you should be back at the main Internet Connect screen.
>       Click "Connect" to attempt a connection.
>       If you have a Connection Log window open, you should see something like this:
>
>====================
>Mon Apr 11 17:25:31 2005 : L2TP:  starting racoon...
>Mon Apr 11 17:25:34 2005 : L2TP connecting to server <name>...
>Mon Apr 11 17:25:38 2005 : L2TP connection established.
>Mon Apr 11 17:25:38 2005 : Using interface ppp0
>Mon Apr 11 17:25:38 2005 : Connect: ppp0 <--> socket[34:18]
>Mon Apr 11 17:25:41 2005 : acsp resetci called
>Mon Apr 11 17:25:44 2005 : local  IP address <blah>
>Mon Apr 11 17:25:44 2005 : remote IP address <blah>
>Mon Apr 11 17:25:44 2005 : primary   DNS address <blah>
>Mon Apr 11 17:25:44 2005 : secondary DNS address <blah>
>Mon Apr 11 17:25:48 2005 : Terminating on signal 15.
>Mon Apr 11 17:25:48 2005 : Connection terminated.
>Mon Apr 11 17:25:48 2005 : Connect time 0.2 minutes.
>Mon Apr 11 17:25:48 2005 : Sent 901 bytes, received 1645 bytes.
>Mon Apr 11 17:25:48 2005 : L2TP disconnecting...
>Mon Apr 11 17:25:49 2005 : L2TP disconnected
>=======================

As far as the concentrator config is concerned, I don't know if I'll hit all
the necessary points, but here goes.  We're using RADIUS authentication,
with an Active Directory backend, IP addresses assigned by the RADIUS
server.
Concentrator software version 4.1.7.H.

Configuration->User Management->Base Group->General Tab
Check box for L2TP over IPSec in Tunneling Protocols

Configuration->User Management->Base Group->IPSec Tab
IPSec SA = ESP-L2TP-TRANSPORT (see below)
Tunnel Type = Remote Access
Default Preshared Key = <insert your preshared key here>

Configuration->User Management->Base Group->Client Config Tab
Check box for IPSec over UDP
IPSec over UDP Port = 10000

Configuration->User Management->Base Group->PPTP/L2TP Tab
L2TP Authentication Protocols = MSCHAPv2
Uncheck all boxes for L2TP Encryption and Compression

Configuration->Policy Management->Traffic Management->SAs
Modify/create IPSec SA named ESP-L2TP-TRANSPORT
Inheritance: From Rule
Authentication Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Encapsulation Mode: Transport
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: 10000
Time Lifetime: 3600
IKE Peer: 0.0.0.0
Negotiation Mode: Main
Digital Certificate: None (Use Preshared Keys)
Certificate Transmission: Identity Certificate only
IKE Proposal: CiscoVPNClient-3DES-MD5

Configuration->Tunneling and Security->L2TP
Everything here should just be default, but:
Check box for "Enabled"
Max Tunnel Idle Time: 60 seconds
Control Window Size: 4 packets
Control Retransmit Interval: 1 second
Control Retransmit Limit: 4
Max Tunnels: 0
Max Sessions/Tunnel: 0
Hello Interval: 60 seconds

Configuration->Tunneling and Security->IPSec->IKE Proposals
Modify/Create/Activate IKE Proposal named CISCOVPNClient-3DES-MD5
Authentication Mode: Preshared Keys (XAUTH)
Authentication Algorithm: MD5/HMAC-128
Encryption Algorithm: 3DES-168
Diffie-Hellman Group: Group 2 (1024-bits)
Lifetime Measurement: Time
Data Lifetime: 10000
Time Lifetime: 86400

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.4 (Build 4042)
Comment: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

iQA/AwUBQ/zQjw5UB5zJHgFjEQKAbgCbB9+nANxtctQ5wVw3Sc1P9u2ulj8Anjj3
nNKgOkf3oxpc/mMuV+MU6swc
=Q7DA
-----END PGP SIGNATURE-----

-- 
Julian Y. Koh                         <mailto:[EMAIL PROTECTED]>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
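The IPSec SA and IKE proposal quoted in Julian's message pin the cipher suite to 3DES-168, HMAC-MD5, Diffie-Hellman group 2 (1024-bit), PFS disabled, and a single group preshared key. As an added example that is not part of the original message or of any Cisco tooling, here is a small Python audit that parses those settings exactly as quoted and reports the ones that fall below a minimum policy. The policy thresholds (AES, SHA-family integrity, DH group 14 or better, PFS on) and the function names are my assumptions; the settings text is copied from the message.

```python
import re

# Settings copied, key for key, from the concentrator configuration quoted in
# the message (constructed "Key: Value" input for this example).
IPSEC_SA_TEXT = """
Authentication Algorithm: ESP/MD5/HMAC-128
Encryption Algorithm: 3DES-168
Encapsulation Mode: Transport
Perfect Forward Secrecy: Disabled
Lifetime Measurement: Time
Data Lifetime: 10000
Time Lifetime: 3600
IKE Peer: 0.0.0.0
Negotiation Mode: Main
Digital Certificate: None (Use Preshared Keys)
"""

IKE_PROPOSAL_TEXT = """
Authentication Mode: Preshared Keys (XAUTH)
Authentication Algorithm: MD5/HMAC-128
Encryption Algorithm: 3DES-168
Diffie-Hellman Group: Group 2 (1024-bits)
Lifetime Measurement: Time
Data Lifetime: 10000
Time Lifetime: 86400
"""

# Assumed minimum policy (my thresholds, not the list's or Cisco's):
# AES encryption, SHA-family integrity, MODP group 14 (2048-bit) or
# better, and PFS enabled for the IPsec SA.
MIN_DH_GROUP = 14


def parse_settings(text):
    """Turn 'Key: Value' lines into a dict; the first ':' splits key from value."""
    settings = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(settings, section):
    """Return (section, key, value, reason) tuples for settings below policy."""
    findings = []
    enc = settings.get("Encryption Algorithm", "")
    if "DES" in enc.upper():  # matches both DES and 3DES
        findings.append((section, "Encryption Algorithm", enc,
                         "DES/3DES has a 64-bit block and is deprecated; use AES"))
    auth = settings.get("Authentication Algorithm", "")
    if "MD5" in auth.upper():
        findings.append((section, "Authentication Algorithm", auth,
                         "HMAC-MD5 is deprecated for IPsec integrity; use SHA-2"))
    dh = settings.get("Diffie-Hellman Group", "")
    match = re.search(r"Group\s+(\d+)", dh)
    if match and int(match.group(1)) < MIN_DH_GROUP:
        findings.append((section, "Diffie-Hellman Group", dh,
                         "group below 2048-bit MODP; use group 14 or an ECDH group"))
    if settings.get("Perfect Forward Secrecy", "").lower() == "disabled":
        findings.append((section, "Perfect Forward Secrecy", "Disabled",
                         "without PFS the IPsec SA keys derive from the IKE SA; "
                         "an IKE key compromise exposes every child SA"))
    cert = settings.get("Digital Certificate", "")
    if "preshared" in cert.lower():
        findings.append((section, "Digital Certificate", cert,
                         "one group preshared key is shared by every client; "
                         "compromise of any client exposes it"))
    return findings


def audit_all():
    """Audit both quoted sections and return the combined findings list."""
    sa = audit(parse_settings(IPSEC_SA_TEXT), "IPSec SA ESP-L2TP-TRANSPORT")
    ike = audit(parse_settings(IKE_PROPOSAL_TEXT),
                "IKE proposal CiscoVPNClient-3DES-MD5")
    return sa + ike


if __name__ == "__main__":
    for section, key, value, reason in audit_all():
        print(f"[{section}] {key} = {value}: {reason}")
```

Run as-is it prints seven findings (four for the IPSec SA, three for the IKE proposal); feeding it the same keys with AES, SHA, group 14 and PFS enabled returns none. Because the settings are read as "Key: Value" text, the same checker can be pointed at a saved screen of any concentrator tab that uses that layout.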
