Hi,

Can you share the document with me also, for L2TP with IPsec?
But the answer to the question of whether the built-in Win2K client will
support PPTP/IPsec with the PIX or not is still not clear. It failed for
me as well when I tried.

regards
Madhur 

-----Original Message-----
From: Enno Rey [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 01, 2002 9:00 PM
To: Gal Binderman
Cc: [EMAIL PROTECTED]
Subject: Re: VPN connection (PPTP) to a PIX 520 using win2k


Hi,

> However, I was told that I can use the windows 2000 built in VPN client
> to support VPN encrypted connection to the PIX firewall.

This is true, but I would rather use L2TP/IPsec than PPTP/IPsec [PPTP
being insecure, proprietary etc.].
I wrote a paper about this [Win2K to cisco router via L2TP/IPsec] that
I'll send you in a private mail.

Given you obviously invested quite a lot of time into getting it running
with PPTP, I'll try to help you there...

> However, I can't seem to be able to connect to the LAN that sits behind
> the PIX, although the firewall contains an access list that permits it.
> Telnetting to one of my Unix boxes results in a timeout, and so does any
> other browsing attempt.

Please provide the relevant parts of your config [after erasing
usernames, IPs and things], i.e. IPsec configuration, NAT config,
access-lists.

Please provide output of 'debug crypto ipsec' + 'debug crypto isakmp' on
the PIX's side, and from IPsec debugging on W2K (how to enable this is
described in the paper mentioned above).

Do you see anything in the PIX's logfile [debugging level]?

Always remember the flow of the packet and the access-lists involved...
e.g. a packet coming back from a box inside the LAN has to pass the IP
access-list, the NAT access-list [packet must _not_ be handled by NAT]
and the crypto access-list. Do they all match in a correct manner?

> Also, I don't know if the VPN session between the win2k client and the
> PIX is encrypted (IPSEC), and if it is - on which level?

On the level specified by your IPsec config, maybe DES [56-bit], or 3DES
[112-bit]. You should always use the latter one [needs a separate
license].

> Any solution?

Possibly, but need more info...


A happy new year to all list members,

Enno Rey

[EMAIL PROTECTED] --- www.security-academy.de
PGP 74C0 C7E1 3875 E4EB 9B75  8B9D 5E2D 3178 685B F222
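
To make the three access-lists and the DES/3DES point above concrete, here is an added PIX 6.x configuration fragment for a remote-access IPsec setup. It is not from either poster nor from the paper mentioned; the addressing (LAN 10.1.0.0/16 behind the PIX, client pool 10.1.100.0/24), the ACL and map names, and the policy/sequence numbers are assumed for illustration. The point is that all three ACLs describe the same LAN-to-pool flow, so the return packet from an inside host is permitted, exempted from NAT, and encrypted.

```cisco
: Assumed addressing for this example: inside LAN 10.1.0.0/16,
: addresses handed to VPN clients from 10.1.100.0/24
ip local pool vpnpool 10.1.100.1-10.1.100.254

: 1. IP access-list on the inside interface: LAN hosts may answer the clients
access-list inside_access_in permit ip 10.1.0.0 255.255.0.0 10.1.100.0 255.255.255.0
access-group inside_access_in in interface inside

: 2. NAT exemption: LAN -> pool traffic must NOT be translated, otherwise the
:    source address changes and the crypto access-list below never matches
access-list nonat permit ip 10.1.0.0 255.255.0.0 10.1.100.0 255.255.255.0
nat (inside) 0 access-list nonat
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

: 3. Crypto access-list: the same LAN -> pool flow, so the reply is encrypted
access-list vpn_crypto permit ip 10.1.0.0 255.255.0.0 10.1.100.0 255.255.255.0

: Weak setting (56-bit DES), shown commented out for comparison:
: isakmp policy 10 encryption des
: crypto ipsec transform-set WEAK esp-des esp-md5-hmac

: Preferred setting: 3DES (needs the 3DES license on the PIX)
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 match address vpn_crypto
crypto dynamic-map dynmap 10 set transform-set STRONG
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside

: Let decrypted VPN traffic bypass the access-list on the outside interface
sysopt connection permit-ipsec
```

When a reply from an inside host times out, check the three lists in the order the packet meets them: 'show access-list' counters on inside_access_in, then whether the flow appears in 'show xlate' (it must not, if nat 0 is working), then whether 'show crypto ipsec sa' shows encrypted packets for the client's SA. With a wildcard pre-shared key as above, every client shares one secret; the L2TP/IPsec route Enno recommends lets you move to per-user PPP authentication on top of the IPsec transport.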

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls