Win2k and PIX IPSec?
Has anyone successfully set up an IPSec tunnel between a Windows 2000 client running the native Win2k IPSec stack and a PIX? If so, do you have a sample config?

I'm able to establish an SA between the PIX and the Win2k box, but I'm unable to pass traffic. For instance, a ping from inside the PIX to the Win2k box outside the PIX results in an SA being established, but the packets are not passed, and a debug shows a "check crypto map deny". The access lists for nat 0 and for the encrypted traffic are identical and applied. Pix code 5.2.x.

Thanks
Ben
--
Ben Hockenhull [EMAIL PROTECTED]
_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: Win2k and PIX IPSec?
I've had that error before. It was between 2 PIXes though. The fix (on both sides) was to do a "clear crypto ipsec sa" and "clear crypto isakmp sa". And then it worked. It was like the SAs got outa sync or something. Or one side had a valid SA and the other didn't.

On a side note - have you tried to use 'pl-compatible' instead of NAT 0? Pl-compat bypasses all translation and conduit requirements, effectively terminating the tunnel on the inside interface or whichever interface the traffic is destined for.

Kenny

RE: Win2k and PIX IPSec?
I have not done it in a while, and I don't have a config. However, when I did do it you had to set up an l2tp tunnel first between win2k and the router and then run ipsec through the l2tp tunnel.

-----Original Message-----
From: Ben Hockenhull [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 10:57 AM
To: [EMAIL PROTECTED]
Subject: Win2k and PIX IPSec?