I have configured my laptop by the XP examples on Cisco's site for a concentrator (no PIX examples).
I did have it failing before at "invalid proposal" because the IP address of the SRC wasn't in any ACLs. Obviously I was trying to get around this because I need a pure dynamic setup; the only known endpoint will be the PIX itself.
How did you get from your original "invalid transform proposal flags" to this point?
I seem to be exactly where you were. Using the XP client to access a PIX 501 and getting the invalid flags (0x200) regardless of which acceptable transform-set is configured. The common error seems to have to do with tunnel vs. transport mode; I already have my transform sets configured for transport mode.
From what I can tell, the ip vpdn pool is in the same range as the destination network in the ACL that defines interesting traffic. The PIX sees the pool as internal, and I believe that it will process the packet differently than if the address were not an internally assigned one.
I would try to assign a different pool for L2TP traffic that is still routable to the PIX (make sure that that is the case) and is different from the crypto map ACL. Even if that is done, from what I understand about Windows IPsec and L2TP, transport mode is used, but in some cases the PIX/IOS IPsec handling is better with tunnel mode, due to the fact that one end is specifying an address and wants to tell the other, so tunnel mode is used to create new IP headers and trailers so that the PIX/IOS router can tell host 184.108.40.206 on the internet that you have a virtual adapter interface address of 10.3.4.5.
Even if you get L2TP to work, it is useless without IPsec or some other encryption. In the case of Windows 2000/XP and Linux/Solaris, the only way I know to have true dynamic clients, other than PPTP, is to use the Cisco VPN client.
By the way, the PIX 6.3 code can use 128-bit MPPE encryption for local accounts, and the new concentrators from Cisco can use SSL-based VPNs that do not require a VPN client.
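As an added illustration of the suggestion above (this is not configuration from the original post, and it has not been applied to any particular PIX), here is a PIX 6.3-style L2TP/IPsec configuration in which the address pool handed to L2TP clients is deliberately kept outside every subnet that a crypto-map ACL describes, and the transform set used for the dynamic clients is explicitly in transport mode, which is what the Windows 2000/XP built-in client negotiates. All names, pool ranges, peer addresses and the LAN-to-LAN entry are placeholders chosen for the example; lines beginning with `!` are annotations, not PIX commands.

```text
! Added example (hypothetical names and addresses), PIX 6.3 syntax.
! Site-to-site tunnel: this crypto ACL covers 10.1.1.0/24 <-> 10.2.2.0/24.
access-list l2l-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set l2l-ts esp-3des esp-sha-hmac

! L2TP client pool: NOT inside 10.1.1.0/24 or 10.2.2.0/24, so a client address
! never matches the LAN-to-LAN ACL. Inside hosts still need a route for
! 10.3.4.0/24 that points at the PIX, otherwise replies never come back.
ip local pool l2tp-pool 10.3.4.1-10.3.4.254

! Keep inside-to-pool traffic out of NAT so it is not translated on the way out.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.3.4.0 255.255.255.0
nat (inside) 0 access-list nonat

! Transform set for L2TP/IPsec clients: transport mode, as Windows requests.
crypto ipsec transform-set l2tp-ts esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-ts mode transport

! Static entry for the known peer, dynamic entry (no match address) for the
! clients whose source IP is unknown in advance.
crypto dynamic-map dyn-map 10 set transform-set l2tp-ts
crypto map outside-map 10 ipsec-isakmp
crypto map outside-map 10 match address l2l-acl
crypto map outside-map 10 set peer 203.0.113.1
crypto map outside-map 10 set transform-set l2l-ts
crypto map outside-map 65535 ipsec-isakmp dynamic dyn-map
crypto map outside-map interface outside

! IKE phase 1 with a wildcard pre-shared key for the dynamic clients.
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

! L2TP itself: accept dial-in, assign from the separate pool, local users.
vpdn group l2tp-group accept dialin l2tp
vpdn group l2tp-group ppp authentication mschap
vpdn group l2tp-group client configuration address local l2tp-pool
vpdn group l2tp-group client authentication local
vpdn username xpuser password ********
vpdn enable outside

! Let IPsec and L2TP traffic bypass the outside interface access list.
sysopt connection permit-ipsec
sysopt connection permit-l2tp
```

The two things worth checking against your own box after a change like this are `show crypto ipsec sa` for the negotiated mode (transport vs. tunnel) on the client SA, and that the pool range does not overlap any `access-list` referenced by a `match address` line.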
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...