Thanks for the reply... but I now have a couple more questions.

1) Why would the Cisco PIX firewall not support L2TP over IPsec with Win2K when Cisco co-developed the built-in VPN client in Win2K? Especially since Win2K has been out for quite some time now?

2) Using PPTP as a workaround? That workaround is less secure and more vulnerable than IPSEC. I'm not willing to have clients take that risk, nor do I think they'll want to use a less-secure VPN method to transfer their sensative data.

This alienates Cisco customers who have implemented the Cisco PIX firewall and use the Cisco Secure VPN client. With Cisco not having their own Win2K VPN client by now and/or supporting the Win2K VPN client with this recent version of PIX software, 5.2(1), to me is inexcusable.

Also, there should be documentation on CCO regarding Cisco customers who wish to migrate to Windows 2000 and the problems they'll have with using the PIX and VPN (IPSEC).

Thanks,

Jeff

I also believe this is inexcusable. Very well put, Jeff.

However, the PPTP workaround might not be so bad since it is very easy to setup on both ends (Win2k and PIX), does work with a current PIX configuration using Win95/98/NT4 VPNClients, and is not totally insecure.

The workaround I generally suggest is PPTP/MPPE and it can be made secure by doing the following:

1) Using ONLY MS-CHAP v2. Otherwise, a rollback attack is easy to initiate. Set this under both Win2k and on the PIX.

2) Turn on MPPE

3) Choose highly aggressive passwords that are at least 14 characters long and include two of each: lowercase letter, uppercase letter, number, number symbol !@#$%^&*(), and other symbol `~-_=+[{]};:'",<.>/?\| and no words in a dictionary

4) (optional): use One-Time passwords instead of the above strategy

Visit http://www.counterpane.com/pptp.html for futher details.

And I'm sure that Cisco will release the new VPNClient soon.

I am wondering if people who have NSA support using PIX's are getting special cuts of PIX code that include L2TP support while the rest of us suffer ;>

I have read the PIX does not support MS-CHAP v2 only v1. PPTP would only be a workaround with v2. Is it possible with the PIX ??

I have tested Netscreen's 3-DES Safe Net VPN Client and it is working perfectly. SO I would say any Safe Net Client that supports Windows 2000 (the latest) is safe to buy. You can either go with Safe Net's or if you use Netscreen or Sonicwall their client will work just fine. I am currently using Netscreen's till Cisco realeases the new OEM version of Safe net's client.

There are only a handful of VPN Clients out there. Safe Net is the one that Cisco uses (Safe net logo in the upper right hand of the Client GUI). Safe Net has put out a Windows2000 version of their client, unfortunately Cisco has not released a new version of this product. You can howerver purchase Safe Net's from them. I am going to be testing this out today to ensure it does in fact work and I will post on how it goes. I believe Sonicwall's VPN Client is also Safe Net's and they have a free download of theirs if you want to try it out also.

I have purchased the Safe Net VPN Client that works with W2K. It seems like it's working ok both with PIX and IOS firewall

so the new Safe Net VPN client is working with W2k, do we need to do someth'n extra on the PIX firewall? or on the client ..or just the upgrade of the client work......where can i get the new vpn client ......wat is there website.......thanks

I’ve heard the new Safe Net VPN client works with the PIX. Once the Cisco client comes out it is suppose to be much better and it’s multi-platform. If you already have the software from Cisco you’ll get an upgrade package for the new client when it’s released. If you’ve waited this long I’d suggest waiting it out for Cisco’s Universal Client. Just my two cents