Re: PIX IPSec to Win2K L2TP preshared key and NAT-T
Thanks for the idea, but it will not work because of the NAT and DHCP assignment by the ISP.
The no-config-mode overrides the mode config feature, to stop the PIX sending an IP address, DNS etc. to the remote PC when this has been configured on the map (i.e. crypto map client configuration address). I need this as the ISP address is bogus, so I must send an address to the remote client PC.
I have done some more research, and it appears that when Win2K completes phase 1, starts phase 2 and validates the pre-shared key, it is sending an ID packet with an id_type of 2 (id_fqdn). I.e., instead of sending the IPV4_Address like it did in phase 1, it is sending a name like "myhost.com.au" instead.
As far as I can tell, it shouldn't be doing this. The same problem has been seen by others including FreeS/WAN users. It also appears to be contrary to the RFCs.
So, is there some way to stop Win2K doing this, or to tell the PIX to deal with it? Is the PIX wrong or Win2K wrong (guess what my bet is on).
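To make the phase 1 / phase 2 difference concrete, here is an added example (not code from the original thread) that decodes an ISAKMP Identification payload as laid out in RFC 2408 section 3.8 and the IPsec DOI (RFC 2407 section 4.6.2): a fixed header (next payload, reserved, length, ID type, protocol ID, port) followed by the identity data. The three sample payloads are constructed for illustration: an ID_IPV4_ADDR as seen in phase 1, the quick-mode ID a PIX would expect for an L2TP peer (IPv4 address with UDP/1701 selectors), and the ID_FQDN "myhost.com.au" the post describes. The `quick_mode_check` acceptance rule (address-type ID carrying UDP port 1701) is an assumption reflecting what the poster reports the PIX wants, not a quotation of any RFC.

```python
import struct
import ipaddress

# ID types from the IPsec DOI (RFC 2407, section 4.6.2.1).
ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET", 5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET",
    7: "ID_IPV4_ADDR_RANGE", 8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

# Generic ISAKMP payload header (next, reserved, length) followed by the
# DOI-specific ID fields (id type, protocol id, port), all big-endian.
HEADER = struct.Struct("!BBHBBH")

# Constructed sample payloads (not captured traffic):
# phase 1 style: ID_IPV4_ADDR 203.0.113.5, no protocol/port selectors
PHASE1_ID = bytes.fromhex("00 00 00 0c 01 00 00 00 cb 00 71 05")
# quick-mode style a PIX expects for L2TP: same address, UDP (17), port 1701
QM_EXPECTED_ID = bytes.fromhex("00 00 00 0c 01 11 06 a5 cb 00 71 05")
# what the post describes Win2K sending in phase 2: ID_FQDN "myhost.com.au"
QM_OBSERVED_ID = bytes.fromhex("00 00 00 15 02 11 06 a5") + b"myhost.com.au"


def parse_id_payload(buf):
    """Decode one ISAKMP ID payload; raise ValueError on malformed input."""
    if len(buf) < HEADER.size:
        raise ValueError("payload shorter than ID header")
    nxt, _reserved, length, id_type, proto, port = HEADER.unpack_from(buf)
    if length < HEADER.size or length > len(buf):
        raise ValueError("bad payload length field")
    data = buf[HEADER.size:length]
    if id_type == 1:                      # single IPv4 address
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR needs 4 bytes of data")
        identity = str(ipaddress.IPv4Address(data))
    elif id_type == 4:                    # address + mask
        if len(data) != 8:
            raise ValueError("ID_IPV4_ADDR_SUBNET needs 8 bytes of data")
        identity = f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}"
    elif id_type in (2, 3):               # FQDN / user@FQDN, plain ASCII
        identity = data.decode("ascii")
    else:
        identity = data.hex()
    return {
        "next_payload": nxt, "id_type": id_type,
        "id_name": ID_TYPES.get(id_type, "unknown"),
        "protocol": proto, "port": port, "identity": identity,
    }


def quick_mode_check(parsed):
    """Assumed acceptance rule for an L2TP/IPsec quick-mode ID:
    an IPv4 address or subnet identity with UDP (17) port 1701 selectors.
    Returns (ok, reason) so the caller can log why an ID was rejected."""
    if parsed["id_type"] not in (1, 4):
        return False, f"{parsed['id_name']} is not an address-type ID"
    if parsed["protocol"] != 17 or parsed["port"] != 1701:
        return False, f"selectors are proto {parsed['protocol']} port {parsed['port']}, expected UDP/1701"
    return True, "address ID with UDP/1701 selectors"


if __name__ == "__main__":
    for label, raw in (("phase 1", PHASE1_ID),
                       ("quick mode (expected)", QM_EXPECTED_ID),
                       ("quick mode (observed)", QM_OBSERVED_ID)):
        p = parse_id_payload(raw)
        ok, why = quick_mode_check(p)
        print(f"{label}: {p['id_name']} {p['identity']} -> {'ok' if ok else 'reject'}: {why}")
```

Running the block prints the decoded identity for each sample and shows that the FQDN identity fails the address-type check even though its protocol/port selectors are correct, which matches the symptom the poster describes.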
It seems to me the address being assigned by L2TP isn't being translated to the inside network. I can authenticate my L2TP connection and kick on ISAKMP and IPsec and get what looks like a tunnel built, but I cannot ping or access internal hosts.
A few things I found with XP: use IP Security Policy Manager to create an IPsec policy to filter for 1701 (L2TP), which kicks on 3des-sha for the AH-ESP and PFS. The VPN settings themselves should have L2TP dialin set (not auto), no encryption set whatsoever (important), and do not set the shared key in the VPN connection settings or you will have issues for sure.
I know Cisco's examples for XP show them using the shared key setting in the VPN connection, but this will cause the crypto settings to be set differently than the ones you assigned via the ip sec pol man.