
VPN Client using CA and authenticating with PIX

adrian.watmough
Level 1

I have a problem with the following setup.

1 PIX 515 with a MS Cert Server on the inside.

1 VPN client 3.5 connecting from the outside.

Enrollment for the PIX and Client works fine. IKE negotiation using certificates works between the PIX and the Client.

If I use the client 3.6, network enrollment does not work, so I have to use file based enrollment. Also the IKE negotiation fails and the debug ISAKMP displays ???? sa not acceptable.

Any ideas?

5 Replies

bhesk
Level 1

Adrian

We've had exactly the same problem. 3.5 client could connect using certificates, 3.6 client fails using exactly the same certificate.

It is something to do with the transform sets and policies that are defined on the PIX. We ended up defining about 20 and all of a sudden it started working again. I can't remember exactly which one fixed it - I am out of the office today so I will see if I can find the config when I'm back in.

Regards, Barry

That would be great. I spent nearly a full day trying to do an original installation with the 3.6 client and thought my configs were wrong. Then I used the 3.5 client and it worked first time.

Adrian

This is the policy config that we ended up with. Unfortunately, I can't remember which policy statement eventually sorted out the problem. Sorry.

Just tested this now - and yes, 3.6 client can authenticate using a certificate (using Microsoft CA Server).

isakmp policy 6 authentication rsa-sig
isakmp policy 6 encryption des
isakmp policy 6 hash md5
isakmp policy 6 group 1
isakmp policy 6 lifetime 86400

isakmp policy 7 authentication rsa-sig
isakmp policy 7 encryption des
isakmp policy 7 hash sha
isakmp policy 7 group 1
isakmp policy 7 lifetime 86400

isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

Regards, Barry

Thanks,

It looks like the later client would not let me use DH Group2. If I set it to DH Group 1 it connects. The older client works on both.
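As an added illustration of what the policy list above is doing (this is example code written for this page, not code from the thread or from Cisco), the following Python script parses the isakmp policy lines Barry posted and models how the PIX, as IKEv1 phase-1 responder, walks its policies in priority order and accepts the first one that matches a proposal from the client. The client proposal (certificate authentication, DES, MD5, DH group 1) and the "group 2 only" starting configuration are constructed assumptions that mirror the DH group observation in the reply above; the script also lists the settings in the posted config that a reviewer would flag as weak today.

```python
"""Added example, not code from this thread or from Cisco: a small model of
IKEv1 phase-1 policy selection. The responder (the PIX) walks its isakmp
policies in priority order and accepts the first one that exactly matches a
proposal offered by the initiator (the VPN client). When nothing matches, the
client fails with the "sa not acceptable" error quoted in the thread.
The PIX_CONFIG lines are the ones posted above; everything about the
client proposals is a constructed assumption."""

import re
from collections import defaultdict

# isakmp policy lines as posted in the thread (Barry's working config).
PIX_CONFIG = """
isakmp policy 6 authentication rsa-sig
isakmp policy 6 encryption des
isakmp policy 6 hash md5
isakmp policy 6 group 1
isakmp policy 6 lifetime 86400
isakmp policy 7 authentication rsa-sig
isakmp policy 7 encryption des
isakmp policy 7 hash sha
isakmp policy 7 group 1
isakmp policy 7 lifetime 86400
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

NEGOTIATED = ("authentication", "encryption", "hash", "group")
POLICY_LINE = re.compile(r"^\s*isakmp policy (\d+) (\w+) (\S+)\s*$")


def parse_isakmp_policies(config):
    """Map 'isakmp policy <prio> <attr> <value>' lines to {prio: {attr: value}}."""
    policies = defaultdict(dict)
    for line in config.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            policies[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(policies)


def select_policy(policies, proposals):
    """First (priority, proposal) pair where a responder policy matches one of the
    initiator's proposals on every negotiated attribute; None means the client
    gets 'sa not acceptable'. Lifetime is deliberately left out: an IKEv1
    responder accepts a shorter initiator lifetime instead of rejecting on it."""
    for prio in sorted(policies):
        for prop in proposals:
            if all(policies[prio].get(a) == prop.get(a) for a in NEGOTIATED):
                return prio, prop
    return None


# Constructed assumption: the newer client only offers a DH group 1 proposal
# with certificate authentication, matching what the thread observed.
CLIENT_PROPOSALS = [
    {"authentication": "rsa-sig", "encryption": "des", "hash": "md5", "group": "1"},
]

# Values a reviewer would flag as weak today: single DES, MD5, and the
# 768-bit (group 1) and 1024-bit (group 2) Diffie-Hellman groups.
WEAK = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}


def weak_settings(policies):
    """List (priority, attribute, value) for every weak setting in the config."""
    return [(prio, attr, val)
            for prio in sorted(policies)
            for attr, val in policies[prio].items()
            if val in WEAK.get(attr, ())]


if __name__ == "__main__":
    posted = parse_isakmp_policies(PIX_CONFIG)
    # Constructed "before" state: the same config restricted to its group-2 policies.
    group2_only = {p: v for p, v in posted.items() if v["group"] == "2"}
    print("group-2-only PIX :", select_policy(group2_only, CLIENT_PROPOSALS))  # None
    print("posted config    :", select_policy(posted, CLIENT_PROPOSALS))       # policy 6
    for hit in weak_settings(posted):
        print("weak:", hit)
```

Run it as a script: with only the group-2 policies present the client's group-1 proposal matches nothing, which is the failure mode the thread describes; with policy 6 present the match is found at the first rsa-sig/group-1 entry. The weak-settings pass is the check a practitioner would want alongside this: every policy in the posted config uses DES and a DH group that would not be accepted in a current deployment.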

I found your post to the Cisco Newsgroup regarding the MS CA with PIX VPN. Did you manage to deploy this solution in your environment? I get a lot of "ISAKMP: encryption... What? 7?" errors on the debug when I connect from a 3.63 client. I managed to enroll a cert for my PIX with a standalone or enterprise MS CA, but the client still does not manage to connect.