We allow IPSEC over L2TP connections to our PIX-525 for remote VPN. The current transform set in place is esp-3des with esp-md5-hmac. I'd prefer AES, but we have to allow connectivity to native WinXP clients for our users (this obviously means we are also in Transport Mode). Am I already at the strongest encryption that WinXP will understand without installing Cisco's VPN client?
Also, do I have to leave MSCHAP enabled for authentication to meet the above requirements? (Authentication is done against an internal Win2003 IAS server.) I'd prefer not to, but is CHAP considered any better?
I think the default algorithm for Windows XP Service Pack 1 and Windows Server 2003 is Advanced Encryption Standard (AES) using a 256-bit key. I think you had better leave MSCHAP enabled for authentication.
Do you mean L2TP using IPSec as the encryption method? WinXP can be assigned preconfigured IPSec policies via IP Security Policies on Local Computer in the mmc. From the Security Methods tab, you can customize your ESP transform set.
Also, you need to configure no l2tp tunnel authentication as you have chosen IPSec.
PPP needs CHAP to negotiate a tunnel, so I think it's needed here. But in my case I had trouble using other authentication lists like RADIUS or TACACS. So if you are using an external authentication list, could you share with us?
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...