cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3341
Views
0
Helpful
9
Replies

PIX and Win2K

jkujath
Level 1
Level 1

PIX and Win2K question:

From reading previous posts I am still unclear as to VPN client support in Win2K working with the PIX firewall w/ IPSEC.

From what I understand:

1) The Cisco Secure VPN client does not work in Win2K. No future upgrade of the client to support Win2K is planned.

2) The Win2K VPN client was co-developed by Cisco and Microsoft. However, this built-in client does not work with the Cisco PIX w/ IPSEC.

Based on those 2 above statements, I have the following questions:

1) Are the above 2 statements correct?

2) In regards to statement #2, I'm assuming this is still true for the latest 5.2(1) PIX software release? I was under the impression that 5.2(x) would support the built in Win2K VPN client?

3) When will the PIX support a VPN client running on Win2K?

4) What options to current Cisco customers have who are moving to Windows 2000 as their standard desktop operating system and are currently using the Cisco PIX firewall w/ IPSEC and the Cisco Secure VPN client?

Thank you!

Jeff

9 Replies 9

bob.short
Level 1
Level 1

CiscoSecure PIX Firewall does not currently support L2TP over IPsec, which is Win2K default behavior for IPsec. We are expecting to provide this support by release 5.3.x however no release date is available at this time. A Win2K compatible client should be available by the end of 2000 or early 2001.

In the meantime, to deploy Windows 2000, a workaround would be to use Microsoft’s PPTP protocol for the Win2K clients which will run in parallel with IPsec users and the CiscoSecure VPN client.

Thanks for the reply... but I now have a couple more questions.

1) Why would the Cisco PIX firewall not support L2TP over IPsec with Win2K when Cisco co-developed the built-in VPN client in Win2K? Especially since Win2K has been out for quite some time now?

2) Using PPTP as a workaround? That workaround is less secure and more vulnerable than IPSEC. I'm not willing to have clients take that risk, nor do I think they'll want to use a less-secure VPN method to transfer their sensative data.

This alienates Cisco customers who have implemented the Cisco PIX firewall and use the Cisco Secure VPN client. With Cisco not having their own Win2K VPN client by now and/or supporting the Win2K VPN client with this recent version of PIX software, 5.2(1), to me is inexcusable.

Also, there should be documentation on CCO regarding Cisco customers who wish to migrate to Windows 2000 and the problems they'll have with using the PIX and VPN (IPSEC).

Thanks,

Jeff

I also believe this is inexcusable. Very well put, Jeff.

However, the PPTP workaround might not be so bad since it is very easy to setup on both ends (Win2k and PIX), does work with a current PIX configuration using Win95/98/NT4 VPNClients, and is not totally insecure.

The workaround I generally suggest is PPTP/MPPE and it can be made secure by doing the following:

1) Using ONLY MS-CHAP v2. Otherwise, a rollback attack is easy to initiate. Set this under both Win2k and on the PIX.

2) Turn on MPPE

3) Choose highly aggressive passwords that are at least 14 characters long and include two of each: lowercase letter, uppercase letter, number, number symbol !@#$%^&*(), and other symbol `~-_=+[{]};:'",<.>/?\| and no words in a dictionary

4) (optional): use One-Time passwords instead of the above strategy

Visit http://www.counterpane.com/pptp.html for futher details.

And I'm sure that Cisco will release the new VPNClient soon.

I am wondering if people who have NSA support using PIX's are getting special cuts of PIX code that include L2TP support while the rest of us suffer ;>

I have read the PIX does not support MS-CHAP v2 only v1. PPTP would only be a workaround with v2. Is it possible with the PIX ??

I have tested Netscreen's 3-DES Safe Net VPN Client and it is working perfectly. SO I would say any Safe Net Client that supports Windows 2000 (the latest) is safe to buy. You can either go with Safe Net's or if you use Netscreen or Sonicwall their client will work just fine. I am currently using Netscreen's till Cisco realeases the new OEM version of Safe net's client.

There are only a handful of VPN Clients out there. Safe Net is the one that Cisco uses (Safe net logo in the upper right hand of the Client GUI). Safe Net has put out a Windows2000 version of their client, unfortunately Cisco has not released a new version of this product. You can howerver purchase Safe Net's from them. I am going to be testing this out today to ensure it does in fact work and I will post on how it goes. I believe Sonicwall's VPN Client is also Safe Net's and they have a free download of theirs if you want to try it out also.

I have purchased the Safe Net VPN Client that works with W2K. It seems like it's working ok both with PIX and IOS firewall

so the new Safe Net VPN client is working with W2k, do we need to do someth'n extra on the PIX firewall? or on the client ..or just the upgrade of the client work......where can i get the new vpn client ......wat is there website.......thanks

I’ve heard the new Safe Net VPN client works with the PIX. Once the Cisco client comes out it is suppose to be much better and it’s multi-platform. If you already have the software from Cisco you’ll get an upgrade package for the new client when it’s released. If you’ve waited this long I’d suggest waiting it out for Cisco’s Universal Client. Just my two cents

Review Cisco Networking for a $25 gift card