W2K vpn client to Cisco 3005 VPN concentrator

Discussion in 'Cisco' started by srp336@getcoactive.com, Jun 20, 2005.

  1. Guest

    I've got a project to configure a Cisco 3005 vpn concentrator to allow
    connections from the w2k built-in vpn client.

    The concentrator currently has users connecting via the Cisco client
    using IPSec, and authenticating against an Active Directory server.

    The way I understand things is, PPTP is supported, but only without
    encryption when authenticating against Active Directory. And the only
    other option is L2TP/IPSec, which is mutually exclusive with the
    IPsec-only that's currently in use. (Have I got this all correct?)

    So, the only option open here is PPTP without encryption, correct?

    Is there any way to get the w2k client to do l2tp without ipsec?

    Thanks!
    , Jun 20, 2005
    #1

  2. Guest

    Yes, you can connect to a Cisco VPN concentrator using L2TP alone or
    L2TP/IPsec.

    By default, W2K creates an IPsec policy for L2TP that relies on digital
    signature (digital certificate) authentication. So, if you want to
    configure either L2TP alone or L2TP/IPsec with pre-shared key
    authentication then you need to modify the registry.

    Take a look at this article for more:

    http://support.microsoft.com/kb/240262


    By creating the 'ProhibitIpSec' value, and setting the value to '1' (as
    discussed in the first part of the article), you actually disable the
    automatic creation of an IPsec policy (using digital signature auth)
    for L2TP. So, if you don't want to use IPsec with L2TP, you can stop
    there, without following the instructions in the rest of the article
    (although you should consider the security implications!).


    Hope that helps,

    Mark

    CCIE#6280 / CCSI#21051 / JNICS#121 / etc.

    Author: www.ciscopress.com/1587051044
    , Jun 21, 2005
    #2

  3. Guest

    I've gotten l2tp working with the w2k client and cisco vpn 3005, but it
    looks like the same problem I was having with pptp.

    Is there no way to connect with pptp or l2tp to a 3005 concentrator
    with encryption, when that concentrator is authenticating against an
    Active Directory server?
    , Jun 21, 2005
    #3
  4. Re[2]: W2K vpn client to Cisco 3005 VPN concentrator

    Hello mark,

    Tuesday, June 21, 2005, 4:50:41 PM, you wrote:

    [skip]
    > http://support.microsoft.com/kb/240262
    > By creating the 'ProhibitIpSec' value, and setting the value to '1' (as

    [skip]

    Can the same problem be solved under Windows XP and Windows 2003?
    The 'ProhibitIpSec' key does not work and I found no solution on the MSDN site.

    --
    Best regards,
    CiscoPress.ru
    Anatoliy
    Anatoliy Mysnyk, Jun 21, 2005
    #4
  5. Scott Lowe Guest

    On 2005-06-21 14:41:11 -0400, said:

    > I've gotten l2tp working with the w2k client and cisco vpn 3005, but it
    > looks like the same problem I was having with pptp.
    >
    > Is there no way to connect with pptp or l2tp to a 3005 concentrator
    > with encryption, when that concentrator is authenticating against an
    > Active Directory server?


    I will preface this by saying that it has been a couple of years since
    I did this, but I am reasonably positive that you can get PPTP with
    encryption working when the concentrator is authenticating against AD.
    Well, technically, we are authenticating against AD via RADIUS, using
    Windows' Internet Authentication Service (IAS).

    If I recall correctly, the trick is making sure that you configure the
    concentrator to use MS-CHAP or higher, and to configure a Remote Access
    Policy on IAS that also supports MS-CHAP or higher for authentication.
    If you allow PAP or CHAP, encryption for PPTP cannot be negotiated.

    Give that a try and see if it helps.

    --
    Scott Lowe
    Scott Lowe, Jun 26, 2005
    #5
