<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2653.12">
<TITLE>RE: Cisco 3000 (Altiga) Win2K client?</TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=2>Forgot to add one important thing...</FONT>
<BR><FONT SIZE=2>You cannot use IPsec/L2TP tunnels on Win2K if you already have another IPsec client installed (i.e. Nortel Contivity, Cisco VPN 3000 v2.6 beta, etc). The reason is that the "IPsec Policy Agent" is disabled when another IPsec client is installed. To be able to enable it, you must uninstall all IPsec clients and use only the native Win2K IPsec client (over L2TP, therefore the terminating switch must support L2TP tunnels using certificate-based authentication).</FONT></P>
<P><FONT SIZE=2>Basim S. Jaber </FONT>
<BR><FONT SIZE=2>Senior Systems Engineer / Remote Access Specialist</FONT>
<BR><FONT SIZE=2>VPN Services Division</FONT>
<BR><FONT SIZE=2>iPass Inc. Redwood Shores, CA</FONT>
<BR><FONT SIZE=2><A HREF="http://www.iPass.COM" TARGET="_blank">http://www.iPass.COM</A></FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>>-----Original Message-----</FONT>
<BR><FONT SIZE=2>>From: Basim Jaber </FONT>
<BR><FONT SIZE=2>>Sent: Wednesday, January 10, 2001 8:33 PM</FONT>
<BR><FONT SIZE=2>>To: 'dgillett@niku.com'; VPN@SECURITYFOCUS.COM</FONT>
<BR><FONT SIZE=2>>Subject: RE: Cisco 3000 (Altiga) Win2K client?</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>I've been working directly with Cisco on this one for quite </FONT>
<BR><FONT SIZE=2>>some time now. I have a copy of the beta 2.6 Cisco VPN 3000 </FONT>
<BR><FONT SIZE=2>>client for Win2K. It works the same as the Win9x/NT one does, </FONT>
<BR><FONT SIZE=2>>but it now installs on Win2K (works really good, I might add). </FONT>
<BR><FONT SIZE=2>> Please don't bother to ask me to email out copies of any </FONT>
<BR><FONT SIZE=2>>beta clients as I am bound under NDA to not do so.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>I haven't confirmed this, but according to Cisco's product </FONT>
<BR><FONT SIZE=2>>marketing for VPN 3000, this v2.6 client will not ship and </FONT>
<BR><FONT SIZE=2>>will only be used as a stepping stone beta to test the Win2K </FONT>
<BR><FONT SIZE=2>>interoperability, although the v2.6 client may be released </FONT>
<BR><FONT SIZE=2>>internally for Cisco themselves. The version 3.0 client due </FONT>
<BR><FONT SIZE=2>>out at the end of Q1 (and possibly later) will be the new </FONT>
<BR><FONT SIZE=2>>"unified" client which will talk to the VPN 3000 Series, VPN </FONT>
<BR><FONT SIZE=2>>5000 Series, IOS Gateway VPN routers, and PIX firewalls.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>With respect to getting the native Win2K VPN client to work </FONT>
<BR><FONT SIZE=2>>using IPsec on the VPN 3000 switch, it will most certainly </FONT>
<BR><FONT SIZE=2>>work, but it requires the use of certificate-based </FONT>
<BR><FONT SIZE=2>>authentication as well as Active Directory. You'll need to </FONT>
<BR><FONT SIZE=2>>obtain a "server certificate" from the cert authority for the </FONT>
<BR><FONT SIZE=2>>VPN switch and a certificate for each VPN client (i.e. user). </FONT>
<BR><FONT SIZE=2>>I can't seem to find the doc for implementing this on the VPN </FONT>
<BR><FONT SIZE=2>>3000 units. If I find it later, I'll try to remember to post </FONT>
<BR><FONT SIZE=2>>it to the list.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>In the meantime, if you need to connect Win2K users to your </FONT>
<BR><FONT SIZE=2>>3000 switch(es), you can still do so via PPTP (hold your </FONT>
<BR><FONT SIZE=2>>comments, please!). Simply enable PPTP as one of the services </FONT>
<BR><FONT SIZE=2>>on the 3000 switch(es) and you can then use the native Win2K </FONT>
<BR><FONT SIZE=2>>PPTP VPN client. However, the only way to connect Win2K </FONT>
<BR><FONT SIZE=2>>IPsec clients on the VPN 3000 Concentrator is via L2TP, so </FONT>
<BR><FONT SIZE=2>>you'll eventually need to enable that service too.</FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>Basim S. Jaber </FONT>
<BR><FONT SIZE=2>>Senior Systems Engineer / Remote Access Specialist</FONT>
<BR><FONT SIZE=2>>VPN Services Division</FONT>
<BR><FONT SIZE=2>>iPass Inc. Redwood Shores, CA</FONT>
<BR><FONT SIZE=2>><A HREF="http://www.iPass.COM" TARGET="_blank">http://www.iPass.COM</A></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>></FONT>
<BR><FONT SIZE=2>>>-----Original Message-----</FONT>
<BR><FONT SIZE=2>>>From: David Gillett [<A HREF="mailto:dgillett@niku.com">mailto:dgillett@niku.com</A>]</FONT>
<BR><FONT SIZE=2>>>Sent: Wednesday, January 10, 2001 2:28 PM</FONT>
<BR><FONT SIZE=2>>>To: VPN@SECURITYFOCUS.COM</FONT>
<BR><FONT SIZE=2>>>Subject: Cisco 3000 (Altiga) Win2K client?</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>> I seem to recall that a lot of posters had heard rumours of this around</FONT>
<BR><FONT SIZE=2>>>Oct-Nov last year. Nobody seemed to be able to get a date from any Cisco</FONT>
<BR><FONT SIZE=2>>>employee, but a VAR I talked to told me he expected it to be out of beta</FONT>
<BR><FONT SIZE=2>>>around Nov 15th/2000.</FONT>
<BR><FONT SIZE=2>>> Well, here we are Jan/2001, and the volume of 2000 users wanting to</FONT>
<BR><FONT SIZE=2>>>connect to our 3000 is growing. Has anyone heard anything since November?</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>> Alternatively, has anyone gotten this to work with the native Win2K IPSEC</FONT>
<BR><FONT SIZE=2>>>stuff? Something in the release notes made me think it relied on Active</FONT>
<BR><FONT SIZE=2>>>Directory, but I'm hoping I misunderstood that bit.</FONT>
<BR><FONT SIZE=2>>></FONT>
<BR><FONT SIZE=2>>>David Gillett</FONT>
<BR><FONT SIZE=2>></FONT>
</P>
</BODY>
</HTML>