PIX firewalls often have some "application filter" to prevent malformed packets to be passed. These are often called "fix-up protocols"... Try to disable this for your needed protocols... Greets... -----Ursprüngliche Nachricht----- Von: Grefenp Berchmann C Sodusta [mailto:grefenp@xxxxxxxxxxx] Gesendet: Mittwoch, 21. Mai 2003 22:09 An: [ISAserver.org Discussion List] Betreff: [isalist] Issue on ISA-ISA gateway VPN with PIX in-between. http://www.ISAserver.org Hello All, I'm setting up a gateway-gateway connection with a PIX firewall in-between. Both ISA will establish a VPN connection. RemoteLAN-------[ISA]------Internet------PIX515------[ISA]-------HeadOfficeL AN Without the PIX firewall everything works perfectly, both PPTP and L2TP/IPSec connections. When the PIX is there L2TP/IPSec gets an error "The L2TP connection attempt failed because security policy for the connection was not found.". I have opened all IP (UDP, TCP, GRE) ports and ICMP at the PIX, still this error appears. Right now only PPTP works. I have run IPSECMON command, if PIX is there no entries can be found in it, without the PIX, L2TP/IPSec connects and an entry is there (IPSECMON). I have disabled filtering of IP fragments on both ISA server. This error is also the same case as when a Windows 2000 Pro tries to login to the HeadOfficeLAN using L2TP/IPSec, but using a PPTP everythings ok. I've been trying to solve this problem for a week now, ror, any information is greatly appreciated. Regards, Grefenp ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: christian.schramm@xxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')