
Hardcoding Xauth in Cisco Pix to router vpn


rpast (MIS), Sep 3, 2002
Hello,
I set up a remote user vpn on a Pix last year, and now one of the users wants to trade in his Cisco VPN Client for a site-to-site vpn via his Cisco 806 router. The problem is that he has a dynamic address with his ISP, so I can't enter a specific "isakmp key *** address n.n.n.n..." for him on the Pix. Since I have Xauth configured for all the other remote users, to accompany the existing wild-card pre-shared key, I need to somehow hard-code the user id and password into his router/vpn client -- don't know if this can be done. In other words, if it could be done at the hub (Pix), I'd have two wildcard preshared keys -- one that requires xauth, and one that does not. But of course this is impossible. So the next thought is to see if the answering of Xauth prompts can be automated at the router/spoke/client. Cisco has nothing that I could find on this. Many thanks to anyone who would share some thoughts on this.
 
Thank you for your reply, themut. I looked at this article awhile back. The problem in my case is that I have xauth (extended authentication) configured for the other (remote) users who use the wildcard key. In other words, if you look at the Pix configuration in the article, I have an extra "crypto map mapname client authentication Radiusserver" line. This is an extra layer of authentication, generally recommended for remote user access, when a wildcard pre-shared key is used. I need to have the remote router (otherwise configured as the one in this article), somehow fulfill the Pix's requirements of user authentication without having any manual input being done -- in other words, something I might enter in the router config. If this user weren't an owner of the company, I'd have other answers for him, such as discovering the address the ISP gave him, and then stamping it on the outside interface. Then I could do a true site-to-site VPN. But he doesn't want to be bothered with changing that address when the ISP decides to change it.
 
isakmp key <key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
 
Thanks again for your reply themut. Yes, the command "isakmp key <key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode" would work, if I wanted to eliminate the xauth for all remote users who use the wildcard preshared key. Unfortunately, I do want to have xauth for everyone else who has a dynamic ip address on their end. So I don't want to have "no-xauth" and "no-config-mode" for them. It's just this one user who is replacing his Cisco remote client with a router, while still having the dynamic address.
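As an added illustration (not part of the thread), here is the PIX 6.x isakmp key syntax the discussion turns on. The peer address 203.0.113.10 and the aaa-server name are constructed placeholders; the point is that the no-xauth exemption is keyed to a peer address, so a peer with a dynamic address can only be exempted by exempting the wildcard key, which removes Xauth for every remote client at once.

```text
! Constructed PIX 6.x fragment: Xauth enforced on the crypto map for all ISAKMP peers
aaa-server RADIUS protocol radius
crypto map mymap client authentication RADIUS
isakmp enable outside
isakmp policy 10 authentication pre-share

! Wildcard pre-shared key: every dynamic-address peer matches this and is prompted for Xauth
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

! A per-peer key can carry no-xauth, but only for a fixed address (placeholder shown).
! A peer whose ISP address changes falls back to the wildcard entry above.
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode

! The only way to exempt a dynamic-address peer is to put no-xauth on the wildcard key,
! which silently downgrades authentication for all other remote clients; avoid this.
! isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
```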
 
Another option is to make your PIX run Easy VPN Server, much like a concentrator 3000 series. This would enable you to make a group for clients using Xauth and one for HW devices running Easy VPN Client config with or without Xauth.

All those features can be found on
Jan
 
Thank you, dopehead. I'll look into this.
 