PIX-PIX and VPN Client


angktwap (Technical User), Apr 21, 2002
Hi,

Currently I have set up a PIX to PIX VPN for connecting a remote office to our local office. There is a requirement to add VPN clients for users on the road.

I have tried it with Windows IAS and was able to connect. After a few connections using the VPN client, the PIX-PIX VPN somehow gets "corrupted" and fails. The config is as follows:

crypto ipsec transform-set cryptoset esp-des esp-md5-hmac
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient
crypto map OfficeMap 10 ipsec-isakmp dynamic dynmap
crypto map OfficeMap 30 ipsec-isakmp
crypto map OfficeMap 30 match address 101
crypto map OfficeMap 30 set peer XXX.XXX.XXX.XXX
crypto map OfficeMap 30 set transform-set cryptoset
crypto map OfficeMap client authentication partnerauth
crypto map OfficeMap interface outside
isakmp enable outside
isakmp key XXXXXXX address XXX.XXX.XXX.XXX netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup ri3kasiaUser address-pool ippool
vpngroup ri3kasiaUser dns-server x.x.x.x
vpngroup ri3kasiaUser wins-server x.x.x.x
vpngroup ri3kasiaUser default-domain xxx.com
vpngroup ri3kasiaUser split-tunnel 90
vpngroup ri3kasiaUser idle-time 1800
vpngroup ri3kasiaUser password XXXXXXXXXXXX

Then I took out
"crypto map OfficeMap client authentication partnerauth"
to try without the windows IAS and it works.

I can access everything as if I am in the office, but the problem is that I am not able to access the servers at the remote office through the PIX-PIX VPN. I couldn't ping any of them by IP or by name.

Can any one point me to the right direction?

thanks a lot
angktwap
 
hi,

I have managed to get the IAS working... What I did was remove the config and put it back again... weird...

Till now I still couldn't access any of the remote servers using the VPN client.

angktwap
 
hi there,

try the following modifications:

crypto map OfficeMap 40 ipsec-isakmp dynamic dynmap
isakmp key XXXXXXX address XXX.XXX.XXX.XXX netmask 255.255.255.255 no-config-mode no-xauth

Hope this helps!
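The two lines suggested above address two separate things. On PIX 6.x, once `crypto map <name> client authentication <aaa>` is on a map, every IKE peer that lands on that map is challenged for XAUTH, including the LAN-to-LAN peer, which has no user to answer the prompt; `no-xauth` on that peer's `isakmp key` exempts it, and `no-config-mode` likewise stops the PIX pushing IKE mode-config to it. The renumbering to 40 puts the dynamic entry after the static entry 30, so the static LAN-to-LAN entry is evaluated first. As an added example, not from the thread or from Cisco, here is a small Python lint that reads a PIX 6.x config dump and reports both problems; the sample input is the first config posted in this thread with 203.0.113.10 as a placeholder for the masked peer address, and `FIXED_CONFIG` is the same config with the suggested changes applied.

```python
"""Lint a PIX 6.x crypto/ISAKMP config for two LAN-to-LAN + VPN-client pitfalls:
  1. a dynamic crypto map entry ordered ahead of a static (LAN-to-LAN) entry;
  2. 'client authentication' on the map while a static peer's isakmp key
     lacks 'no-xauth', so the LAN-to-LAN peer would be challenged for XAUTH.
It also flags map-wide lines (client authentication / interface) that name a
crypto map with no entries, the classic 'Office' vs 'OfficeMap' typo.
Added example; regexes cover only the command forms seen in this thread.
"""
import re

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
MAP_XAUTH = re.compile(r"^crypto map (\S+) client authentication (\S+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ISAKMP_KEY = re.compile(r"^isakmp key (\S+) address (\S+) netmask (\S+)(.*)$")

# Constructed sample: the first config posted in the thread; 203.0.113.10 is a
# placeholder for the masked peer address, the key itself stays masked.
SAMPLE_CONFIG = """\
crypto ipsec transform-set cryptoset esp-des esp-md5-hmac
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient
crypto map OfficeMap 10 ipsec-isakmp dynamic dynmap
crypto map OfficeMap 30 ipsec-isakmp
crypto map OfficeMap 30 match address 101
crypto map OfficeMap 30 set peer 203.0.113.10
crypto map OfficeMap 30 set transform-set cryptoset
crypto map OfficeMap client authentication partnerauth
crypto map OfficeMap interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
isakmp identity address
"""

# Same config with the two suggested modifications applied.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace("crypto map OfficeMap 10 ipsec-isakmp dynamic dynmap",
             "crypto map OfficeMap 40 ipsec-isakmp dynamic dynmap")
    .replace("netmask 255.255.255.255\n",
             "netmask 255.255.255.255 no-config-mode no-xauth\n")
)


def parse(config):
    """Collect crypto map entries, map-wide settings and isakmp keys."""
    static = {}   # (map, seq) -> peer address, or None if 'set peer' is missing
    dynamic = {}  # (map, seq) -> dynamic-map name
    xauth = {}    # map -> AAA group named on 'client authentication'
    bound = {}    # map -> interface the map is applied to
    keys = {}     # peer address -> set of flags such as {'no-xauth', 'no-config-mode'}
    for raw in config.splitlines():
        line = raw.strip()
        if m := MAP_ENTRY.match(line):
            key = (m.group(1), int(m.group(2)))
            if m.group(3):
                dynamic[key] = m.group(3)
            else:
                static.setdefault(key, None)
        elif m := MAP_PEER.match(line):
            static[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := MAP_XAUTH.match(line):
            xauth[m.group(1)] = m.group(2)
        elif m := MAP_IFACE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := ISAKMP_KEY.match(line):
            keys[m.group(2)] = set(m.group(4).split())
    return static, dynamic, xauth, bound, keys


def lint(config):
    """Return a list of human-readable findings; an empty list means clean."""
    static, dynamic, xauth, bound, keys = parse(config)
    defined = {name for name, _ in static} | {name for name, _ in dynamic}
    findings = []
    # Map-wide lines that name a crypto map with no entries (likely a typo).
    for name in sorted(set(xauth) | set(bound)):
        if name not in defined:
            findings.append(f"crypto map {name}: referenced but has no entries (typo?)")
    # Dynamic entries should carry the highest sequence numbers so that every
    # static entry is evaluated before the catch-all dynamic one.
    for name in sorted(defined):
        dyn_seqs = [s for n, s in dynamic if n == name]
        stat_seqs = [s for n, s in static if n == name]
        if dyn_seqs and stat_seqs and min(dyn_seqs) < max(stat_seqs):
            findings.append(
                f"crypto map {name}: dynamic entry {min(dyn_seqs)} is evaluated before "
                f"static entry {max(stat_seqs)}; give the dynamic entry the highest sequence number")
    # With XAUTH on the map, each static peer needs 'no-xauth' on its isakmp key.
    for (name, seq), peer in sorted(static.items()):
        if name not in xauth:
            continue
        if peer is None:
            findings.append(f"crypto map {name} {seq}: static entry without 'set peer'")
        elif peer not in keys:
            findings.append(f"crypto map {name} {seq}: no isakmp key for peer {peer}")
        elif "no-xauth" not in keys[peer]:
            findings.append(
                f"crypto map {name} {seq}: LAN-to-LAN peer {peer} will be challenged for XAUTH; "
                f"add 'no-xauth no-config-mode' to its isakmp key")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}] {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Run it as-is and the original config yields two findings (ordering and missing `no-xauth`) while the fixed config yields none; paste a `show run` into `SAMPLE_CONFIG` to check your own box.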
 
heya,

What does "no-config-mode no-xauth" actually do?
I have not added "no-config-mode no-xauth" yet; I need your advice.

I have added :

crypto map OfficeMap 40 ipsec-isakmp dynamic dynmap
crypto map Office client authentication partnerauth

Using the VPN client I am able to access everything in the office. However, I am not able to access the servers at the remote office through the PIX-PIX VPN (couldn't ping at all).

Thanks
 
Hi,

I tried "no-config-mode no-xauth"... but it's not working...
The VPN client is only able to tunnel to one remote PIX.

I believe I need to do something to the route. Currently there is only one default route
"route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1"

Any advice will be most appreciated.

thanks
 
How does the new configuration look now? Are you trying a hub-and-spoke configuration? You will not be able to do this on the PIX. You would need to create two different tunnels, but you can only use one tunnel at a time with the VPN client.
 
crypto ipsec transform-set cryptoset esp-des esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set cryptoset
crypto map OfficeMap 30 ipsec-isakmp
crypto map OfficeMap 30 match address 100
crypto map OfficeMap 30 set peer XXX.XXX.XXX.XXX
crypto map OfficeMap 30 set transform-set cryptoset
crypto map OfficeMap 50 ipsec-isakmp dynamic dynmap
crypto map OfficeMap client authentication partnerauth
crypto map OfficeMap interface outside
isakmp enable outside
isakmp key ******** address XXX.XXX.XXX.XXX netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup r123OfficeUser address-pool ippool
vpngroup r123OfficeUser dns-server x.x.x.x
vpngroup r123OfficeUser wins-server x.x.x.x
vpngroup r123OfficeUser default-domain xxx.com
vpngroup r123OfficeUser split-tunnel 90
vpngroup r123OfficeUser idle-time 1800
vpngroup r123OfficeUser password ********
 
Are you trying to connect to the networks behind both PIX firewalls using the VPN client? If that is what you are trying to achieve then that is not possible with the PIX. What you need is a VPN 3K concentrator. You can only connect to the network behind the office PIX. Like I said before you cannot have a true hub-and-spoke configuration with the PIX.
 