----Please check my VPN configuration----URGENT

Jul 12, 2001
My goal is to set up a dynamic VPN tunnel so that people can dial up and VPN into their work using a pre-shared key.

I have my pix firewall with the following configuration:

.
.
.
data omitted
.
.
.
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic mymap
crypto map dyn-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity hostname
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
telnet 192.168.11.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
.
.
.


I have a couple of questions:

First of all, does this configuration seem correct, or do I need to add anything else to it or change it?

Second, I loaded the 3.0.3.B client on my machine and it asks for the group name, username and password. I am not sure exactly what needs to go in these fields since I never created any kind of username or password, only the pre-shared key.
Or do I need to create a VPN group? If so, what would the syntax look like?

I would appreciate your assistance.

Hi!

I myself don't have enough experience with VPN, but I'll comment anyway.
Any corrections and additions are welcome and also please show us the final working configuration and tips.

Now -

1)
what about this:

sysopt connection permit-ipsec


2)
What version is your PIX?
Have you installed the activation key for DES/3DES ?
(Look in the "show ver" output)

3)
You are going to use IPSEC "Tunnel" mode right?
so what internal IP will the remote users get?
You should add these:

ip local pool mypool ...
isakmp client configuration address-pool local mypool outside

4)
Remember that (as far as I know), the PIX treats VPN connections as coming from "outside" even when they get an internal IP address.
So you must also implement an access-list/conduit and NAT 0 or STATIC to let the remote users access internal hosts and get responses.

5)
Check that the client IPSEC configuration matches the PIX, check also the DH GROUP version on both.

6)
See these links:

Bye
Yizhar


Yizhar Hurwitz
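Pulling the points from the reply together, here is one way the missing pieces could look on a PIX 6.x, written as an added example; it is not the poster's or Yizhar's configuration. It assumes the inside network 192.168.11.0/24 (taken from the telnet line in the posted config), a constructed client address pool 10.10.10.0/24, a group name `remoteusers` and an inside DNS server 192.168.11.5; the `!` lines are annotations, not PIX commands, and must be dropped before pasting.

```cisco
! Address pool handed to dial-in VPN clients (constructed range)
ip local pool vpnpool 10.10.10.1-10.10.10.50

! Point 4 of the reply: exempt inside<->client traffic from NAT,
! otherwise replies to the clients are translated and the tunnel breaks
access-list nonat permit ip 192.168.11.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat

! Point 1 of the reply: let decrypted IPsec traffic bypass the
! outside interface's access-list/conduit checks
sysopt connection permit-ipsec

! Same phase-2 and dynamic crypto map as the posted config
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map mymap 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic mymap
! Point 3 of the reply: let the PIX hand out pool addresses (mode config)
crypto map dyn-map client configuration address initiate
crypto map dyn-map client configuration address respond
crypto map dyn-map interface outside

isakmp enable outside
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
! Point 5 of the reply: the Cisco VPN Client 3.x negotiates DH group 2,
! so the posted "group 1" will not match it
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! The "group name" field in the 3.x client is this vpngroup name and its
! password is the pre-shared key; the wildcard "isakmp key" line is not needed
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers dns-server 192.168.11.5
vpngroup remoteusers default-domain example.com
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password ********
```

The client's username/password fields are for XAUTH, which is only negotiated if `crypto map dyn-map client authentication <aaa-server-tag>` and a matching `aaa-server` entry are added; without them the client authenticates with the group name and group password alone.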