setup pix 501 for cisco vpn client

[rbelt]

again, I'm out of my comfort level on the pix. I have the pix running as a pptp endpoint (thanks to many comments from Yizhar) and now I want to switch to use the cisco vpn client. I've tried some configuration settings using the web interface and while I get some communication between the two points, I never get a connection. can someone shoot me a link on how to do this (everything I find @ cisco tells me how to connect to a vpn concentrator or something more complicated than what I want). I'd like to do this without breaking the pptp until I know the vpn client works... The real goal is to get split tunnel working OR getting the connected client to be able to access the internet through the remote connection (preferable).

a link to the pptp setup w/some config info:

thread35-546587

 

[ewiley]

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_62/config/basclnt.htm

For simple setups, just ignore the aaa-server commands, unless you actually have a aaa server. Some will argue that vpnclient group passwords aren't strong enough auth, but it'll work.

If your pix has a recent OS version on it, make sure you get the Cisco VPN client 3.x or 4.x, that way you can use the vpnclient commands. (Note: the setup for the VPN clinet 3.x is exactly the same as the VPN client 3000)

Make sure you use the following commands:

! - cisco VPN client uses IPSEC by default, so allow it:
sysopt connection permit-ipsec

! - Allows ipsec traffic to be passed correctly:
no sysopt route dnat

From what I saw of your config from the thread you linked, that should be all you need.

 

[rbelt]

So I spent a couple of hours messing around with this this morning. I was able to get most of the way but the vpn client hangs after:

Initializing the connection...
Contacting the gateway @ ipaddress...
Negotiating security policies...
Securing communication channel...

here is a truncated config:
deadfred# sho run

PIX Version 6.2(1)

access-list permit-vpn-pool permit ip 10.10.10.0 255.255.255.0 192.168.222.0 255.255.255.0

ip address outside x.x.x.188 255.255.255.0
ip address inside 10.10.10.1 255.255.255.0

ip local pool vpn-pool 192.168.222.1-192.168.222.254

global (outside) 1 interface
nat (inside) 0 access-list permit-vpn-pool
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 x.x.x.1 1

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local

sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup cisco%vpn address-pool vpn-pool
vpngroup cisco%vpn dns-server 10.10.10.5
vpngroup cisco%vpn idle-time 1800
vpngroup cisco%vpn password ********

deadfred#

Not sure why it's hanging -- what is the 'crypto ipsec transform-set' all about and does this need to match the isakmp settings? I've tried various authentication and encryption settings without change (although when I set the isakmp encryption to des, it would fail with a 'Failed to establish a secure connection to the security gateway' -- even though the group passwords were correct...).

thanks

//RB

 

[franksoprano]

Does the VPN client come with the PIX 501??

 

[rbelt]

no it does not...

Does anyone have a suggestion on why this connection fails?

thanks

//RB

 

[themut]

Either your configuration is not posted completely or you have not confiugred a crypto map and apply this cryptomap to the outside interface. The transform set is matched to the crypto map. Use this guideline as an example:

http://www.cisco.com/warp/public/110/pix3000.html

Hope this helps!

 

[rbelt]

got it! Added these lines and bingo!

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

I don't understand the dynamic-map stuff yet but will read up on it tomorrow. -- the only problem left is that I still can't surf the internet while connected to the remote side -- I need to set up split tunnel or routing out the other side... I'm reading up on this but if someone has some suggestions.

thanks again!

//RB

 

[themut]

Your best bet is to configure split tunneling. Just add the line:

vpngroup cisco%vpn split-tunnel permit-vpn-pool

You should be set.

 

[rbelt]

Awesome! Thanks for the help!

Two education questions:

1) It is my understanding that split tunnel allows traffic not destined to the gateway side lan to bypass the VPN/remote connection altogether (e.g. web surfing will go directly to the internet and not through the vpn tunnel and back out the gateway side connection) -- How does this fit in with the 'Allow local LAN access' option on the client side (this option doesn't seem to change anything).

2) Because I'm using vpngroups for logon security, what concerns should I be aware of (other than the obvious factor that everyone is sharing the same password...)? Also, I'm assuming that the only way to work a per user logon process with IPSec is to offload AAA (e.g. radius) -- yes?

thanks again!

//RB

 

[themut]

1) Allow local LAN access enable you to access local resources while you are connected to the VPN. Remember when you connect to the VPN you are assigned a different IP address than your local LAN.

2) You will need a AAA server (tacacs+ or radius). Here´s a link using IAS radius:

http://www.cisco.com/warp/customer/110/cvpn3k_pix_ias.html

Cheers!

 

[rbelt]

the strange thing is that I'm able to access local resources regardless of the setting on the client (ping, map drive, etc...). I'm not too concerned other than others reading this may want to lock this down some how...

Something is wrong w/my cco logon but once I get it cleared up, I'll check out the article (thanks!) --

//RB