Easy VPN Server

Unanswered Question
Aug 14th, 2007

Hi all!

I have a question.

On the PIX 535 I already have some VPNs (site-to-site) and I want to do Easy VPN Server on it.

Do they work together?

mattiaseriksson Tue, 08/14/2007 - 00:40

Yes it does, just add the dynamic crypto map to the existing crypto map.

Ex.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 1 ipsec-isakmp dynamic myDYN-MAP

andrey.v.tyurin Tue, 08/14/2007 - 02:50

I mean that I already have this working config:

crypto ipsec transform-set P2Pset esp-des esp-md5-hmac
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 match address P2P
crypto map P2Pmap 9 set pfs group5
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 9 set transform-set P2Pset
crypto map P2Pmap 9 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap 10 ipsec-isakmp
crypto map P2Pmap 10 match address P2P2
crypto map P2Pmap 10 set pfs group2
crypto map P2Pmap 10 set peer 2.2.2.2
crypto map P2Pmap 10 set transform-set P2Pset
crypto map P2Pmap 11 ipsec-isakmp
crypto map P2Pmap 11 match address P2P3
crypto map P2Pmap 11 set pfs group2
crypto map P2Pmap 11 set peer 3.3.3.3
crypto map P2Pmap 11 set transform-set P2Pset
crypto map P2Pmap 11 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap interface VPN
isakmp enable VPN
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 5
isakmp policy 9 lifetime 86400

and now I want to do Easy VPN Server for the peer 4.4.4.4. What must I write in my config?

I think that it will be:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

then

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap client authentication LOCAL

then I do vpngroup and users and that's all....

Am I right???

mattiaseriksson Tue, 08/14/2007 - 03:30

Yes, but with easyvpn you rarely need to configure a peer address and assign an acl to the dynamic crypto-map because most config goes into the vpngroup. But it should work as you want it to anyway.

I would exclude these lines:

no crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
no crypto map P2Pmap 12 set peer 4.4.4.4

You also need to configure the vpngroup with split-tunnel, and NAT exemption as usual.
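The two points raised in this thread (the dynamic entry goes into the existing crypto map, and it should not carry a fixed peer or a match ACL) can be checked mechanically, along with the rule that a dynamic entry must sort after every static site-to-site entry, since the PIX evaluates a crypto map in ascending sequence order. The script below is an added example, not Cisco tooling and not code posted in the thread; the sample config is constructed from the configuration posted above plus the proposed dynamic entry, and the weak-algorithm list (DES, MD5, DH groups 1 and 2) reflects current practice, not anything stated in the thread.

```python
"""Lint a PIX 6.x crypto map that mixes site-to-site entries with an
Easy VPN (dynamic) entry.  Added example; sample config is constructed
from the posted configuration plus the proposed dynamic entry."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
crypto ipsec transform-set P2Pset esp-des esp-md5-hmac
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 match address P2P
crypto map P2Pmap 9 set pfs group5
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 10 ipsec-isakmp
crypto map P2Pmap 10 match address P2P2
crypto map P2Pmap 10 set pfs group2
crypto map P2Pmap 10 set peer 2.2.2.2
crypto map P2Pmap 11 ipsec-isakmp
crypto map P2Pmap 11 match address P2P3
crypto map P2Pmap 11 set peer 3.3.3.3
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap interface VPN
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 5
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

STATIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
DYNAMIC_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")

# Algorithms a 2007-era PIX accepts that should no longer be deployed.
WEAK_PATTERNS = {
    r"\besp-des\b": "single DES (56-bit) ESP encryption",
    r"\besp-md5-hmac\b": "HMAC-MD5 ESP integrity",
    r"\bencryption des\b": "single DES ISAKMP encryption",
    r"\bhash md5\b": "MD5 ISAKMP hash",
    r"\bgroup ?[12]\b": "DH group 1/2 (<= 1024-bit modulus)",
}


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def parse_crypto_maps(config):
    """Return {map_name: {"static": [seq, ...], "dynamic": [(seq, dyn_map), ...]}}."""
    maps = defaultdict(lambda: {"static": [], "dynamic": []})
    for line in _lines(config):
        m = DYNAMIC_RE.match(line)
        if m:
            maps[m.group(1)]["dynamic"].append((int(m.group(2)), m.group(3)))
            continue
        m = STATIC_RE.match(line)
        if m:
            maps[m.group(1)]["static"].append(int(m.group(2)))
    return dict(maps)


def check_dynamic_ordering(config):
    """A dynamic entry numbered at or below a static peer entry is evaluated
    first and can catch traffic meant for that peer; one finding per case."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        if not entries["static"]:
            continue
        top_static = max(entries["static"])
        for seq, dyn in entries["dynamic"]:
            if seq <= top_static:
                findings.append(f"crypto map {name}: dynamic entry {seq} ({dyn}) "
                                f"must be numbered above static entry {top_static}")
    return findings


def check_dynamic_extras(config):
    """Flag 'set peer' on a dynamic crypto map entry and 'match address' on the
    dynamic map itself: Easy VPN clients have no fixed address and the policy
    comes from the vpngroup, so these lines are usually mistakes."""
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        for seq, dyn in entries["dynamic"]:
            for line in _lines(config):
                if line.startswith(f"crypto map {name} {seq} set peer "):
                    findings.append(line)
                if re.match(rf"^crypto dynamic-map {re.escape(dyn)} \d+ match address ", line):
                    findings.append(line)
    return findings


def find_weak_algorithms(config):
    """Return (line, reason) pairs for every weak algorithm reference."""
    findings = []
    for line in _lines(config):
        for pat, why in WEAK_PATTERNS.items():
            if re.search(pat, line):
                findings.append((line, why))
    return findings


if __name__ == "__main__":
    for f in check_dynamic_ordering(SAMPLE_CONFIG) + check_dynamic_extras(SAMPLE_CONFIG):
        print("WARN", f)
    for line, why in find_weak_algorithms(SAMPLE_CONFIG):
        print("WEAK", why, "<-", line)
```

Run against the sample, the ordering check passes (12 is above 9, 10 and 11), the extras check reports exactly the two lines the reply above says to remove, and the weak-algorithm check lists every DES, MD5 and group 2 reference in the transform sets, PFS settings and ISAKMP policies.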
