Easy VPN Server

andrey.v.tyurin
Level 1

Hi all!

I have a question.

On the PIX 535 I already have some VPNs (Site to Site) and I want to do Easy VPN Server on it.

Do they work together?

3 Replies

mattiaseriksson
Level 3

Yes it does, just add the dynamic crypto map to the existing crypto-map.

Ex.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET

crypto map myMAP 1 ipsec-isakmp dynamic myDYN-MAP

I mean that I already have this working config:

crypto ipsec transform-set P2Pset esp-des esp-md5-hmac

crypto map P2Pmap 9 ipsec-isakmp

crypto map P2Pmap 9 match address P2P

crypto map P2Pmap 9 set pfs group5

crypto map P2Pmap 9 set peer 1.1.1.1

crypto map P2Pmap 9 set transform-set P2Pset

crypto map P2Pmap 9 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map P2Pmap 10 ipsec-isakmp

crypto map P2Pmap 10 match address P2P2

crypto map P2Pmap 10 set pfs group2

crypto map P2Pmap 10 set peer 2.2.2.2

crypto map P2Pmap 10 set transform-set P2Pset

crypto map P2Pmap 11 ipsec-isakmp

crypto map P2Pmap 11 match address P2P3

crypto map P2Pmap 11 set pfs group2

crypto map P2Pmap 11 set peer 3.3.3.3

crypto map P2Pmap 11 set transform-set P2Pset

crypto map P2Pmap 11 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map P2Pmap interface VPN

isakmp enable VPN

isakmp key ******** address 1.1.1.1 netmask 255.255.255.255

isakmp key ******** address 2.2.2.2 netmask 255.255.255.255

isakmp key ******** address 3.3.3.3 netmask 255.255.255.255

isakmp identity address

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption des

isakmp policy 9 hash md5

isakmp policy 9 group 5

isakmp policy 9 lifetime 86400

And now I want to do Easy VPN Server for the peer 4.4.4.4. What must I write in my config?

I think that it will be:

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

then

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5

crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map

crypto map P2Pmap 12 set peer 4.4.4.4

crypto map P2Pmap client authentication LOCAL

then I do vpngroup and users, and that's all....

Am I right???

Yes, but with easyvpn you rarely need to configure a peer address and assign an acl to the dynamic crypto-map because most config goes into the vpngroup. But it should work as you want it to anyway.

I would exclude these lines:

no crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10

no crypto map P2Pmap 12 set peer 4.4.4.4

You also need to configure the vpngroup with split-tunnel, and nat exemption as usual.
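A small review check for the proposed crypto map lines, added here as an example and not part of the thread: it flags the two lines the last reply suggests excluding (`set peer` on the dynamic entry, `match address` on the dynamic map). As an assumption beyond the thread (general crypto map practice), it also flags a dynamic entry whose sequence number is lower than a static entry's. The function name `lint_easyvpn` and the abbreviated sample are constructed.

```python
import re

# Constructed sample: crypto map lines from the thread's proposed config, abbreviated.
PROPOSED = """\
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 11 ipsec-isakmp
crypto map P2Pmap 11 set peer 3.3.3.3
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap client authentication LOCAL
crypto map P2Pmap interface VPN
"""

ENTRY = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+) (.+)$")

def lint_easyvpn(config):
    """Return review findings for a dynamic entry added to a static crypto map."""
    static, dynamic, map_opts, dyn_opts = set(), {}, [], []
    for line in (l.strip() for l in config.splitlines()):
        m = ENTRY.match(line)
        if not m:
            continue  # e.g. "crypto map NAME interface ..." has no sequence number
        kind, name, seq, rest = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if kind == "dynamic-map":
            dyn_opts.append((name, rest, line))
        elif rest.startswith("ipsec-isakmp dynamic "):
            dynamic[(name, seq)] = rest.split()[2]  # name of the referenced dynamic map
        elif rest == "ipsec-isakmp":
            static.add((name, seq))
        else:
            map_opts.append((name, seq, rest, line))
    findings = []
    for name, seq, rest, line in map_opts:
        if (name, seq) in dynamic and rest.startswith("set peer "):
            findings.append("drop: " + line)  # per the reply: no peer on the dynamic entry
    for dname, rest, line in dyn_opts:
        if dname in dynamic.values() and rest.startswith("match address "):
            findings.append("drop: " + line)  # per the reply: no ACL on the dynamic map
    for (name, seq) in dynamic:
        later = sorted(s for (n, s) in static if n == name and s > seq)
        if later:  # assumption: general practice, not stated in the thread
            findings.append("order: %s %d is evaluated before static %s" % (name, seq, later))
    return findings
```
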
