08-14-2007 12:05 AM - edited 02-21-2020 03:12 PM
Hi all!
I have a question.
On the PIX 535 I already have some VPNs (site-to-site) and I want to set up Easy VPN Server on it.
Do they work together?
08-14-2007 12:40 AM
Yes it does, just add the dynamic crypto map to the existing crypto-map.
Ex.
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 1 ipsec-isakmp dynamic myDYN-MAP
08-14-2007 02:50 AM
I mean that I already have this working config:
crypto ipsec transform-set P2Pset esp-des esp-md5-hmac
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 match address P2P
crypto map P2Pmap 9 set pfs group5
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 9 set transform-set P2Pset
crypto map P2Pmap 9 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap 10 ipsec-isakmp
crypto map P2Pmap 10 match address P2P2
crypto map P2Pmap 10 set pfs group2
crypto map P2Pmap 10 set peer 2.2.2.2
crypto map P2Pmap 10 set transform-set P2Pset
crypto map P2Pmap 11 ipsec-isakmp
crypto map P2Pmap 11 match address P2P3
crypto map P2Pmap 11 set pfs group2
crypto map P2Pmap 11 set peer 3.3.3.3
crypto map P2Pmap 11 set transform-set P2Pset
crypto map P2Pmap 11 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap interface VPN
isakmp enable VPN
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 5
isakmp policy 9 lifetime 86400
And now I want to set up Easy VPN Server for the peer 4.4.4.4. What must I add to my config?
I think that it will be:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
then
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap client authentication LOCAL
Then I do the vpngroup and users, and that's all.
Am I right?
08-14-2007 03:30 AM
Yes, but with easyvpn you rarely need to configure a peer address and assign an acl to the dynamic crypto-map because most config goes into the vpngroup. But it should work as you want it to anyway.
I would exclude these lines:
no crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
no crypto map P2Pmap 12 set peer 4.4.4.4
You also need to configure the vpngroup with split-tunnel, and nat exemption as usual.
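
As an added example (not part of the thread or Cisco's tooling), this Python sketch parses PIX crypto map lines and flags the two lines the last reply suggests excluding, plus a dynamic map with no transform-set. The ordering check is an assumption from Cisco's general guidance that the dynamic entry should carry the highest sequence number in the map; the function name `audit` and the finding texts are hypothetical.

```python
import re

# Constructed sample: one site-to-site entry from the thread plus the
# Easy VPN additions proposed in the question (names as posted).
SAMPLE = """\
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 match address P2P
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 9 set transform-set P2Pset
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap interface VPN
"""

def audit(config):
    """Return findings about how a dynamic map is attached to a crypto map."""
    entries, dynamic, dyn_attrs, findings = {}, {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto dynamic-map (\S+) (\d+) (.+)", line)
        if m:
            dyn_attrs.setdefault(m.group(1), []).append(m.group(3))
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)", line)
        if not m:
            continue  # lines without a sequence number, e.g. "interface VPN"
        key, rest = (m.group(1), int(m.group(2))), m.group(3)
        if rest.startswith("ipsec-isakmp dynamic "):
            dynamic[key] = rest.split()[-1]
        else:
            entries.setdefault(key, []).append(rest)
    for (name, seq), dyn in sorted(dynamic.items()):
        attrs = dyn_attrs.get(dyn, [])
        if not any(a.startswith("set transform-set ") for a in attrs):
            findings.append(f"{name} {seq}: dynamic-map {dyn} has no transform-set")
        if any(a.startswith("match address ") for a in attrs):
            findings.append(f"{name} {seq}: dynamic-map {dyn} has match address")
        if any(a.startswith("set peer ") for a in entries.get((name, seq), [])):
            findings.append(f"{name} {seq}: set peer on dynamic entry")
        # Assumption (general Cisco guidance, not stated in the thread):
        # static peers should be evaluated before the dynamic entry.
        statics = [s for (n, s) in entries if n == name and (n, s) not in dynamic]
        if any(s > seq for s in statics):
            findings.append(f"{name} {seq}: static entry follows dynamic entry")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```
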