Easy VPN Server

andrey.v.tyurin
Level 1

Hi all!

I have a question.

On the PIX 535 I already have some VPNs (site-to-site) and I want to run an Easy VPN Server on it as well.

Do they work together?


mattiaseriksson
Level 3

Yes it does, just add the dynamic crypto map to the existing crypto map.

Ex.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 1 ipsec-isakmp dynamic myDYN-MAP

I mean that I already have this working config:

crypto ipsec transform-set P2Pset esp-des esp-md5-hmac
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 match address P2P
crypto map P2Pmap 9 set pfs group5
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 9 set transform-set P2Pset
crypto map P2Pmap 9 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap 10 ipsec-isakmp
crypto map P2Pmap 10 match address P2P2
crypto map P2Pmap 10 set pfs group2
crypto map P2Pmap 10 set peer 2.2.2.2
crypto map P2Pmap 10 set transform-set P2Pset
crypto map P2Pmap 11 ipsec-isakmp
crypto map P2Pmap 11 match address P2P3
crypto map P2Pmap 11 set pfs group2
crypto map P2Pmap 11 set peer 3.3.3.3
crypto map P2Pmap 11 set transform-set P2Pset
crypto map P2Pmap 11 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap interface VPN
isakmp enable VPN
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 5
isakmp policy 9 lifetime 86400

and now I want to set up an Easy VPN server for the peer 4.4.4.4. What must I add to my config?

I think that it will be:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

then

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap client authentication LOCAL

then I configure the vpngroup and the users, and that's all....

Am I right???

Yes, but with Easy VPN you rarely need to configure a peer address or assign an ACL to the dynamic crypto map, because most of the config goes into the vpngroup. But it should work as you want it to anyway.

I would exclude these lines:

no crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
no crypto map P2Pmap 12 set peer 4.4.4.4

You also need to configure the vpngroup with split-tunnel, and NAT exemption as usual.
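Putting the two replies together, here is an added example (not taken from the thread or from Cisco's own documentation) of what the complete Easy VPN server piece would look like next to the poster's existing P2Pmap on PIX 6.x. Everything beyond the poster's own names is an assumption: the inside network 10.1.1.0/24, the remote-client pool 10.1.2.0/24, the DNS server 10.1.1.10, the group name EZGROUP, the user ezuser, and the ACL names NONAT and SPLIT. The example also departs from the poster's config in two deliberate places: the remote-access transform set and ISAKMP policy use 3DES/SHA instead of DES/MD5 (DES and MD5 should not be relied on for new tunnels), and the dynamic entry is given the highest sequence number in P2Pmap so that the three static site-to-site entries are always matched first and the dynamic entry only catches peers no static entry claims. The lines beginning with `!---` are annotations in the style of Cisco's sample configs and are not typed into the PIX.

```cisco
!--- NAT exemption: traffic from the inside network to the remote-client pool
!--- must not be translated, or the clients will never see the inside hosts.
!--- (10.1.1.0/24 and 10.1.2.0/24 are assumed addresses.)
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

!--- Split-tunnel ACL: only the inside network is sent through the tunnel;
!--- everything else leaves the client unencrypted via its local gateway.
access-list SPLIT permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

!--- Address pool handed to Easy VPN clients (assumed range).
ip local pool EZVPN-POOL 10.1.2.1-10.1.2.50

!--- Phase 1 for remote-access clients. Group 2 is what the Cisco VPN client
!--- negotiates; 3DES/SHA is used here instead of the poster's DES/MD5.
!--- Policy 10 sits after the existing site-to-site policy 9.
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- Let clients behind NAT devices connect (UDP 4500 encapsulation).
isakmp nat-traversal 20

!--- Phase 2 for remote-access clients. No "match address" and no "set peer":
!--- the dynamic map accepts any peer that authenticates, and the proxy
!--- identities come from the client.
crypto ipsec transform-set EZ-SET esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set EZ-SET

!--- Append the dynamic entry to the poster's existing static map with the
!--- highest possible sequence number so entries 9, 10 and 11 win for
!--- 1.1.1.1, 2.2.2.2 and 3.3.3.3; only unknown peers fall through to it.
crypto map P2Pmap 65535 ipsec-isakmp dynamic outside_dyn_map

!--- XAUTH against the local user database, and IKE mode-config so the PIX
!--- pushes the pool address, DNS and split-tunnel list to the client.
crypto map P2Pmap client authentication LOCAL
crypto map P2Pmap client configuration address initiate
crypto map P2Pmap client configuration address respond

!--- The group the client selects, with its pre-shared group password
!--- (assumed names; replace ******** with a real group key).
vpngroup EZGROUP address-pool EZVPN-POOL
vpngroup EZGROUP dns-server 10.1.1.10
vpngroup EZGROUP split-tunnel SPLIT
vpngroup EZGROUP idle-time 1800
vpngroup EZGROUP password ********

!--- Per-user XAUTH credential (assumed user).
username ezuser password ********

!--- Allow decrypted IPsec traffic to bypass interface ACLs on the PIX,
!--- which the existing site-to-site tunnels most likely already rely on.
sysopt connection permit-ipsec
```

Two checks worth doing once this is in place: `show crypto map` should list the dynamic entry after the three static ones, and `show isakmp sa` / `show crypto ipsec sa` after a client connects should show the client's proxy identity as its pool address, while the site-to-site SAs for 1.1.1.1, 2.2.2.2 and 3.3.3.3 continue to match entries 9 to 11 unchanged.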