08-14-2007 12:05 AM - edited 02-21-2020 03:12 PM
Hi all!
I have a question.
On the PIX 535 I already have some VPNs (site-to-site) and I want to do Easy VPN Server on it.
Does it work together?
08-14-2007 12:40 AM
Yes it does, just add the dynamic crypto map to the existing crypto-map.
Ex.
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto map myMAP 1 ipsec-isakmp dynamic myDYN-MAP
08-14-2007 02:50 AM
I mean that I already have this working config:
crypto ipsec transform-set P2Pset esp-des esp-md5-hmac
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 match address P2P
crypto map P2Pmap 9 set pfs group5
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 9 set transform-set P2Pset
crypto map P2Pmap 9 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap 10 ipsec-isakmp
crypto map P2Pmap 10 match address P2P2
crypto map P2Pmap 10 set pfs group2
crypto map P2Pmap 10 set peer 2.2.2.2
crypto map P2Pmap 10 set transform-set P2Pset
crypto map P2Pmap 11 ipsec-isakmp
crypto map P2Pmap 11 match address P2P3
crypto map P2Pmap 11 set pfs group2
crypto map P2Pmap 11 set peer 3.3.3.3
crypto map P2Pmap 11 set transform-set P2Pset
crypto map P2Pmap 11 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map P2Pmap interface VPN
isakmp enable VPN
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption des
isakmp policy 9 hash md5
isakmp policy 9 group 5
isakmp policy 9 lifetime 86400
And now I want to do Easy VPN Server for the peer 4.4.4.4. What must I write in my config?
I think that it will be :
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
then
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
crypto map P2Pmap client authentication LOCAL
Then I do vpngroup and users, and that's all....
Am I right???
08-14-2007 03:30 AM
Yes, but with easyvpn you rarely need to configure a peer address and assign an acl to the dynamic crypto-map because most config goes into the vpngroup. But it should work as you want it to anyway.
I would exclude these lines:
no crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
no crypto map P2Pmap 12 set peer 4.4.4.4
You also need to configure the vpngroup with split-tunnel, and nat exemption as usual.
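An added example, not part of the thread: a small Python check run over a constructed config assembled from the lines posted above, flagging the two lines the last reply suggests excluding. The `audit` function and its finding labels are hypothetical names; the DES/MD5 and sequence-order checks are additions based on general Cisco guidance (dynamic entries get the highest sequence numbers so static peers match first), not points raised by the posters.

```python
import re

# Constructed sample: the thread's existing map (abridged) plus the proposed Easy VPN lines.
SAMPLE = """\
crypto ipsec transform-set P2Pset esp-des esp-md5-hmac
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 11 ipsec-isakmp
crypto map P2Pmap 11 set peer 3.3.3.3
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
isakmp policy 10 encryption des
isakmp policy 10 hash md5
"""

def audit(config):
    """Return a list of findings for a crypto config in the syntax used in the thread."""
    static, dynamic, findings = {}, {}, []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:  # pass 1: record which sequence numbers are static or dynamic
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic (\S+))?$", ln)
        if m:
            bucket = dynamic if m.group(3) else static
            bucket.setdefault(m.group(1), set()).add(int(m.group(2)))
    for ln in lines:  # pass 2: flag individual lines
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", ln)
        if m and int(m.group(2)) in dynamic.get(m.group(1), ()):
            findings.append(f"peer-on-dynamic: {ln}")
        if re.match(r"crypto dynamic-map \S+ \d+ match address ", ln):
            findings.append(f"acl-on-dynamic: {ln}")
        # DES and MD5 are deprecated algorithms (check added here, not from the thread).
        if re.search(r"\b(esp-des|esp-md5-hmac)\b"
                     r"|^isakmp policy \d+ (encryption des|hash md5)$", ln):
            findings.append(f"weak-crypto: {ln}")
    for name, dyn_seqs in dynamic.items():
        # Static peers should be evaluated first, so dynamic entries need the highest numbers.
        if static.get(name) and min(dyn_seqs) < max(static[name]):
            findings.append(f"dynamic-before-static: {name} {min(dyn_seqs)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```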