PIX 6.3.5 disabling Xauth and Modecfg for one peer

Unanswered Question
Jun 10th, 2008


The PIX is used as an Easy VPN server and an L2L gateway at the same time. I have difficulties with a new L2L VPN (isakmp authentication rsa-sig) because the PIX sends Xauth and Modecfg requests and the peer (a Linux box with OpenSwan) tries to interpret them ("received MODECFG message when in state STATE_MAIN_I4, and we aren't xauth client"), and the VPN setup fails after phase 1.

I tried to disable Xauth and Modecfg for this peer with "isakmp peer fqdn FQDN no-xauth no-config-mode" but the PIX still sends the Xauth and Modecfg requests.

Can anyone give me a clue what the FQDN should be? (The result of a DNS reverse lookup of the peer's IP, the FQDN from the certificate, or any other tips?)



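For reference, here is an added PIX 6.3 configuration sketch illustrating the situation described in the question: one crypto map that serves Easy VPN remote clients (which is what switches on Xauth and Modecfg) and a certificate-authenticated L2L peer that is exempted per peer. This is not configuration from the original post or from Cisco; the map, ACL, pool and group names, the addresses, and the peer FQDN vpn.example.net are invented for the example, and certificate enrollment (the ca commands) is left out. Lines beginning with a colon are comments.

```cisco
: Added example, not from the thread. Hostnames, addresses and names are invented.

: Phase 1: rsa-sig for the L2L peer, pre-shared keys for the Easy VPN clients.
isakmp enable outside
isakmp identity hostname
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

: Easy VPN server side. These two lines are what make the PIX send the
: Xauth and Modecfg (client configuration) requests to every peer.
ip local pool EZPOOL 192.168.100.1-192.168.100.50
vpngroup EZVPN address-pool EZPOOL
vpngroup EZVPN password ********
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP client authentication LOCAL
crypto map OUTSIDE_MAP client configuration address respond

: Static L2L entry for the OpenSwan peer.
access-list L2L_ACL permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address L2L_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA

: Per-peer exemption from Xauth and Modecfg. The fqdn form is the one used
: in the question; the ip form is assumed to be accepted by 6.3 as well.
isakmp peer fqdn vpn.example.net no-xauth no-config-mode
: isakmp peer ip 203.0.113.10 no-xauth no-config-mode

crypto map OUTSIDE_MAP interface outside
```

The assumption behind the fqdn form is that the PIX compares it with the identity the peer presents in its IKE ID payload during Main Mode, not with a reverse DNS lookup; for an OpenSwan peer authenticating with certificates, that identity is whatever its leftid is set to (typically the FQDN carried in the certificate's subjectAltName). If the two strings differ, the exemption never matches and the PIX keeps sending Xauth and Modecfg. A way to check which identity the PIX actually sees is to watch debug crypto isakmp output for the ID payload during the failing negotiation and then use exactly that string in the isakmp peer command.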
aghaznavi Mon, 06/16/2008 - 07:53

Try "no crypto xauth interface-name" on the specific interface, where the interface is the crypto map interface or IKE endpoint, to bypass the authentication.

orbanattila Tue, 06/17/2008 - 00:06

It's not a valid command ...

(config)# no crypto xauth outside

Invalid keyword: "xauth"

As I mentioned earlier, Xauth cannot be disabled globally because it is needed for EZVPN.

Thanks anyway

