Cisco Support Community

New Member

1720 Dialup ISDN to Central PIX 515 (IPSec) + (IKE)

I have the above and I think I have the start of the ISAKMP key exchange when dialup ISDN is initiated, but I don't quite understand how to set up the dynamic crypto maps on the PIX. This will be the first 1720 spoke router of many, and I need to know how to do these dynamic maps, firstly to get the one going but then to support more spoke routers with different pre-shared keys. Can any kind soul point me to a template config? Ta!

New Member

Re: 1720 Dialup ISDN to Central PIX 515 (IPSec) + (IKE)

Check out this config. It shows an implementation of dynamic crypto maps:

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption

hostname dino

boot system flash c4500-is56-mz
! Enable AAA services here...
aaa new-model
aaa authentication ppp default radius local
enable secret 5 $1$h5mh$Qim2SVFXJx9azY7fbJzJA/
enable password cisco

username munchkin password 7 HJ*UJKLLJ
ip subnet-zero
ip domain-name
ip name-server

! Enable VPN/VPDN services and define groups and their particular variables
vpdn enable

vpdn-group 1
! Default L2TP VPDN group
! Allow the router to accept incoming requests.
 accept dialin l2tp virtual-template 1
! Tunnel authentication is used in the LNS to LAC, aka NAS initiated L2TP tunnel,
! users are authenticated at the NAS or LNS before the tunnel is established. Not required for client-initiated tunnels.
 no l2tp tunnel authentication

! These are the IKE policies the router will accept
crypto isakmp policy 4

crypto isakmp policy 5
 hash md5

crypto isakmp policy 6
 hash md5
 group 2

! For IKE and Wildcard Pre-shared keys use this
crypto isakmp key ciscosys address

! Define the IPsec policies the router will accept/propose. For L2TP connections
! the mode should be transport
crypto ipsec transform-set desmd5tr esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set ahshatr ah-sha-hmac
 mode transport
crypto ipsec transform-set ahmd5tr ah-md5-hmac
 mode transport

! Set up a dynamic crypto map template
crypto dynamic-map iosmsdyn 1
 set security-association lifetime seconds 120
 set transform-set ahmd5tr
 match address 110

! If you are using rsa-signatures, include your CA identity. This identity is configured to
! use the Microsoft CA with SCEP support.
crypto ca identity
 enrollment retry count 100
 enrollment mode ra
 enrollment url http://cisco-b0tpppy88:80/certsrv/mscep/mscep.dll
 crl optional

! Certs removed for convenience
crypto ca certificate chain
 certificate 615D1CBC000000000006
 certificate ra-sign 710685AF000000000004
 certificate 615D299B000000000007
 certificate ca 578242EB5428E68A4D02516EF449B266
 certificate ra-encrypt 71068B79000000000005

! Apply the dynamic crypto map template to an actual crypto map
crypto map iosmsdyn 1 ipsec-isakmp dynamic iosmsdyn

interface Ethernet0
 ip address
 no ip redirects
 no ip directed-broadcast
 crypto map iosmsdyn

interface Virtual-Template1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 peer default ip address pool vpdn
 ppp authentication ms-chap

router rip
 redistribute connected
 redistribute static

! Define your local address pool and any other dynamically assigned information
ip local pool vpdn
no ip classless
ip route
no ip http server

access-list 110 permit udp host any eq 1701
access-list 110 permit udp any eq 1701 host
access-list 110 permit udp host eq 1701 any

radius-server host auth-port 1645 acct-port 1646
radius-server key kitchen

line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco



(Configuration courtesy of Natalie Timms)
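The reply above shows the IOS side; the PIX 515 side the question asks about looks like the following. This is an added example for a PIX running 6.x software, not part of the original reply or Natalie Timms's config, and every address, name and key in it is a constructed placeholder. The key point it illustrates: a PIX selects a pre-shared key by the peer's source address, so a distinct key per spoke only works for spokes with a fixed address; spokes that dial in from an unknown address can only match the wildcard entry and therefore all share one key, which is why the posted IOS config also carries the certificate (rsa-sig) path.

```text
! Constructed example, PIX 6.x syntax (not from the original post).
! Placeholders: inside LAN 10.1.1.0/24, spoke LANs 10.2.0.0/16

! Exempt hub-to-spoke traffic from NAT and let decrypted IPsec traffic
! bypass the outside interface access list
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec

! IKE phase 1: one policy, pre-shared key authentication, peer identified by address
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Per-spoke keys: the key is looked up by the peer's source address, so a
! separate key per spoke requires a spoke whose address is fixed (/32 match).
isakmp key SPOKE-A-KEY-PLACEHOLDER address 198.51.100.10 netmask 255.255.255.255
isakmp key SPOKE-B-KEY-PLACEHOLDER address 198.51.100.11 netmask 255.255.255.255
! Spokes dialling in from an address not known in advance can only match this
! wildcard entry, so they all share it; if that key leaks from one spoke, any peer
! holding it can authenticate as a spoke. Certificates (rsa-sig) avoid that.
isakmp key WILDCARD-KEY-PLACEHOLDER address 0.0.0.0 netmask 0.0.0.0

! IKE phase 2: transform set, a dynamic map with no fixed peer and no match ACL,
! and the static map that binds the dynamic map as its catch-all entry
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map hubmap 10 ipsec-isakmp dynamic dynmap
crypto map hubmap interface outside
```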