New Member

1720 Dialup ISDN to Central PIX 515 (IPSec) + (IKE)

I have the above and I think I have the start of the ISAKMP key exchange when dialup ISDN is initiated but I don't quite understand how to set up the dynamic crypto maps on the PIX. This will be the first 1720 spoke router of many and I need to know how to do these dynamic maps firstly to get the one going but then to support more spoke routers with different pre-shared keys. Can any kind soul point me to a template config? Ta!

1 REPLY
New Member

Re: 1720 Dialup ISDN to Central PIX 515 (IPSec) + (IKE)

Check out this config. It shows an implementation of dynamic crypto maps:

version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname dino
!
boot system flash c4500-is56-mz
! Enable AAA services here
aaa new-model
aaa authentication ppp default radius local
enable secret 5 $1$h5mh$Qim2SVFXJx9azY7fbJzJA/
enable password cisco
!
username munchkin password 7 HJ*UJKLLJ
ip subnet-zero
ip domain-name cisco.com
ip name-server 10.0.0.4
!
! Enable VPN/VPDN services and define groups and their particular variables
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
! Allow the router to accept incoming requests.
 accept dialin l2tp virtual-template 1
! Tunnel authentication is used in the LNS to LAC (aka NAS-initiated) L2TP tunnel:
! users are authenticated at the NAS or LNS before the tunnel is established.
! Not required for client-initiated tunnels.
 no l2tp tunnel authentication
!
! These are the IKE policies the router will accept
crypto isakmp policy 4
!
crypto isakmp policy 5
 hash md5
!
crypto isakmp policy 6
 hash md5
 group 2
!
! For IKE and wildcard pre-shared keys use this
crypto isakmp key ciscosys address 0.0.0.0
!
! Define the IPsec policies the router will accept/propose. For L2TP connections
! the mode should be transport.
crypto ipsec transform-set desmd5tr esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set ahshatr ah-sha-hmac
 mode transport
crypto ipsec transform-set ahmd5tr ah-md5-hmac
 mode transport
!
! Set up a dynamic crypto map template
crypto dynamic-map iosmsdyn 1
 set security-association lifetime seconds 120
 set transform-set ahmd5tr
 match address 110
!
! If you are using rsa-signatures, include your CA identity. This identity is configured to
! use the Microsoft CA with SCEP support.
!
crypto ca identity cisco.com
 enrollment retry count 100
 enrollment mode ra
 enrollment url http://cisco-b0tpppy88:80/certsrv/mscep/mscep.dll
 crl optional
!
! Certs removed for convenience
!
crypto ca certificate chain cisco.com
 certificate 615D1CBC000000000006
 certificate ra-sign 710685AF000000000004
 certificate 615D299B000000000007
 certificate ca 578242EB5428E68A4D02516EF449B266
 certificate ra-encrypt 71068B79000000000005
!
! Apply the dynamic crypto map template to an actual crypto map
crypto map iosmsdyn 1 ipsec-isakmp dynamic iosmsdyn
!
interface Ethernet0
 ip address 10.0.0.7 255.255.255.0
 no ip redirects
 no ip directed-broadcast
 crypto map iosmsdyn
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 no ip directed-broadcast
 peer default ip address pool vpdn
 ppp authentication ms-chap
!
router rip
 redistribute connected
 redistribute static
 network 192.168.0.0
!
! Define your local address pool and any other dynamically assigned information
ip local pool vpdn 192.168.2.10 192.168.2.15
no ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.100
no ip http server
!
access-list 110 permit udp host 192.168.0.7 any eq 1701
access-list 110 permit udp any eq 1701 host 192.168.0.7
access-list 110 permit udp host 192.168.0.7 eq 1701 any
!
radius-server host 192.168.0.4 auth-port 1645 acct-port 1646
radius-server key kitchen
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco
!
end

(Configuration courtesy of Natalie Timms)
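The config above answers the "how do I build a dynamic crypto map" part of the question, but a hub that accepts peers from any address deserves a review before more spokes are added. The script below is an added example, not part of the forum post or of Cisco's tooling: it parses an IOS-style config into top-level commands and their indented children and reports the settings a reviewer would question in the posted template. The SAMPLE_CONFIG string is a subset of the reply's own lines (lowercased to canonical form); the finding codes, the transform-name sets and the parse_blocks/audit helpers are this example's own invention.

```python
from typing import Dict, List, Tuple

# Subset of the IOS config quoted in the reply above, reduced to the crypto,
# CA and VPDN sections that the audit below inspects (constructed sample input).
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 hash md5
crypto isakmp policy 6
 hash md5
 group 2
crypto isakmp key ciscosys address 0.0.0.0
crypto ipsec transform-set desmd5tr esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set ahmd5tr ah-md5-hmac
 mode transport
crypto dynamic-map iosmsdyn 1
 set security-association lifetime seconds 120
 set transform-set ahmd5tr
 match address 110
crypto ca identity cisco.com
 crl optional
vpdn-group 1
 no l2tp tunnel authentication
crypto map iosmsdyn 1 ipsec-isakmp dynamic iosmsdyn
"""

Block = Tuple[str, List[str]]  # (top-level command, its indented sub-commands)

# Transform names that provide confidentiality; AH-only sets authenticate but do not encrypt.
ENCRYPTING = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
# Transforms a reviewer would flag as weak (single DES, MD5-based integrity).
WEAK = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}


def parse_blocks(text: str) -> List[Block]:
    """Group an IOS config into top-level commands and their indented children.

    Blank lines and '!' comment/separator lines are ignored, as IOS itself does.
    """
    blocks: List[Block] = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(stripped)   # sub-command of the previous top-level line
        else:
            blocks.append((stripped, []))
    return blocks


def audit(text: str) -> Dict[str, List[str]]:
    """Return findings keyed by a short code; each value lists the commands involved."""
    findings: Dict[str, List[str]] = {}

    def add(code: str, detail: str) -> None:
        findings.setdefault(code, []).append(detail)

    blocks = parse_blocks(text)

    # Pass 1: collect transform sets so dynamic maps can be checked against them.
    transform_sets: Dict[str, List[str]] = {}
    for cmd, _ in blocks:
        w = cmd.lower().split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            transform_sets[w[3]] = w[4:]

    # Pass 2: evaluate each block.
    for cmd, children in blocks:
        w = cmd.lower().split()
        kids = [c.lower() for c in children]
        if w[:3] == ["crypto", "isakmp", "key"] and "address" in w:
            idx = w.index("address") + 1
            # A 0.0.0.0 wildcard means every peer shares one secret, so the hub
            # cannot tell spokes apart or retire one spoke's key on its own.
            if idx < len(w) and w[idx] == "0.0.0.0":
                add("WILDCARD_PSK", cmd)
        elif w[:3] == ["crypto", "isakmp", "policy"] and "hash md5" in kids:
            add("IKE_MD5", cmd)
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            transforms = set(w[4:])
            if transforms & WEAK:
                add("WEAK_TRANSFORM", cmd)
            if not transforms & ENCRYPTING:
                add("NO_ENCRYPTION", cmd)
        elif w[:2] == ["crypto", "dynamic-map"]:
            for c in kids:
                if c.startswith("set transform-set"):
                    for name in c.split()[2:]:
                        # L2TP payload protected only by AH travels in the clear.
                        if name in transform_sets and not set(transform_sets[name]) & ENCRYPTING:
                            add("DYNMAP_NO_ENCRYPTION", f"{cmd} -> {name}")
        elif w[:3] == ["crypto", "ca", "identity"] and "crl optional" in kids:
            add("CRL_OPTIONAL", cmd)   # revoked spoke certificates would still be accepted
        elif w[0] == "vpdn-group" and "no l2tp tunnel authentication" in kids:
            add("L2TP_TUNNEL_AUTH_OFF", cmd)
    return findings


if __name__ == "__main__":
    for code, details in audit(SAMPLE_CONFIG).items():
        for detail in details:
            print(f"{code:22} {detail}")
```

Run against the posted template, the audit reports the wildcard pre-shared key, MD5 in both IKE policies, the AH-only transform set actually selected by the dynamic map (so the L2TP traffic it protects is authenticated but not encrypted), `crl optional` on the CA identity and L2TP tunnel authentication being disabled. The wildcard key finding is also the answer to the "different pre-shared keys per spoke" part of the question: with `address 0.0.0.0` every spoke presents the same secret, and per-spoke keys need a peer identity (a fixed address or a certificate) that the hub can match before the key is chosen.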
