Solved: Re: C1710VPV + PIX501 + Client 3.5.1

l.cabral · ‎11-18-2002

Hi:

I'm trying to configure a VPN with a 1710 router as the center (c1710-k9o3sy-mz.122-4.YA2.bin) and a PIX 501 with soft version 6.2 wich receives dynamic IP trough pppoe. Also, I need to configure some VPN Clients with soft version 3.5.1. I'm having some problems, one is that the PIX and the Clients use dynamic IPs, but the pix must establish a Lan-to-Lan connection, so It becomes more complex to me to figure out correct crypto dynamic-map configuration. By now, pix-to-router connection finish isakmp negotiation, but not ipsec. And by now, Client 3.5.1 does no even finish isakmp phase, although using debug commands I see the client trying to negotiate the policy I created (3des, pre-shared, group 2). I haven't found any TAC example like this scenario, that's why I'm asking. Can someone give me a pointer?

Thanks,

kdurrett · ‎11-19-2002

To answer your second question. You can your cisco secure vpn client 1.1 with your current IOS but you dont have the options as you have with 3.x client. Problem you will probably run into is that the 1.1 client is only supported on 95, 98 and NT. So there is no win2k or XP support for that client. If you want to run the 3.x client, you have to upgrade your router. Just like you stated, min IOS version for 3.x client is 12.2.8T which also you have to be running a T train for support. 12.2.10 will not work with the 3.x client, must be T train. Your first question, you can use match address within your dynamic maps. For example:

crypto dynamic-map mymap 10

match address 100

crypto dynamic-map mymap 20

match address 110

But im not to clear on why you need to have the central endpoint recognize which LAN is connecting to it. If you need to see which endpoints are connected, you can do a "show crypto ipsec sa" and it will show you which sides have active tunnels, you just gotta filter through the SA's.

Kurtis Durrett

View solution in original post

kdurrett · ‎11-18-2002

Now this isn't going to work for your clients unless you know the ip address of your pix. So if its dhcp and you dont know what the address is going to be, you'll have to change that. If its dhcp and you get the same ip address all the time, well you should be okay then. Follow this linke http://www.cisco.com/warp/public/110/37.html

That should work for you. This link isnt for dhcp on the pix, but its configured exactly the same way, if you dont need the xauth with the clients then just remove this line crypto map mymap client authentication mytacacs

as from the sample configuration.

Kurtis Durrett

l.cabral · ‎11-19-2002

Hi:

PIX connection is working ok at least in lab environment.

I'm seeing a problem when there are more than one remote LANs that want to connect to a central IPSec endpoint and those LANs are connected via a device (router or pix) that receives a dynamic IP. I can't see the way to make the central endpoint recognize wich LAN is connecting to it. An alternative can be using different transform-sets at each site, so for example, to support four sites, I can use:

Site 1: 3des

Site 2: 3des + AH

Site 3: des

Site 4: des + AH

In this way only the correct crypto dynamic map will match (the one with the correct transform set, that also contains the correct reference to acl (match address)). I think this is applicable for routers and pixes. If there is other method (better or recommended) I'd really like to know it.

Another problem I have, is with Cisco VPN Client, I'm afraid version 3.5.1 is not compatible with the IOS I have (1710-k9o3sy-mz.122-4.YA2.bin). I think this because my IOS debug commands show a message like "client is Unity but a major" and never finish ISAKMP negotiation. Also, reading TAC documents I found: "Cisco IOS Software Release 12.2(8)T and later support connections from Cisco VPN Client 3.x". I buyed version 3.5.1: can I downgrade to a compatible version for free?

Any help will be appreciated,

kdurrett · ‎11-19-2002

To answer your second question. You can your cisco secure vpn client 1.1 with your current IOS but you dont have the options as you have with 3.x client. Problem you will probably run into is that the 1.1 client is only supported on 95, 98 and NT. So there is no win2k or XP support for that client. If you want to run the 3.x client, you have to upgrade your router. Just like you stated, min IOS version for 3.x client is 12.2.8T which also you have to be running a T train for support. 12.2.10 will not work with the 3.x client, must be T train. Your first question, you can use match address within your dynamic maps. For example:

crypto dynamic-map mymap 10

match address 100

crypto dynamic-map mymap 20

match address 110

But im not to clear on why you need to have the central endpoint recognize which LAN is connecting to it. If you need to see which endpoints are connected, you can do a "show crypto ipsec sa" and it will show you which sides have active tunnels, you just gotta filter through the SA's.

Kurtis Durrett

l.cabral · ‎11-19-2002

Kurtis:

Thanks for your answers. In order to clarify, this is my last doubt: Do you say that "match address" lines are not necesary in crypto dynamic-map because the router will recognize the other endpoint and will learn wich LAN is behind it?

That's my last question, regarding VPN Client, now I know the problem is with IOS version (sad, I bought the 1710 with the VPN bundle thinking I won't have any problems).

Thanks again,

kdurrett · ‎11-21-2002

The match address in your dynamic map will help make this somewhat more secure. With a dynamic ipsec configuration, the whole reason you are doing this is because you do not know where the peer is coming from because of dhcp from the isp. So you kinda have to open yourself up a little. You wont know your peers ip address is, but you should know what network is behind your peers that are trying to connect to you. Thats where the match address comes in because when it comes to establish your ipsec sa's it will have to match source/destination based on your acl's. There are other feature's here that help keep this secure such as your pre-shared key and your isakmp/ipsec policies that have to be matched. But no, you do not need the match address.

Cisco is supposed to ship their devices out with the latest software, which I believe they do. Problem you run into is that resellers stock the equipment so that you as a customer can get that device right away instead of having to wait. So there could be some time sitting in there warehouse, as well as Cisco's by the time it gets to you. So you got a tradeoff. One of the tradeoff's is the best tac support out there so when you need help, you get it.

Kurtis Durrett

l.cabral · ‎11-21-2002

Thanks for the explanation.

Regarding IOS version, I think I discovered one thing. If you look at product prices when they are marked like "xxx bundle" you see that they are cheaper than buying the product and adding the features you want. For example a 1760-V is cheaper than buying a 1760 and adding a VoIP enable IOS, a PVDM, RAM and Flash. In my case, I bought a 1710-VPN-Bundle thinking that it will come with all published VPN features, but now I beleive that "bundles" are cheaper because they have IOS versions that are not the latest. It's just a deduction, not a confirmed fact.

Cheers,