
Can I use VPN3030 for site-to-site and remote access VPN?

jhlin
Level 1

Hi,

Can I use both functions for two VPN functions in the same box?

Do I use the same pre-shared key for both?

My network is:

VPN3030--pix(local)-internet--pix(remote)

My need:

VPN3030 ipsec with pix(remote)

vpnclient from internet connect to vpn3030.

Question :

Do I need two groups for them?

Do I use the same preshared-key? Or

a specific key for each group?

Thanks very much

2 Replies

d-garnett
Level 3

Can I use both functions for two VPN functions in the same box? YES

Do I use the same pre-shared key for both? YOU COULD, BUT I WOULDN'T USE THE SAME KEY FOR DIFFERENT CONNECTIONS; IT COULD CAUSE SECURITY ISSUES LATER

My network is:

VPN3030--pix(local)-internet--pix(remote)

My need:

VPN3030 ipsec with pix(remote) - DOABLE

vpnclient from internet connect to vpn3030. - DOABLE

Question :

Do I need two groups for them? YOU NEED TO DEFINE A "GROUP" FOR THE REMOTE ACCESS CONNECTION, BUT NOT FOR THE LAN2LAN (UNLESS YOU USE EZVPN ON THE PIX or IOS ROUTER, THEN YOU WOULD CONFIGURE THAT CONNECTION AS A REMOTE ACCESS CONNECTION AND DEFINE GROUPS)

Do I use the same preshared-key? Or

a specific key for each group? I WOULD USE A DIFFERENT KEY PER CONNECTION.

Thanks very much

___________________________________________________

Remote Access and LAN2LAN connections can coexist on the Concentrator, but they are configured differently.

In most cases when you configure Remote Access connections, they are for roaming clients that are using VPN Client Software or for small offices using IOS Routers or PIX running the EzVPN feature set or the 3002 hardware client. In these instances you will need to push policies down to them ('Mode Config', i.e. the IP address they will use on the inside of your network, DNS and WINS servers, etc.). This is configured under Configuration > User Management > Groups.

On the flip side are the LAN2LAN connections. You don't define a "group" for those. The preshared key is defined with all the other parameters (phase 1 and phase 2 policies, subnets/hosts to protect) on the same page (Configuration > Tunneling Protocols > IPSec > LAN-to-LAN).

You create the LAN2LAN connections under Traffic Management.

I have copied and pasted this from our Concentrator. Page: Configuration > Tunneling Protocols > IPSec > LAN-to-LAN

"This section lets you configure IPSec LAN-to-LAN connections. LAN-to-LAN connections are established with other VPN 3000 Concentrators, PIX firewalls, 7100/4000 series routers and other IPSec-compliant security gateways. To configure a VPN 3002 or other remote access connection, go to User Management and configure a Group and User. To configure NAT over LAN-to-LAN, go to LAN-to-LAN NAT Rules."

Hello,

I have already completed the site-to-site and remote access on the same VPN3030.

The site-to-site is connected to the pix, and remote access is connected to internet users who are using vpnclient 4.03a.

But I found one BUG. I do not know whether it is right or not. Could you tell me how to verify?

The SYMPTOM:

Only one internet user can use it. A 2nd user can connect, but only for 20 seconds. The VPN client shows "no response from the other side", then drops the connection.

Thanks a lot for your update.