Cisco Support Community

Easy VPN Server

Hi all!

I have a question.

On the PIX 535 I already have some VPNs (site-to-site) and I want to do Easy VPN Server on it.

Do they work together?

3 REPLIES

Re: Easy VPN Server

Yes it does, just add the dynamic crypto map to the existing crypto-map.

Ex.

crypto dynamic-map myDYN-MAP 5 set transform-set mySET

crypto map myMAP 1 ipsec-isakmp dynamic myDYN-MAP


Re: Easy VPN Server

I mean that I already have this working config:

crypto ipsec transform-set P2Pset esp-des esp-md5-hmac

crypto map P2Pmap 9 ipsec-isakmp

crypto map P2Pmap 9 match address P2P

crypto map P2Pmap 9 set pfs group5

crypto map P2Pmap 9 set peer 1.1.1.1

crypto map P2Pmap 9 set transform-set P2Pset

crypto map P2Pmap 9 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map P2Pmap 10 ipsec-isakmp

crypto map P2Pmap 10 match address P2P2

crypto map P2Pmap 10 set pfs group2

crypto map P2Pmap 10 set peer 2.2.2.2

crypto map P2Pmap 10 set transform-set P2Pset

crypto map P2Pmap 11 ipsec-isakmp

crypto map P2Pmap 11 match address P2P3

crypto map P2Pmap 11 set pfs group2

crypto map P2Pmap 11 set peer 3.3.3.3

crypto map P2Pmap 11 set transform-set P2Pset

crypto map P2Pmap 11 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map P2Pmap interface VPN

isakmp enable VPN

isakmp key ******** address 1.1.1.1 netmask 255.255.255.255

isakmp key ******** address 2.2.2.2 netmask 255.255.255.255

isakmp key ******** address 3.3.3.3 netmask 255.255.255.255

isakmp identity address

isakmp policy 9 authentication pre-share

isakmp policy 9 encryption des

isakmp policy 9 hash md5

isakmp policy 9 group 5

isakmp policy 9 lifetime 86400

And now I want to do Easy VPN Server for the peer 4.4.4.4. What must I write in my config?

I think that it will be:

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

then

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5

crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map

crypto map P2Pmap 12 set peer 4.4.4.4

crypto map P2Pmap client authentication LOCAL

then I do the vpngroup and users, and that's all...

Am I right???

Re: Easy VPN Server

Yes, but with easyvpn you rarely need to configure a peer address and assign an acl to the dynamic crypto-map because most config goes into the vpngroup. But it should work as you want it to anyway.

I would exclude these lines:

no crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10

no crypto map P2Pmap 12 set peer 4.4.4.4

You also need to configure the vpngroup with split-tunnel, and nat exemption as usual.
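
Added example, not part of the thread and not Cisco tooling: a small Python check that reads PIX crypto lines and reports the two kinds of line the last reply advises excluding (a `set peer` on a crypto map entry bound to a dynamic map, and a `match address` on that dynamic map), plus any bound dynamic map with no transform-set. The function names are hypothetical and the sample config is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: the Easy VPN lines proposed in the thread plus one static entry.
SAMPLE_CONFIG = """\
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5
crypto map P2Pmap 9 ipsec-isakmp
crypto map P2Pmap 9 set peer 1.1.1.1
crypto map P2Pmap 12 ipsec-isakmp dynamic outside_dyn_map
crypto map P2Pmap 12 set peer 4.4.4.4
"""

DYN_BIND = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer \S+$")
DYN_ACL = re.compile(r"^crypto dynamic-map (\S+) \d+ match address \S+$")
DYN_TSET = re.compile(r"^crypto dynamic-map (\S+) \d+ set transform-set \S+")


def _lines(config):
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def _dynamic_bindings(lines):
    """Map (crypto map name, sequence) -> dynamic-map name bound at that entry."""
    found = (DYN_BIND.match(ln) for ln in lines)
    return {(m.group(1), m.group(2)): m.group(3) for m in found if m}


def easyvpn_cleanup(config):
    """Return `no ...` commands for the lines the last reply advises excluding."""
    lines = _lines(config)
    bound = _dynamic_bindings(lines)
    removals = []
    for ln in lines:
        peer, acl = MAP_PEER.match(ln), DYN_ACL.match(ln)
        if peer and (peer.group(1), peer.group(2)) in bound:
            removals.append("no " + ln)   # static peer set on a dynamic entry
        elif acl and acl.group(1) in bound.values():
            removals.append("no " + ln)   # ACL attached to the dynamic map
    return removals


def dynamic_maps_without_transform_set(config):
    """Dynamic maps bound into a crypto map that have no transform-set line."""
    lines = _lines(config)
    have = {m.group(1) for m in map(DYN_TSET.match, lines) if m}
    return sorted(set(_dynamic_bindings(lines).values()) - have)
```

Static entries such as sequence 9 are left alone, because their `set peer` belongs to a site-to-site tunnel rather than to the dynamic entry.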
