
PIX 501 to 3015 Concentrator using VPN Hardware Client

nick.garigliano
Level 1

I found several docs on CCO about creating a VPN connection from a PIX 501 to a 3000 Concentrator using the VPNClient feature in 6.2.x of the PIX software (specifically "Configuring the VPN Hardware Client on PIX 501/506 Version 6.2 for Use With a VPN 3000 Concentrator"). I followed the example and cannot get it to work.

The concentrator logs say that xauth is required but not configured. I've tried setting the SAs on the concentrator to use pre-shared keys with and without xauth, but no luck. In the debugs from the PIX I see it referring to the DMZ address of the Concentrator, not the static xlated address that I put in the config. I've tried deleting everything and starting over but no luck.

I finally checked the 6.2 PIX command reference and it implies that you still need all of the IKE and crypto stuff in addition to the vpnclient commands. The above doc makes no reference to needing this other than it appears to be configured on devices inside the network.

So, what is the correct procedure for using the VPN Hardware Client?

3 Replies

engel
Level 2

Nick,

I had this problem before; it seems like the problem is on the Concentrator. Make sure the IKE Proposal list on the Concentrator has "CiscoVPNclient" on the first line (normally the default "CiscoVPN Client" is configured with "XAuth"; just check it to make sure). For a remote client connection, the Concentrator will not go on to the second line of the proposal list to check for a matching proposal if the first proposal does not match.

Regarding the crypto stuff on the PIX, it has several default IKE proposals, so no need to configure it anymore, except if you want to fine tune the IKE proposal list.

HTH.

Hi,

I have the same problem as this. Do you have a configuration example for me?

Best regards

Uli

The problem had to do with NATing our public interface on the VPN Concentrator. I had to add the non-NATed address in as a secondary connection with the "vpnclient server" command. After that it worked fine, except you do need to initiate traffic from the PIX network for the tunnel to actually come up.
