10-08-2002 05:24 AM - edited 02-21-2020 12:06 PM
I found several docs on CCO about creating a VPN connection from a PIX 501 to a 3000 Concentrator using the VPNClient feature in 6.2.x of the PIX software (specifically "Configuring the VPN Hardware Client on PIX 501/506 Version 6.2 for Use With a VPN 3000 Concentrator"). I followed the example and cannot get it to work.
The concentrator logs say that xauth is required but not configured. I've tried setting the SAs on the concentrator to use pre-shared keys with and without xauth, but no luck. In the debugs from the PIX I see it referring to the DMZ address of the Concentrator, not the static xlated address that I put in the config. I've tried deleting everything and starting over but no luck.
I finally checked the 6.2 PIX command reference and it implies that you still need all of the IKE and crypto stuff in addition to the vpnclient commands. The above doc makes no reference to needing this other than it appears to be configured on devices inside the network.
So, what is the correct procedure for using the VPN Hardware Client????
10-08-2002 06:02 AM
Nick,
I had this problem before; it seems like the problem is on the Concentrator. Make sure the IKE Proposal list on the Concentrator has "CiscoVPNclient" on the first line (normally the default "CiscoVPN Client" is configured with "XAuth"; just check it to make sure). For a remote client connection, the Concentrator will not go on to the second line of the proposal list to check for a matching proposal if the first proposal does not match.
Regarding the crypto stuff on the PIX, it has several default IKE proposals, so no need to configure it anymore, except if you want to fine tune the IKE proposal list.
HTH.
10-18-2002 12:35 PM
Hi,
I have the same problems as this. Do you have any configuration example for me?
Best regards
Uli
10-21-2002 07:48 AM
The problem had to do with NATing our public interface on the VPN Concentrator. I had to add the non-NATed address in as a secondary connection with the "vpnclient server" command. After that it worked fine, except you do need to initiate traffic from the PIX network for the tunnel to actually come up.