VPN 3000 and wildcard IKE peers

jason.ingram (Level 1)

From the PIX Command Reference (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312):

isakmp key address

To configure a pre-shared authentication key and associate the key with an IPSec peer address or host name, use the isakmp key address command. Use the no isakmp key address command to delete a pre-shared authentication key and its associated IPSec peer address.

A netmask of 0.0.0.0 can be entered as a wildcard indicating that any IPSec peer with a given valid pre-shared key is a valid peer.

Question: Is it possible to do the same thing on the VPN 3000? I have a bunch of PIX firewalls; they use DSL with DHCP. I need them to operate in Network Extension Mode, but unlike the PIXes, I can't seem to get the VPN 3000 to accept the "0.0.0.0" like you can on a PIX. Anyone have any idea if it's possible, or another way to accomplish the goal? Any ideas would be greatly appreciated.

4 Replies

gfullage (Cisco Employee), accepted solution

Yep it's possible, although not overly obvious how you do it :-) The following sample config shows you how to do it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

The key option is the "Default PreShared Key" under the Base Group.

But using the "Default PreSharedKey" limits this possibility to one such key and one group using the same key only. There is no way to configure a 2nd group with a different key, right?

(Edited: I thought you were posting this in reply to my original question, so I got a bit confused. However, I'll leave the post below just because someone might glean something; never can tell.)

When talking about a PIX to multi-PIX VPN configuration using nailed-up VPNs, you do not need to define any groups if you don't want to. Just add in the necessary ISAKMP and crypto commands along with the necessary access-lists and nat statements (and the sysopt command as well). When setting up the isakmp statements, just specify 0.0.0.0 as the peer and supply all of your remote PIXes with the preshared key you assigned. They will all then be able to form a VPN connection with that system. You could also do it via groups using the Easy VPN server; I just prefer doing it the other way when I have the remote PIXes in network extension mode.
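As an added illustration of the hub-and-spoke PIX configuration the reply above describes (example config written for this page, not taken from the thread or from any Cisco document): a PIX 6.3 hub that accepts IKE from any peer presenting the shared key, paired with the matching configuration on one DHCP-addressed remote PIX in LAN-to-LAN mode. The interface names, the key `s3cret-example`, the hub's outside address 192.0.2.1, and the 10.x.x.x subnets are placeholders chosen for the example.

```cisco
! ---- Hub PIX (static outside address 192.0.2.1, placeholder) ----
! Phase 1: address 0.0.0.0 with netmask 0.0.0.0 is the wildcard the
! thread is about; any peer presenting this key is accepted, which is
! what DHCP-addressed spokes with changing addresses need.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key s3cret-example address 0.0.0.0 netmask 0.0.0.0
! Phase 2: the hub cannot name the spokes' addresses, so it terminates
! them on a dynamic crypto map referenced from a static map entry.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto dynamic-map SPOKES 10 set transform-set STRONG
crypto map HUBMAP 10 ipsec-isakmp dynamic SPOKES
crypto map HUBMAP interface outside
! Let decrypted traffic bypass the interface ACLs, and exempt hub-to-spoke
! traffic from NAT (10.1.1.0/24 = hub LAN, 10.2.0.0/16 = all spoke LANs).
sysopt connection permit-ipsec
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! ---- Remote PIX (outside address from DHCP; LAN 10.2.1.0/24) ----
ip address outside dhcp setroute
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! The spoke does know the hub's address, so its copy of the key is bound
! to that single host rather than to a wildcard.
isakmp key s3cret-example address 192.0.2.1 netmask 255.255.255.255
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
! Interesting traffic: spoke LAN to hub LAN. The same ACL drives the
! NAT exemption so the real addresses are what get encrypted.
access-list TOHUB permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map SPOKEMAP 10 ipsec-isakmp
crypto map SPOKEMAP 10 match address TOHUB
crypto map SPOKEMAP 10 set peer 192.0.2.1
crypto map SPOKEMAP 10 set transform-set STRONG
crypto map SPOKEMAP interface outside
sysopt connection permit-ipsec
nat (inside) 0 access-list TOHUB
```

Two things to keep in mind with this layout. The wildcard entry is one secret shared by every spoke, so the hub cannot distinguish spokes at IKE time, and a key recovered from any one remote box (the PIX stores it in the running config) lets an attacker bring up a tunnel to the hub from any address; rotating it means touching every spoke at once, which is the same single-key limitation raised for the VPN 3000's Default PreShared Key above. Also, if the same hub additionally serves Easy VPN remote-access users with xauth, the wildcard `isakmp key` line needs the `no-xauth no-config-mode` keywords so the LAN-to-LAN spokes are not challenged for a username and password.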

Awesome. Exactly what I was looking for. I knew there had to be a way to make it happen. Thanks a ton for the info and the help.