Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN 3000 and wildcard IKE peers

From the PIX Command Reference (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312):

isakmp key address

To configure a pre-shared authentication key and associate the key with an IPSec peer address or host name, use the isakmp key address command. Use the no isakmp key address command to delete a pre-shared authentication key and its associated IPSec peer address.

A netmask of 0.0.0.0. can be entered as a wildcard indicating that any IPSec peer with a given valid pre-shared key is a valid peer.

Question: Is it possible to do the same thing on the VPN 3000? I have a bunch of PIX firewalls, they use DSL w/ DHCP. I need them to operate in Network Extension Mode, but unlike PIX's, I can't seem to get the VPN 3000 to accept the "0.0.0.0" like you can do with PIX's. Anyone have any idea if it's possible or another way to accomplish the goal? Any ideas would be greatly appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VPN 3000 and wildcard IKE peers

Yep it's possible, although not overly obvious how you do it :-) The following sample config shows you how to do it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

The key option is the "Default PreShared Key" under the Base Group.

4 REPLIES
Cisco Employee

Re: VPN 3000 and wildcard IKE peers

Yep it's possible, although not overly obvious how you do it :-) The following sample config shows you how to do it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

The key option is the "Default PreShared Key" under the Base Group.

New Member

Re: VPN 3000 and wildcard IKE peers

But using the "Default PreSharedKey" limits this possibility to one such key and one group using the same key only. There is no way to configure a 2nd group with a different key, right?

New Member

Re: VPN 3000 and wildcard IKE peers

(Edited: I thought you were posting this in reply to my original question, so i got a bit confused. However, I'll leave the post below just because someone might glean something..never can tell)

When talking about a Pix to Multi-pix VPN configuration using nailed up VPN's, you do not need to define any groups if you don't want to. Just add in the necessary ISAKMP and crypto commands along with the necessary access-lists and nat satements (and the sysopt command as well). When setting up the isakmp statments, just specifiy 0.0.0.0 as the peer and supply all of your remote PIX's with the preshared key you assigned. They will all then be able to form a VPN connection with that system. You could also do it via groups using the Eazy VPN server, I just prefer doing it the other way when I have the remote pix's in network extension mode.

New Member

Re: VPN 3000 and wildcard IKE peers

Awesome. Exactly what I was looking for. I knew there had to be a way to make it happen. Thanks a ton for the info and the help.

95
Views
0
Helpful
4
Replies
CreatePlease to create content