Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Between PIX's and Movian client

Hello,

I am trying to setup a VPN between CISCO PIX's and a Pocket PC with Movian VPN Client. Actually nothing is working but CISCO is saying that this client is supported. I would like to know if anybody have feedback on this.

Regards,

Nicolas

7 REPLIES
New Member

Re: VPN Between PIX's and Movian client

The movian vpn client works fine depending on your configuration. Movian/Certicom will provide you with a sample Pix config if you ask them. You also have to have version 3.0. We have not gotten it to work with certificates. It also only works with "isakmp identity address" instead of hostname which is default.

Hope this helps.

New Member

Re: VPN Between PIX's and Movian client

Hello,

First thanks for your answer. I would like to know if you have a sample because i am working with the one of MOVIAN and it didn't work. I already changed the parameter in the configuration but it's still the same.

Thanks,

Nicolas

New Member

Re: VPN Between PIX's and Movian client

I can't at the moment as I am out of the country, but the Movian example worked for me. It's a very simple example, but it's a good place to start. Which part in particualar is not working. Is the client prompting you for a password?

For now if you could post your config I might be able to see a problem. Next week when I'm back at the office I can get you my example, but I don't think you want to wait that long.

Good luck.

New Member

Re: VPN Between PIX's and Movian client

Hello,

Really thanks for your help. I have anyway time to wait since this is a project.

Here is my configuration:

Regards,

Nicolas

pix# sh conf

: Saved

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 intf2 security10

enable password xxxxx encrypted

passwd xxxxx encrypted

hostname pix

domain-name vpn.vtx.ch

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

access-list 80 permit ip 10.5.1.0 255.255.255.0 10.5.1.0 255.255.255.0

access-list 100 permit tcp 10.5.1.0 255.255.255.0 10.5.0.0 255.255.0.0 eq telnet

access-list 100 permit tcp 10.5.1.0 255.255.255.0 10.5.0.0 255.255.0.0 eq www

pager lines 24

logging console debugging

logging buffered debugging

logging trap debugging

logging history debugging

logging host outside 212.147.1.1

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto shutdown

icmp permit 10.5.1.0 255.255.255.0 inside

mtu outside 1500

mtu inside 1500

mtu intf2 1500

ip address outside 212.147.0.220 255.255.255.0

ip address inside 10.5.1.254 255.255.255.0

ip address intf2 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

ip local pool movianpool 10.5.1.118-10.5.1.121

no failover

failover timeout 0:00:00

failover poll 15

failover ip address outside 0.0.0.0

failover ip address inside 0.0.0.0

failover ip address intf2 0.0.0.0

pdm history enable

arp timeout 14400

nat (inside) 0 access-list 80

nat (inside) 0 10.5.1.0 255.255.255.0 0 0

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 212.147.0.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server partnerauth protocol radius

aaa-server partnerauth (outside) host xxxxx yyyyy timeout 5

no snmp-server location

no snmp-server contact

snmp-server community xxxxx

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt noproxyarp inside

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client authentication partnerauth

crypto map mymap interface outside

isakmp enable outside

isakmp identity address

isakmp client configuration address-pool local movianpool outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 8000

vpngroup Certicom address-pool movianpool

vpngroup Certicom dns-server 10.5.1.12

vpngroup Certicom wins-server 10.5.1.12

vpngroup Certicom default-domain vpn.vtx.ch

vpngroup Certicom split-tunnel 80

vpngroup Certicom idle-time 1800

vpngroup Certicom password xxxxx

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:xxxxx

pix#

New Member

Re: VPN Between PIX's and Movian client

Ok I see something that could be the problem. It might be your local ip pool. I have yet to get a pool to work inside my existing inside subnet. I usually set it to something like 192.168.xx.1-192.168.xx.100. Then change your access-list 80 to reflect that change. It would look like "access-list 80 permit 10.5.1.0 255.255.255.0 192.168.xx.0 255.255.255.0".

Also get rid of "nat (inside) 0 10.5.1.0 255.255.255.0 0 0" It is conflicting with the nat above it which you need.

Have you been prompted for your password when you try to connect? This is very important to know.

The other thing I noticed is your RADIUS server is on the outside. I would not do that as RADIUS I believe is sent in clear text. Also you may want increase the timeout on RADIUS as well.

Hopefully this helps.

Pete

New Member

Re: VPN Between PIX's and Movian client

Hello,

I'm gonna try with an internal Radius, and modificate the configuration. I will let you know if anything is alright.

Thanks,

Nicolas

New Member

Re: VPN Between PIX's and Movian client

I forgot to tell you that i didn't have the prompt for password. So i'm going to look for that too.

Regards,

Nicolas

107
Views
0
Helpful
7
Replies