VPN using PIX and VPN Clients ver 1.1 and ver 3.0

I have a VPN using a "PIX to PIX" and "PIX to VPN Clients". I am able to get "PIX to PIX" working along with ver 1.1 of the client but not version 3. I can get version 3 and version 1 working together by swapping around the order of the crypto map statements but then the "PIX to PIX" connection won't come up. Has anybody implemented a VPN with PIX and both clients?

4 REPLIES
Re: VPN using PIX and VPN Clients ver 1.1 and ver 3.0

Yes I am doing it now. All I had to do to get Version 3.x working was to add the vpngroup statements. Here is the template I use for PIX to PIX and Client to PIX:

access-list 80 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list 80
ip local pool vpnpool 192.168.200.1-192.168.200.254
sysopt connection permit-ipsec
crypto ipsec transform-set vpn3-set esp-3des esp-md5-hmac
crypto dynamic-map remote 20 set transform-set vpn3-set
crypto map vpn-map 18 ipsec-isakmp dynamic remote
crypto map vpn-map 20 ipsec-isakmp
crypto map vpn-map 20 match address 101
crypto map vpn-map 20 set peer xxx.xxx.xxx.xxx
crypto map vpn-map 20 set transform-set vpn3-set
crypto map vpn-map client configuration address initiate
crypto map vpn-map interface outside
isakmp enable outside
isakmp identity hostname
isakmp client configuration address-pool local vpnpool outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

*******

These are the commands I added for Win2K support on client version 3.x:

*******

vpngroup NY address-pool vpnpool
vpngroup NY dns-server 10.1.1.4
vpngroup NY default-domain whatever.com
vpngroup NY split-tunnel 80
vpngroup NY idle-time 1800
vpngroup ny idle-time 1800

I hope this helps you. I got most of this from the config examples on this site.

Pete

Re: VPN using PIX and VPN Clients ver 1.1 and ver 3.0

Thanks for the response, Pete. It seems the trouble we're having stems from the fact that we're using 56-bit DES rather than 3DES. The VPN Client 3.0 supposedly supports 56-bit DES, but in actual fact, although the VPN tunnel is established, the return packets are not being decrypted, resulting in a high number of dumped packets. One workaround, I guess, is to move to 3DES, although this seems like overkill.

Re: VPN using PIX and VPN Clients ver 1.1 and ver 3.0

Also, if you deal with different client versions, make sure you have different policies on PIX. You can have more than you need, it doesn't hurt. See Security Tech Tips for how to configure PIX 6.01 with 2 versions of clients.
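Pete's template and the advice above about keeping separate ISAKMP policies both turn on details that are easy to get wrong in a PIX crypto config and hard to spot in a long "show run": the order of the crypto map entries (Cisco's documented guidance is that the dynamic entry takes the highest sequence number so static peers are matched first), references to access-lists, pools and dynamic maps that were never defined, and vpngroup names that differ only by case. The following Python script is an added example, not code from this thread or from Cisco. It parses PIX 6.x-style config lines and reports those problems, and it collects the isakmp policies so you can see at a glance which ones exist. The embedded sample is constructed from an abridged form of Pete's template and is not a captured device config; the lowercase "vpngroup ny" line is kept so the name check has something to find.

```python
# Added example (not from the thread): lint a PIX 6.x crypto config for the
# mistakes this thread turns on.  Assumes 'show run'-style lines; the sample
# below is constructed from Pete's template and is not a captured config.
from collections import defaultdict

SAMPLE_CONFIG = """\
access-list 80 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list 80
ip local pool vpnpool 192.168.200.1-192.168.200.254
crypto ipsec transform-set vpn3-set esp-3des esp-md5-hmac
crypto dynamic-map remote 20 set transform-set vpn3-set
crypto map vpn-map 18 ipsec-isakmp dynamic remote
crypto map vpn-map 20 ipsec-isakmp
crypto map vpn-map 20 match address 101
crypto map vpn-map 20 set peer xxx.xxx.xxx.xxx
crypto map vpn-map interface outside
isakmp enable outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
vpngroup NY address-pool vpnpool
vpngroup NY split-tunnel 80
vpngroup NY idle-time 1800
vpngroup ny idle-time 1800
"""


def parse_pix(cfg):
    """Collect the objects the checks need; every other line is ignored."""
    d = {"acls": set(), "pools": set(), "dynamic_maps": set(), "nat0_acl": None,
         "crypto_maps": defaultdict(dict), "vpngroups": defaultdict(dict),
         "policies": defaultdict(dict)}
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":"):          # blank or comment line
            continue
        if t[0] == "access-list":
            d["acls"].add(t[1])
        elif t[:3] == ["ip", "local", "pool"]:
            d["pools"].add(t[3])
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            d["nat0_acl"] = t[4]
        elif t[:2] == ["crypto", "dynamic-map"]:
            d["dynamic_maps"].add(t[2])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():   # numbered entry
            entry = d["crypto_maps"][t[2]].setdefault(int(t[3]), {})
            if t[4:6] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = t[6]
            elif t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
        elif t[0] == "vpngroup":
            d["vpngroups"][t[1]][t[2]] = t[3] if len(t) > 3 else None
        elif t[:2] == ["isakmp", "policy"]:
            d["policies"][int(t[2])][t[3]] = " ".join(t[4:])
    return d


def lint(cfg):
    """Return a list of (code, message); an empty list means all checks passed."""
    d, out = parse_pix(cfg), []
    for name, entries in d["crypto_maps"].items():
        static = [s for s, e in entries.items() if "dynamic" not in e]
        for seq, e in sorted(entries.items()):
            if "dynamic" in e:
                # Entries are tried in sequence order; Cisco's guidance is to
                # give the dynamic entry the highest seq so static peers go first.
                later = [s for s in static if s > seq]
                if later:
                    out.append(("DYN_ORDER", f"crypto map {name} {seq}: dynamic entry "
                                f"precedes static entries {later}; give it the highest seq"))
                if e["dynamic"] not in d["dynamic_maps"]:
                    out.append(("UNDEF_DYNMAP", f"crypto map {name} {seq}: {e['dynamic']} undefined"))
            elif "acl" not in e or "peer" not in e:
                out.append(("INCOMPLETE_STATIC", f"crypto map {name} {seq}: needs match address and set peer"))
            elif e["acl"] not in d["acls"]:
                out.append(("UNDEF_ACL", f"crypto map {name} {seq}: access-list {e['acl']} undefined"))
    if d["nat0_acl"] and d["nat0_acl"] not in d["acls"]:
        out.append(("UNDEF_ACL", f"nat 0: access-list {d['nat0_acl']} undefined"))
    by_case = defaultdict(set)
    for g, a in d["vpngroups"].items():
        by_case[g.lower()].add(g)
        if a.get("address-pool") and a["address-pool"] not in d["pools"]:
            out.append(("UNDEF_POOL", f"vpngroup {g}: pool {a['address-pool']} undefined"))
        if a.get("split-tunnel") and a["split-tunnel"] not in d["acls"]:
            out.append(("UNDEF_ACL", f"vpngroup {g}: access-list {a['split-tunnel']} undefined"))
    for names in by_case.values():
        if len(names) > 1:   # 'NY' and 'ny' may be two groups; check what the PIX created
            out.append(("CASE_MISMATCH", f"vpngroup names differ only by case: {sorted(names)}"))
    if not d["policies"]:
        out.append(("NO_POLICY", "no isakmp policy defined"))
    return out


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code:18} {msg}")
    print("isakmp policies:", dict(parse_pix(SAMPLE_CONFIG)["policies"]))
```

To use it on a real box, paste the output of `show running-config` into a file and pass its contents to `lint()` in place of SAMPLE_CONFIG. On the sample it reports the dynamic entry at sequence 18 sitting below the static entry at 20, and the NY/ny pair; renumbering the dynamic entry to 30 and dropping the lowercase line clears both findings.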

Re: VPN using PIX and VPN Clients ver 1.1 and ver 3.0

I got the VPN working with PIX to PIX and PIX to VPN Clients (both versions). During my testing I had used ping to verify connectivity. It seems that using ICMP as test traffic caused issues with VPN Client ver 3.0, with traffic not being properly encrypted and decrypted. Once I tested using TCP-based traffic, I found everything worked as expected.
