626 Views | 0 Helpful | 5 Replies

Site-to-Site VPN and remote access on PIX 6.3(3)

wesleykuk
Level 1

Hello,

I have a site-to-site and a remote access VPN configured on the PIX device. Everything works like a charm up until the moment I decide to perform local client authentication for the remote VPN clients that use the same site-to-site crypto map. As a result the site-to-site tunnel is broken because it is trying to authenticate against the local user.

Is there a way to use local user authentication for remote vpn clients on PIX without breaking up other tunnels that use same cryptomap?

If the answer is to use separate crypto maps, then how can I assign the other crypto map to the outside interface if only one crypto map can be assigned to any given interface?

Accepted Solution

Vikas Saxena
Cisco Employee

While configuring the ISAKMP key, use the command

isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]

no-xauth tells ISAKMP not to do XAUTH for the L2L peer, and no-config-mode tells ISAKMP not to distribute an IP address to the L2L peer.

Let us know if that works

-Vikas


5 Replies

jmia
Level 7

Just a note,

Why not try the following - I just set it up for one of my customers, and it works like a charm:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

HTH

The above example only covers XAUTH for the VPN client via the RADIUS protocol. My VPN client is able to authenticate just fine regardless of the authentication method used. It is the other site-to-site tunnels on the PIX that are negatively affected (broken), as they try to use the same authentication method. The objective is to use XAUTH for the VPN clients and not for the site-to-site tunnels. How can this be accomplished without breaking the existing VPN tunnels?

Most definitely... this is a very common configuration. The only instruction you need to have is

crypto map outside_map client authentication LOCAL

where outside_map is the map you assigned to your outside interface. This will only apply to remote users. The site-to-site tunnels will continue to work as normal.

I hope it helps ... please rate it if it does !!!

Try to make the VPN client's crypto map name the same as your site-to-site VPN's. I found that you can't have more than one "crypto map name interface outside" on the PIX. When adding the second "crypto map name interface outside", it will break the site-to-site tunnel, and you will see that the site-to-site crypto map is replaced by the second crypto map.

e.g.:

crypto ipsec transform-set REMOTEVPN_SET esp-3des esp-md5-hmac
crypto dynamic-map REMOTE_dynmap 20 set transform-set REMOTEVPN_SET
crypto map btbvpn 10 ipsec-isakmp
crypto map btbvpn 10 match address 10
crypto map btbvpn 10 set peer 10.x.x.x
crypto map btbvpn 10 set transform-set btbvpn
crypto map btbvpn 20 ipsec-isakmp dynamic REMOTE_dynmap
crypto map btbvpn client authentication ISA_RADIUS
crypto map btbvpn interface outside

Thanks, DJ
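The following is an added configuration example that ties the thread's three points together; it is not a config posted by any participant. It keeps DJ's single-crypto-map layout (one map, btbvpn, bound to outside, with a static L2L entry and a dynamic entry for clients), switches client authentication to the LOCAL database as the original poster wants, and applies Vikas's no-xauth / no-config-mode keywords to the site-to-site peer's ISAKMP key so that only the dynamic-map clients are prompted for XAUTH. The peer address 10.x.x.x, transform-set and map names come from the thread; the vpngroup name REMOTE, the pool REMOTEPOOL, the username, and the key placeholders are assumptions chosen for this example.

```cisco
! ---- Local user database used only for remote-access XAUTH (constructed sample user) ----
username vpnuser password <STRONG-USER-PASSWORD> privilege 0

! ---- ISAKMP phase 1 ----
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Site-to-site peer key. no-xauth: the L2L peer is never asked for user credentials.
! no-config-mode: the PIX does not try to push a client IP/config to the L2L peer.
! Without these two keywords the L2L tunnel fails phase 1.5 once client authentication is enabled on the map.
isakmp key <L2L-PRESHARED-KEY> address 10.x.x.x netmask 255.255.255.255 no-xauth no-config-mode

! ---- Remote-access client group (assumed names) ----
ip local pool REMOTEPOOL 192.168.100.1-192.168.100.50
vpngroup REMOTE address-pool REMOTEPOOL
vpngroup REMOTE idle-time 1800
vpngroup REMOTE password <GROUP-PRESHARED-KEY>

! ---- IPsec phase 2 ----
crypto ipsec transform-set btbvpn esp-3des esp-sha-hmac
crypto ipsec transform-set REMOTEVPN_SET esp-3des esp-md5-hmac
crypto dynamic-map REMOTE_dynmap 20 set transform-set REMOTEVPN_SET

! One crypto map carries both tunnels, because only one map can be bound to outside.
! Sequence 10: static site-to-site entry (access-list 10 is the interesting-traffic ACL).
crypto map btbvpn 10 ipsec-isakmp
crypto map btbvpn 10 match address 10
crypto map btbvpn 10 set peer 10.x.x.x
crypto map btbvpn 10 set transform-set btbvpn
! Sequence 20: dynamic entry for remote-access clients.
crypto map btbvpn 20 ipsec-isakmp dynamic REMOTE_dynmap
! XAUTH against the local database; only dynamic-map clients are challenged
! because the L2L peer's key above is marked no-xauth.
crypto map btbvpn client authentication LOCAL
crypto map btbvpn interface outside
sysopt connection permit-ipsec
```

After applying this, the check that matters is that the site-to-site SA still reaches QM_IDLE without a user prompt while a client connection does get the XAUTH challenge: `show isakmp sa` should list the 10.x.x.x peer as established, and `show crypto ipsec sa` should show packets encrypting/decrypting for the access-list 10 traffic. If the L2L tunnel drops again, the first thing to verify is that the `isakmp key` line for the peer really carries both keywords; a plain `isakmp key ... address 10.x.x.x` line silently reverts to the default behaviour that started this thread.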
