05-23-2006 08:20 AM - edited 02-21-2020 02:25 PM
Hello,
I have a site-to-site and remote access VPN configured on the PIX device. Everything works like a charm up until the moment I decide to perform local client authentication for remote VPN clients that use the same site-to-site crypto map. As a result the site-to-site tunnel is broken, because it is trying to authenticate against the local user.
Is there a way to use local user authentication for remote VPN clients on PIX without breaking other tunnels that use the same crypto map?
If the answer is to use separate crypto maps, then how can I assign the other crypto map to use the outside interface if only one crypto map can be assigned to any given interface?
05-25-2006 10:25 PM
While configuring the isakmp key, use the command
isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]
no-xauth will tell the isakmp not to do the xauth for the L2L, and no-config-mode will tell the isakmp not to distribute an IP address to the L2L peer.
Let us know if that works
-Vikas
05-23-2006 11:41 PM
Just a note,
Why not try the following - just set up for one of my customers, works like a charm:
HTH
05-25-2006 08:59 AM
The above example only represents xauth for the VPN client via the RADIUS protocol. My VPN client is able to authenticate just fine regardless of the authentication method used. It is the other site-to-site tunnels on the PIX that are negatively affected (broken) as they try to use the same authentication method. The objective is to use xauth for VPN clients and not for the site-to-site tunnels. How can this be accomplished without breaking existing VPN tunnels?
05-25-2006 07:06 PM
Most definitely .. this is a very common configuration. The only instruction you need to have is
crypto map outside_map client authentication LOCAL
where outside_map is the map you assigned to your outside interface. This will only apply to remote users. The site-to-site tunnels will continue to work as normal.
I hope it helps ... please rate it if it does !!!
05-25-2006 07:50 PM
Try to use the same crypto map name for the VPN client as for your site-to-site VPN. I found that you can't have more than one "crypto map "name" interface outside" on the PIX. When adding the second one, "crypto map name interface outside", it will break the site-to-site tunnel and you will see the site-to-site crypto map is replaced by the second crypto map.
e.g:
crypto ipsec transform-set REMOTEVPN_SET esp-3des esp-md5-hmac
crypto dynamic-map REMOTE_dynmap 20 set transform-set REMOTEVPN_SET
crypto map btbvpn 10 ipsec-isakmp
crypto map btbvpn 10 match address 10
crypto map btbvpn 10 set peer 10.x.x.x
crypto map btbvpn 10 set transform-set btbvpn
crypto map btbvpn 20 ipsec-isakmp dynamic REMOTE_dynmap
crypto map btbvpn client authentication ISA_RADIUS
crypto map btbvpn interface outside
Thanks, DJ
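The two answers above fit together: one crypto map on the outside interface carries both the static L2L entry and the dynamic remote-access entry, and the L2L peer's pre-shared key is tagged no-xauth / no-config-mode so that only the remote-access clients are challenged. The following PIX 6.x-style configuration is an added example, not config posted in this thread; the peer address 192.0.2.1, the networks, the pool, the object names and the placeholder secrets are all assumed.

```cisco
! Added example (assumed values), not from the thread above.
! Local user database used for xauth of remote VPN clients only.
aaa-server LOCAL protocol local
username vpnuser password USER_PASSWORD_PLACEHOLDER

isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! L2L peer key: no-xauth and no-config-mode keep the site-to-site tunnel
! from being prompted for a user login or handed a pool address.
isakmp key L2L_PSK_PLACEHOLDER address 192.0.2.1 netmask 255.255.255.255 no-xauth no-config-mode

! Remote-access group: these clients get an address and go through xauth.
ip local pool VPNPOOL 10.10.10.1-10.10.10.254
vpngroup REMOTE address-pool VPNPOOL
vpngroup REMOTE idle-time 1800
vpngroup REMOTE password GROUP_PSK_PLACEHOLDER

! Interesting traffic for the static site-to-site entry (assumed LANs).
access-list L2L_TRAFFIC permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 20 set transform-set ESP-3DES-MD5

! One map, two entries: 10 = static L2L, 20 = dynamic remote access.
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 20 ipsec-isakmp dynamic DYNMAP
! xauth against the local database applies to the dynamic entry only,
! because the L2L peer's key carries no-xauth.
crypto map OUTSIDE_MAP client authentication LOCAL
crypto map OUTSIDE_MAP client configuration address respond
crypto map OUTSIDE_MAP interface outside
sysopt connection permit-ipsec
```

After applying, `show isakmp sa` should list the 192.0.2.1 peer without any xauth exchange, while a remote client still has to supply the local username and password.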