Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Site-to-Site VPN and remote access on PIX 6.3(3)

Hello,

I have a site-to-site and remote access vpn configured on the pix device. Everything works like a charm up until the moment i decide to perform a local client authentication for remote vpn clients that uses the same site-to-site crypto map. As a result the site-to-site tunnel is broken 'cause is trying to authenticate against the local user.

Is there a way to use local user authentication for remote vpn clients on PIX without breaking up other tunnels that use same cryptomap?

If the answer is to use separate crypro maps then how can i assign the other crypto map to use outside interface if only one crypto map can be assigned to any given interface?

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Site-to-Site VPN and remote access on PIX 6.3(3)

while configuring the isakmp key use the command

isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]

no-xauth will tell the isakmp not to do the xauth for the L2L and no-config-mode will tell the isakmp not to distribute ip address to the L2L peer.

Let us know if that works

-Vikas

5 REPLIES
Gold

Re: Site-to-Site VPN and remote access on PIX 6.3(3)

Just a note,

Why not try the following - just setup for one of my customers, works like a charm:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

HTH

New Member

Re: Site-to-Site VPN and remote access on PIX 6.3(3)

The above example only represents xauth for vpn client via radius protocol. My VPN client is able to authenticate just fine regardless of the authentication method used. It is the other site-to-site tunnels on the pix that are negatively affected (broken) as they try to use the same authentication method. The objective is to use xauth for vpn clients and not for the site-to-site tunnels. How can this be accomplished without breaking existing VPN tunnels?

Re: Site-to-Site VPN and remote access on PIX 6.3(3)

Most definetely .. this is a very common configuration. The only instruction you need to have is

crypto map outside_map client authentication LOCAL

where outside_map is the map you assigned to your outside interface. This will only apply to remote users. The sit to site tunnels will continur to work as normal.

I hope it helps ... please rate it if it does !!!

New Member

Re: Site-to-Site VPN and remote access on PIX 6.3(3)

Try to match vpn client's crypto map name same as your site to site vpn. I found that you can't have more than one "crypto map "name" interface outside" on the pix. when adding the second one "crypto map name interface outside, it will break the site to site tunnel and you will see the site to site crypto map is replaced by the second crypto map.

e.g:

crypto ipsec transform-set REMOTEVPN_SET esp-3des esp-md5-hmac

crypto dynamic-map REMOTE_dynmap 20 set transform-set REMOTEVPN_SET

crypto map btbvpn 10 ipsec-isakmp

crypto map btbvpn 10 match address 10

crypto map btbvpn 10 set peer 10.x.x.x

crypto map btbvpn 10 set transform-set btbvpn

crypto map btbvpn 20 ipsec-isakmp dynamic REMOTE_dynmap

crypto map btbvpn client authentication ISA_RADIUS

crypto map btbvpn interface outside

Thanks, DJ

Cisco Employee

Re: Site-to-Site VPN and remote access on PIX 6.3(3)

while configuring the isakmp key use the command

isakmp key keystring address peer-address [netmask mask] [no-xauth] [no-config-mode]

no-xauth will tell the isakmp not to do the xauth for the L2L and no-config-mode will tell the isakmp not to distribute ip address to the L2L peer.

Let us know if that works

-Vikas

163
Views
0
Helpful
5
Replies