Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Site to Site VPN + Dynamic VPN + XAUTH Catch 22

Hi everyone,

I am working on a PIX 515e with 6.3(3)132 installed.  I am having an issue configuring a new site-to-site VPN connection with a dynamic VPN already being in place.

The problem is that the crypto map has xauth specified using the "crypto map client authentication" command.  As it is my understanding that it's not possible to assign multiple crypto maps to the same interface, the new site-to-site tunnel that I'm creating also requires xauth because its definition is under the same crypto map  - Which is a problem because the remote device does not support it.

Is there any way around this issue, or is the only thing we can do is turn off xauth and reconfigure the endpoint on the other end of the dynamic connection?

Thanks in advance

Config snippet:

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap 22 ipsec-isakmp

crypto map mymap 22 match address 122

crypto map mymap 22 set peer x.x.x.x

crypto map mymap 22 set transform-set 3des

crypto map mymap client authentication AuthOutbound

crypto map mymap interface outside

Whereas:

crypto map TUN 22 ipsec-isakmp

crypto map TUN 22 match address 122

crypto map TUN 22 set peer x.x.x.x

crypto map TUN 22 set transform-set 3des

crypto map TUN interface outside

Would work, except switching the crypto map interface mapping to TUN would break the dynamic VPN.

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Site to Site VPN + Dynamic VPN + XAUTH Catch 22

Hi,

The dynamic crypto map normally requires XAUTH for the VPN clients.

If you want to configure a Site-to-Site tunnel and avoid XAUTH on this tunnel, you can do the following:

crypto isakmp key ######## address x.x.x.x no-xauth

The idea is to disable XAUTH for each specific Site-to-Site peer in this way (the dynamic clients will continue to function with XAUTH).

Federico.

3 REPLIES

Re: Site to Site VPN + Dynamic VPN + XAUTH Catch 22

Hi,

The dynamic crypto map normally requires XAUTH for the VPN clients.

If you want to configure a Site-to-Site tunnel and avoid XAUTH on this tunnel, you can do the following:

crypto isakmp key ######## address x.x.x.x no-xauth

The idea is to disable XAUTH for each specific Site-to-Site peer in this way (the dynamic clients will continue to function with XAUTH).

Federico.

New Member

Re: Site to Site VPN + Dynamic VPN + XAUTH Catch 22

Thank you, Federico!

That did the trick.

Re: Site to Site VPN + Dynamic VPN + XAUTH Catch 22

Glad I could help.


Thank you :-)

Federico.

1245
Views
5
Helpful
3
Replies
CreatePlease to create content