Cisco Support Community


Pix to Pix remote access certificate authentication with split-tunnel

I'll try to be as clear and concise as possible.

I am running a PIX 515E at my office, and have several remote users with 501s in the field. These folks will have to connect from unknown IPs, therefore I am using a dynamic crypto map, and I thought vpngroup.

I was having issues getting the split-tunnel to take, and after some investigation, I found that the 501s weren't connecting as vpngroup clients, therefore the split-tunnel ACLs weren't being published to them.

I need to see if there is some way that I can get these PIXs to connect using the certificates, and use their split tunnels. If anyone has a good way to do this, please let me know. I have the PIXs working fine with the cert authentication, and they pass traffic fine, but the users who are on these are unable to get internet while the vpn tunnel is connected.

Thanks in advance


Re: Pix to Pix remote access certificate authentication with spl

PIX Firewall Version 6.3 allows the use of IPsec Main Mode by providing RSA-SIG support for X.509 certificates. To establish a VPN tunnel using certificates, an Easy VPN Server using Cisco IOS software needs to be running IOS version 122-13.T1 or later. Earlier versions of Cisco IOS software do not support the XAUTH RSA-SIG policy that is required for using certificates to establish a VPN tunnel. With previous versions of PIX Firewall used as an Easy VPN Remote, IPSec Aggressive Mode was required so that vpngroup to key mappings could be performed at the Easy VPN Server. With RSA-SIG support, this restriction no longer applies and IPSec Main Mode can be used. Aggressive Mode is used for pre-shared keys and Main Mode is used for RSA-SIG based key exchange.

With PIX Firewall Version 6.3, the default option is RSA-SIG. To use pre-shared keys, enter the following command:

vpnclient vpngroup groupname password preshared_key

PIX Firewall Version 6.3 introduces additional encryption options for use by the Easy VPN Remote. These include Advanced Encryption Standard (AES) and Diffie-Hellman Group 5. Use of these protocols is determined by licensing (3DES, AES) and the use of Main Mode or Aggressive Mode. Diffie-Hellman groups are negotiable only in Main Mode.
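The reply above covers the protocol side; what the original question turns on is that vpngroup attributes such as the split-tunnel ACL are only pushed to a peer that connects as an Easy VPN Remote (vpnclient), not to a peer that terminates a plain site-to-site crypto map. The configuration below is an added example written for this thread, not the poster's configuration or Cisco's own documentation. Group name, trustpoint name, ACL name, pool and addresses are all constructed placeholders; the `vpnclient trustpoint` keyword and the assumption that the server picks the vpngroup from the certificate's OU field are from memory of the 6.3 feature set and should be checked against the 6.3 command reference before use.

```cisco
! ---- Easy VPN Server side (PIX 515E, 6.3) -- constructed example ----
! Address pool and split-tunnel ACL are vpngroup attributes; they are only
! delivered to a peer that negotiates as an Easy VPN Remote (mode config).
ip local pool fieldpool 192.168.200.1-192.168.200.50
access-list split_tunnel permit ip 10.1.0.0 255.255.0.0 192.168.200.0 255.255.255.0
vpngroup fieldusers address-pool fieldpool
vpngroup fieldusers split-tunnel split_tunnel
vpngroup fieldusers idle-time 1800
!
! Main Mode with certificates (rsa-sig); no vpngroup password is needed.
! Assumption: the server selects the vpngroup from the OU field of the
! remote's certificate, so the 501 certificates carry OU=fieldusers.
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp enable outside
!
! Remotes come from unknown addresses, so a dynamic crypto map is used;
! "client configuration address respond" lets the server hand out the pool
! address and the split-tunnel list during mode config.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
sysopt connection permit-ipsec

! ---- Easy VPN Remote side (PIX 501, 6.3) -- constructed example ----
! The 501 must be configured as a vpnclient, not with its own crypto map,
! otherwise the server never pushes the vpngroup attributes to it.
! Certificate authentication (rsa-sig) is the 6.3 default, so the
! "vpnclient vpngroup ... password ..." line from the reply is omitted;
! "vpnclient trustpoint" (assumed 6.3 syntax) names the enrolled identity.
vpnclient server 203.0.113.10
vpnclient mode client-mode
vpnclient trustpoint fieldca
vpnclient enable
```

On the remote, "show vpnclient" (and on the server "show vpngroup") should list the split-tunnel ACL once the tunnel is up; a 501 whose traffic still all goes into the tunnel while the vpngroup shows the ACL is usually a peer that matched a static or dynamic crypto map entry instead of the vpnclient path.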