04-06-2003 10:07 PM - edited 03-10-2019 07:14 AM
Dear Sir,
I am configuring a PIX-to-PIX VPN tunnel using IPSec/IKE and would like to use the PIX local database for authentication, not an external TACACS+ or RADIUS server. Can someone show me what command can be used for PIX local database authentication for a PIX-to-PIX VPN tunnel using IPSec? (Just like the vpdn command can be used for PPTP or L2TP for PIX local database authentication.)
How do I configure the VPN client in Windows XP to access the remote private network via this PIX-to-PIX VPN tunnel using IPSec?
Thank you very much for your help!
Simon
04-07-2003 09:09 PM
Not sure what you're asking here, cause there is no user authentication in a PIX-to-PIX tunnel.
If you're asking how to set up local user authentication for VPN clients connecting to a PIX with v6.3 code, then use the following commands:
> username
> crypto map
04-08-2003 10:42 AM
Thank you very much for your response. My question is about trying to use a Windows XP VPN client at the inside interface of a PIX 525 to reach our remote office internal network at the inside interface of a PIX 515 via the PIX-to-PIX VPN tunnel, using local database authentication (see the config below, which I followed from the Cisco sample config). I added your command to my config and got "remote computer did not respond" after I tried to connect. Can you help check my config for what causes the problem? Thank you again. -Simon
access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set mstarset esp-des esp-md5-hmac
crypto map mstarmap 1 ipsec-isakmp
crypto map mstarmap 1 match address 101
crypto map mstarmap 1 set peer 192.168.1.52
crypto map mstarmap 1 set transform-set mstarset
crypto map mstarmap interface outside
isakmp enable outside
isakmp key 123546789 address 192.168.1.52 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
username cisco password pixtest
crypto map mstarmap client authentication LOCAL
04-08-2003 04:38 PM
Still not sure what you're trying to do here. You have a PIX-to-PIX IPSec tunnel, which has nothing to do with user authentication. User authentication, particularly the command I gave you, is for VPN clients connecting into the PIX remotely and accessing internal hosts, it is NOT for a PIX-to-PIX tunnel.
You mention that you are using an XP VPN client on the inside of the PIX, but how are you using this when you already have a PIX-to-PIX tunnel? What are you connecting to and terminating your XP client tunnel on? Whatever this device is is where you need to configure the username authentication stuff.
04-09-2003 08:01 AM
I am sorry for confusing you. So you mean user authentication is not needed for a PIX-to-PIX IPSec tunnel? Then let me ask my question in a simple way: how do I connect to the remote office internal network (which is at the inside interface of the PIX) through the PIX-to-PIX tunnel from an XP client at the inside interface of the local PIX?
For example, there is a server with PCAnywhere Host (IP 192.168.10.10) at the remote office and I would like to connect to it using PCAnywhere on my local XP client at 172.16.100.10. I have the PIX-to-PIX tunnel configured on both PIXes and I could not connect to the PCAnywhere Host at the remote office. Below is the PIX-to-PIX tunnel configuration on one of the PIXes (I did not list the config for the firewall part because it is working well). Can you help check what causes the problem? I really appreciate your help and Thank You Very Much Again.
-Simon
access-list 101 permit ip 192.168.100.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
crypto ipsec transform-set mstarset esp-des esp-md5-hmac
crypto map mstarmap 1 ipsec-isakmp
crypto map mstarmap 1 match address 101
crypto map mstarmap 1 set peer 192.168.1.52
crypto map mstarmap 1 set transform-set mstarset
crypto map mstarmap interface outside
isakmp enable outside
isakmp key 123546789 address 192.168.1.52 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 1000
04-09-2003 07:34 PM
Assuming that routing is configured properly, you should be able to simply connect using the remote host's IP address. The config you provided seems OK.
Does your local XP machine have a route to the 192.168.10.0 network that points to the inside interface of the PIX? This can either be a default route or a specific route in the hosts routing table.
Similarly, does the remote host have a route to the 172.16.100.0 network that points it to the inside interface of the remote PIX, either via a default route or a specific route?
Are you sure the tunnel is up between these PIX? Can you send a "sho cry ipsec sa" output from either PIX, that'll tell us for sure.
04-09-2003 09:47 PM
First, I thank you for staying late for answering my question.
The default gateway of my local XP machine is pointed to the inside interface of the local PIX (172.16.1.1), and the local PIX has the default route "route outside 0 0 65.22.112.1 1" configured. The same thing is configured on the remote PIX. I am not sure if I have answered your question. If not, please let me know what command you expect to be configured on the PIX. I think we are getting close to resolving my problem. Below is the output when I do "sho cry ipsec sa" on one PIX:
pix1# sh cry ipsec sa
interface: outside
Crypto map tag: mwavemap, local addr. 4.67.22.2
local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 65.197.235.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 4.67.22.2, remote crypto endpt.: 65.197.235.2
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 6c711408
inbound esp sas:
spi: 0xd2796a9b(3531172507)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mwavemap
sa timing: remaining key lifetime (k/sec): (4608000/7807)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6c711408(1819350024)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mwavemap
sa timing: remaining key lifetime (k/sec): (4608000/7798)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
pix1#
Please let me know if the output is correct. Thank you again. -Simon
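The output above shows 8 packets encapsulated and 0 decapsulated on the mwavemap SAs, with 2 send errors: the local PIX is encrypting traffic toward its peer but nothing is coming back. As an added example that is not part of this thread, here is a small Python parser that pulls those counters out of "show crypto ipsec sa" output and classifies the SA pair; the sample text is a shortened, constructed copy of the output posted above.

```python
import re
# Constructed sample: the counter lines from the thread's "sho cry ipsec sa" output, shortened.
SAMPLE_OUTPUT = """\
interface: outside
Crypto map tag: mwavemap, local addr. 4.67.22.2
local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
current_peer: 65.197.235.2
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#send errors 2, #recv errors 0
"""

# Field name -> regex; counter fields are converted to int, ident fields joined as net/mask.
PATTERNS = {
    "map": re.compile(r"Crypto map tag: (\S+),"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "local_ident": re.compile(r"local ident \S+: \((\S+?)/(\S+?)/"),
    "remote_ident": re.compile(r"remote ident \S+: \((\S+?)/(\S+?)/"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "recv_errors": re.compile(r"#recv errors (\d+)"),
}
COUNTERS = ("encaps", "decaps", "send_errors", "recv_errors")

def parse_ipsec_sa(text):
    # Returns one dict per "Crypto map tag" block found in the output.
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Crypto map tag:"):
            entries.append(dict.fromkeys(COUNTERS, 0))  # a new crypto-map entry starts here
        if not entries:
            continue  # header lines (e.g. "interface:") before the first entry
        for field, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                val = m.groups()
                entries[-1][field] = int(val[0]) if field in COUNTERS else "/".join(val)
    return entries

def diagnose(entry):
    # Classify an SA pair from its packet counters; the thread's output is the one-way case.
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "idle: no traffic has matched the crypto ACL yet"
    if entry["decaps"] == 0:
        return "one-way: local PIX encrypts toward the peer but receives nothing back"
    if entry["encaps"] == 0:
        return "one-way: peer sends but the local PIX never encrypts a reply"
    return "bidirectional"
```

A one-way count narrows the search to the return path, which is what the previous reply was asking about: the remote host's route back to 172.16.0.0/16 and the peer PIX's own crypto ACL and NAT exemption.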