PIX is trying to Xauth my site-to-site

JOSH GANT
Level 1

PIX 515 version 6.0(1)

Site-to-site to Linksys works fine. When Xauth for client tunnels is enabled, the PIX is expecting the Linksys to authenticate with a username/password.

Here is the crypto portion of the config:

crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address nonat_sec
crypto map mymap 20 set peer [Linksys IP]
crypto map mymap 20 set transform-set strongestset
crypto map mymap 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap interface outside
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound
isakmp enable outside
isakmp key ******** address [Linksys IP] netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400

It looks like "cry map mymap client" should be authenticated, "cry map mymap 20" should not.

Thoughts?

4 Replies

ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

srittenberg
Level 1

Josh

For what it's worth, remember the rule of thumb on the dynamic crypto map? They should have lower priority, which means a higher seq-number. Also, you are terminating the VPN client on the same interface as the PIX outside, right? Should you use the command:

isakmp key xxxx address PIX'soutside_add no-config-mode to exclude the gateway itself from being authenticated?

what do you think?

rmotzer
Level 1

Haven't tried this with the PIX, but the IOS FW has an extra command 'no-xauth' for lan-lan peers, try:

crypto map mymap 20 set peer [Linksys IP] no-xauth

That's it!!

How obvious does something have to be... ;)

Thanks!
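The two points raised in the replies above (srittenberg's dynamic-map sequence ordering and rmotzer's no-xauth on the static peer) can be checked mechanically before pushing a crypto map. The following is an added audit script, not part of this thread or of any Cisco tool; it assumes the no-xauth keyword on "set peer" exactly as rmotzer gave it, and uses the documentation address 203.0.113.5 as a constructed stand-in for [Linksys IP].

```python
import re

# Constructed sample: the original poster's crypto map lines, with a
# placeholder peer address in place of [Linksys IP].
BEFORE = """
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set peer 203.0.113.5
crypto map mymap client authentication AuthInbound
"""
# rmotzer's fix applied: the LAN-to-LAN peer is exempted from Xauth.
WITH_NO_XAUTH = BEFORE.replace("set peer 203.0.113.5", "set peer 203.0.113.5 no-xauth")
# srittenberg's point applied as well: dynamic entry moved to the highest seq.
FIXED = WITH_NO_XAUTH.replace("mymap 10 ipsec-isakmp dynamic", "mymap 30 ipsec-isakmp dynamic")

DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)( no-xauth)?$")
AUTH_RE = re.compile(r"^crypto map (\S+) client authentication (\S+)$")

def audit_crypto_map(config: str) -> list[str]:
    """Return one finding per static peer that is misordered or Xauth-exposed."""
    dynamic = {}      # map name -> seq numbers of dynamic entries
    peers = {}        # map name -> [(seq, peer address, has no-xauth)]
    xauth_maps = set()  # maps with 'client authentication' (Xauth) enabled
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := DYN_RE.match(line):
            dynamic.setdefault(m[1], []).append(int(m[2]))
        elif m := PEER_RE.match(line):
            peers.setdefault(m[1], []).append((int(m[2]), m[3], bool(m[4])))
        elif m := AUTH_RE.match(line):
            xauth_maps.add(m[1])
    findings = []
    for name, entries in peers.items():
        for seq, peer, no_xauth in entries:
            # Lower seq = higher priority, so a dynamic entry below a static
            # one is consulted first (srittenberg's rule of thumb).
            for dseq in dynamic.get(name, []):
                if dseq < seq:
                    findings.append(f"{name}: dynamic entry seq {dseq} outranks "
                                    f"static peer {peer} (seq {seq}); give the dynamic map the highest seq")
            # With Xauth on the map, a static peer without no-xauth gets challenged.
            if name in xauth_maps and not no_xauth:
                findings.append(f"{name} {seq}: static peer {peer} will be Xauth-challenged; add no-xauth")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("no-xauth", WITH_NO_XAUTH), ("fixed", FIXED)):
        print(label, audit_crypto_map(cfg))
```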
