03-20-2002 11:38 AM - edited 02-20-2020 10:00 PM
PIX 515 version 6.0(1)
Site-to-site to Linksys works fine. When Xauth for client tunnels is enabled, the PIX is expecting the Linksys to authenticate with a username/password.
Here is the crypto portion of the config:
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address nonat_sec
crypto map mymap 20 set peer [Linksys IP]
crypto map mymap 20 set transform-set strongestset
crypto map mymap 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map mymap interface outside
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound
isakmp enable outside
isakmp key ******** address [Linksys IP] netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 1
isakmp policy 40 lifetime 86400
It looks like "cry map mymap client" should be authenticated, and "cry map mymap 20" should not.
Thoughts?
03-26-2002 05:42 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
03-26-2002 06:20 PM
Josh
For what it's worth, remember the rule of thumb on dynamic crypto maps? They should have lower priority, which means a higher sequence number. Also, you are terminating the VPN clients on the same interface, the PIX outside, right? Should you use the command:
isakmp key xxxx address PIX's_outside_addr no-config-mode to exclude the gateway itself from being authenticated?
what do you think?
03-28-2002 08:48 AM
I haven't tried this with the PIX, but the IOS FW has an extra command 'no-xauth' for LAN-to-LAN peers. Try:
crypto map mymap 20 set peer [Linksys IP] no-xauth
03-28-2002 12:34 PM
That's it!!
How obvious does something have to be... ;)
Thanks!
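For reference, here is what the crypto portion of the configuration above looks like with both suggestions from the thread applied: the static LAN-to-LAN entry moved below the dynamic map in priority (lower sequence number, so it is matched first) and the Linksys peer exempted from Xauth and mode-config while the VPN clients keep both. This is an added example, not the original poster's final configuration. It uses the isakmp key form of the exemption, isakmp key ... address ... [no-xauth] [no-config-mode], as documented for PIX 6.x, rather than the set peer form quoted in the reply. [Linksys IP] is the placeholder from the post, the transform-set definition for strongestset is assumed because the post does not show it, and the isakmp policy lines are unchanged from the post and omitted here.

```cisco
: Assumed definition; the original post references strongestset but does not show it
crypto ipsec transform-set strongestset esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
: Static LAN-to-LAN entry first: lowest sequence number = evaluated first
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat_sec
crypto map mymap 10 set peer [Linksys IP]
crypto map mymap 10 set transform-set strongestset
crypto map mymap 10 set security-association lifetime seconds 3600 kilobytes 4608000
: Dynamic map for the VPN clients last, so it only catches what no static entry matched
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
: Xauth and mode-config are still enabled for the whole map (the VPN clients need them)
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap client authentication AuthInbound
isakmp enable outside
: This one peer is exempted from both: it authenticates with the pre-shared key only
: and is never asked for a username/password or pushed a mode-config address
isakmp key ******** address [Linksys IP] netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
```

The two keywords only matter for the peer named on that isakmp key line; any other peer that lands on the dynamic map is still challenged by Xauth against AuthInbound. After pasting, "show crypto map" should list the static entry before the dynamic one, and "debug crypto isakmp" during a Linksys rekey should no longer show the PIX waiting on an Xauth reply.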