
IPSec solution for Cisco803/VPN3030 and dynamic IP address

jpmanrique
Level 1

Hi,

I need to implement IPsec access from many Cisco 803 boxes (ISDN access) to a VPN 3030 as the tunnel-endpoint box. The problem is that we have dynamic public IP addresses on the spoke side, and the EasyVPN Remote feature is not supported on the Cisco 803. I need to implement user/password authentication for each spoke, so I was thinking of IKE aggressive mode, but it is probably not supported on the VPN 3030 as a tunnel endpoint. Could you confirm this? I would appreciate any help in finding the best IPsec solution for this topology. Thanks in advance!

4 Replies

gfullage
Cisco Employee

This sample config should help you out:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00801dd672.shtml

Note that this is for PIXes getting their IP address via DHCP, but the concept is exactly the same on the VPN 3000. You define a "Default pre-shared key" under the Base Group, and the 803s will match their pre-shared keys to this. This is a LAN-to-LAN setup, so there's no way to do user/password type authentication.

Aggressive mode is not supported for LAN-to-LAN tunnels, and it wouldn't give you user/password authentication anyway.
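
The spoke side of the setup described in this reply, as an added example that is not part of the original thread or of the linked Cisco document: a Cisco 803 IOS configuration for a standard LAN-to-LAN (crypto map) tunnel from a dynamically addressed ISDN dialer interface to the concentrator, authenticated in main mode with the single pre-shared key that the VPN 3000's Base Group "Default pre-shared key" will match. The hub address 203.0.113.1, the LAN ranges, the dial string, the key string and the object names are placeholders, not values from the thread.

```cisco
! Added example: Cisco 803 spoke with a dynamic public IP on Dialer1.
! Hub address, subnets, dial string, key and names are placeholders.
!
! Phase 1: main mode with a pre-shared key. The hub cannot know the spoke's
! address in advance, so every 803 presents the same key and the concentrator
! matches it against the Base Group "Default pre-shared key".
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! The same key is configured on every spoke and once in the concentrator's
! Base Group; rotating it means touching every 803 and the hub together.
crypto isakmp key ThisKeyIsSharedByAll803s address 203.0.113.1
!
! Phase 2 proposal
crypto ipsec transform-set HUB-TS esp-3des esp-sha-hmac
!
! Static crypto map: the spoke always initiates toward the hub's fixed address,
! so the spoke's own (changing) address never has to be configured anywhere.
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HUB-TS
 match address 101
!
! Traffic to protect: spoke LAN to hub networks (placeholder ranges)
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
!
! Dialer profile for the ISDN link; the public address is assigned by the ISP
! on each call, which is why the crypto map is bound to the dialer interface.
interface Dialer1
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer string 5551234
 dialer-group 1
 crypto map HUB-MAP
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
! ISDN dial trigger and default route out the dialer
dialer-list 1 protocol ip permit
ip route 0.0.0.0 0.0.0.0 Dialer1
```

Once the ISDN call is up, check the negotiation with `show crypto isakmp sa` and `show crypto ipsec sa` on the 803. The security trade-off is the one stated in the reply: the concentrator identifies a spoke only by the shared key, so nothing in this tunnel tells the hub which 803 connected, and the key recovered from any one remote router is the key for all of them. That loss of per-router authentication is exactly what the original poster was hoping to get back with EzVPN.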

I see your point, but I have new issues. How are the other specific groups affected if I reconfigure the Base Group to support a pre-shared key? Is it possible to delegate the pre-shared key authentication to an AAA server? It seems possible according to the config windows. However, I am very confused because that's very similar to aggressive mode. In summary, I would prefer to implement a solution which includes group authentication and user authentication per router. EasyVPN Remote mode with network extension mode is like a LAN-to-LAN but with group and user authentication. If you confirm that this is not possible, I would appreciate more information about the solution based on the Base Group config on the VPN concentrator. Thanks in advance!

I apologize for my insistence. I am extremely interested in knowing your opinion about the issues included in the previous post. Also, I would appreciate it if you could tell me whether the EzVPN Remote feature is included in the c803 roadmap. Any information about that, or a contact within Cisco, would be extremely welcome.

Thanks in advance,

Juan Pedro Manrique.

Configuring the default pre-shared key under the Base Group won't affect the other groups; they'll continue to use their own password as the pre-shared key for incoming client connections. The only real issue I see with this is that all your 803s will be using the same pre-shared key, but that's not much different from all your VPN clients using the same group password anyway. You also lose the user authentication part, but without EzVPN it's not possible for the 803 to negotiate a username/password with a standard LAN-to-LAN tunnel config.

It's not currently possible to offload this default PSK to a RADIUS server, and I'm not sure what that would get you anyway.

Agreed that EzVPN is similar to LAN-to-LAN but with group and user authentication, but as you've discovered it is not supported on the 803s. I haven't seen any information saying that it is going to be, either. I would recommend you contact your Cisco account team and get them to find out for you; they can also push the issue and possibly get it integrated for you if it is possible.