Pix 515 VPN - cisco Client, site-to-site static and dynamic

harpereric
Level 1

I currently have a Pix that needs multiple VPN functionality. I have two 515's with static IP addresses and a site-to-site VPN. One of the 515's also has Cisco VPN clients connect to it. Now I need to add the ability to have multiple 501's with dynamically assigned IP addresses connect to it. After searching around I added the crypto dynamic map statements to the config.

When the remote 501 tries to connect I get a MM_Key_Exch - I have rekeyed both machines and am sure the key is entered correctly.

I ran a debug crypto isakmp and noticed the following error:

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:68.x.x.237, dest:67.x.x.35 spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
crypto_isakmp_process_block:src:68.x.x.237, dest:67.x.x.35 spt:500 dpt:500

Also, when logging in through the PDM I get an error that I cannot have multiple crypto_dynamic_maps.

I have attached the config from the 515, with passwords and irrelevant info removed.

8 Replies

8dstaicu
Level 1

If I'm not wrong, I think you only need to change some sequence numbers:

crypto map TTVPN 10 ipsec-isakmp dynamic pix501

crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 10 set transform-set PGMS

The crypto dynamic-map changes went fine. When I changed the crypto map TTVPN 10 ipsec-isakmp dynamic PIX501 line, it removed the connection to the other 515, and the 501's still are not able to connect.

I have taken out that line and attached the new config, with the other two changes.

One thing missing is the no-nat statement for the new sites.

Regardless of whether the VPN peer is static or dynamic, a no-nat statement is required.

Attached is a copy of the Cisco doco.

I think I understand: do you want to use the 525 as Easy VPN server and the 501 as Easy VPN client?

Your current 525 config is able to have a LAN-to-LAN IPsec tunnel with colopix (206.x.x.33). You can also use the software VPN client to connect to the 525. Both should work. If the VPN client is not working, we can look at this.

If it's working, you have to configure the 501s to be Easy VPN clients.

All you need is to enter:

vpnclient enable

vpnclient vpngroup TTVPN password whateveritis

vpnclient username username_defined_in_radius password whateveritis_in_radius

And it will work, for sure.

You will need at least v6.2 (vpnclient appeared in this version, I think). For sure it is in v6.3.

I tried with the Easy VPN client and it only worked in client mode, not as a network extension.

I finally got it working.

I changed

crypto map TTVPN 10 ipsec-isakmp dynamic outside_dyn_map

to

crypto map TTVPN 20 ipsec-isakmp dynamic outside_dyn_map

This allowed the connection, but no traffic was flowing even though the SAs were negotiated.

I added the following statement to the access list:

access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0

After that it worked fine.

The only thing now is that you cannot use the PDM to manage the VPN config. Not that that's a major issue, but it is something that should probably be looked at in a future release of the PDM, since currently it cannot support multiple dynamic crypto maps.

Thanks for all of your assistance.

I have attached the config in case anyone else needs help.

Eric
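A small config check for the two mistakes this thread walks through, added here as an example and not taken from any of the attached configs: a dynamic crypto map entry that reuses (or sorts below) a static peer's sequence number, and a crypto ACL pair with no matching nat 0 exemption. The PIX fragment and the 203.0.113.33 peer address are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed PIX 6.x fragment (not the thread's attachment) reproducing the first attempt:
# the dynamic entry reuses sequence 10 of the static peer and the 10.0.0.0/24 <-> 192.168.1.0/24
# pair has no nat 0 exemption. 203.0.113.33 is a documentation address, not the real peer.
SAMPLE_CONFIG = """
access-list outside_cryptomap_10 permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set PGMS
crypto map TTVPN 10 ipsec-isakmp
crypto map TTVPN 10 match address outside_cryptomap_10
crypto map TTVPN 10 set peer 203.0.113.33
crypto map TTVPN 10 ipsec-isakmp dynamic outside_dyn_map
"""
# Same fragment with the thread's two fixes applied: sequence 20 and the extra nat 0 line.
FIXED_CONFIG = SAMPLE_CONFIG.replace("TTVPN 10 ipsec-isakmp dynamic", "TTVPN 20 ipsec-isakmp dynamic") \
    + "access-list inside_nat0_outbound permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0\n"
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MATCH = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+) match address (\S+)$")
ACL = re.compile(r"^access-list (\S+) permit ip (\S+ \S+ \S+ \S+)$")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
def lint_crypto_config(text):
    """Return findings for the two mistakes in the thread; an empty list means clean."""
    static, dynamic, acl_of, acls, nat0 = defaultdict(set), [], {}, defaultdict(set), None
    for line in (l.strip() for l in text.splitlines()):
        if m := ENTRY.match(line):                   # crypto map entry, static or dynamic
            name, seq = m.group(1), int(m.group(2))
            dynamic.append((name, seq)) if m.group(3) else static[name].add(seq)
        elif m := MATCH.match(line):                 # crypto ACL bound to a map entry
            acl_of[m.group(1, 2, 3)] = m.group(4)
        elif m := ACL.match(line):
            acls[m.group(1)].add(m.group(2))
        elif m := NAT0.match(line):
            nat0 = m.group(1)
    findings = []
    for name, seq in dynamic:
        if seq in static[name]:
            findings.append(f"crypto map {name} {seq}: dynamic entry reuses a static peer's sequence number and replaces it")
        elif any(s > seq for s in static[name]):
            findings.append(f"crypto map {name} {seq}: dynamic entry needs the highest sequence number in the map")
    # Every crypto ACL pair, static or dynamic, needs the identical pair in the nat 0 ACL.
    exempt = acls.get(nat0, set())
    for (kind, name, seq), acl in acl_of.items():
        for pair in sorted(acls.get(acl, set()) - exempt):
            findings.append(f"crypto {kind} {name} {seq}: no nat 0 exemption for '{pair}'")
    return findings
```

Running `lint_crypto_config(SAMPLE_CONFIG)` reports both problems from the first attempt, while `FIXED_CONFIG` comes back clean.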

It's good to hear that the no-nat statement does help!

Thanks to both of you for taking the time to help me fix this problem.

Eric