
PIX VPN support for Multiple Tunnel Endpoints

pphilosophe
Level 1

Can a single internet connection on the PIX support multiple VPN tunnel endpoints to remote offices? In other words, can I connect my PIX to a single internet connection using my outside interface, and simultaneously connect several remote VPN offices (such as 1700)?

4 Replies

thegreenwood
Level 1

Yes,

You should enter different crypto map tags for each location and a different isakmp key for each location.

Hi,

As an extension of the earlier question, I have a PIX firewall acting as a VPN concentrator for multiple VPN tunnels. However, the remote ends (spoke ends) are on dial networks, making it VPDN connectivity. How can I configure a different isakmp key for each VPN customer? Since the remote IPs are not fixed, how do I define different keys for different customers in the crypto map?

Will dynamic keys solve my requirement? Also note that currently I do not have any AAA server inside my network.

Sekhar

You can terminate several VPN tunnels to the same PIX without knowing the endpoint IP address by specifying a dynamic crypto map:

isakmp key "passphrase" address 0.0.0.0

The 0.0.0.0 address is basically a wildcard allowing your PIX to then try and negotiate a tunnel with an unknown IP address.

Hi,

Now I understand that a dynamic crypto map can be used to provide VPN connections to any unknown customers coming from the internet. But how will I be able to give dynamic keys to each of the VPN connections?

I hope my question is clear. In a static crypto map I can give a pre-shared key for authentication. How do I do it when using dynamic maps? Any pointer will be highly appreciated.

This is a pointer I got on CCO. Is this appropriate for my scenario?

http://www.cisco.com/warp/customer/110/pptpcrypto3.html

Thanks

Sekhar
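
The two approaches from the replies above (a separate entry and key per known office, and a wildcard key for peers with unknown addresses) combined in one configuration. This is an added example, not part of any post in the thread. It assumes PIX 6.x command syntax; the names `mymap`, `dynmap`, `myset` and the access-list names are hypothetical, the addresses are documentation ranges, the `<KEY_...>` strings are placeholders, and lines beginning with `:` are annotations for the reader.

```cisco
: Constructed sample. Inside network 10.0.0.0/24; remote offices 10.1.x.0/24.
access-list vpn_office1 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpn_office2 permit ip 10.0.0.0 255.255.255.0 10.1.2.0 255.255.255.0

crypto ipsec transform-set myset esp-3des esp-sha-hmac

: Offices with fixed addresses: one sequence-numbered entry each in the same map
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address vpn_office1
crypto map mymap 10 set peer 192.0.2.10
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address vpn_office2
crypto map mymap 20 set peer 198.51.100.20
crypto map mymap 20 set transform-set myset

: Dial-up offices with unknown addresses: dynamic map, referenced by the
: highest sequence number so the static entries are evaluated first
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 65000 ipsec-isakmp dynamic dynmap

: The whole map is bound to the single outside interface
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

: A different pre-shared key for each peer whose address is known
isakmp key <KEY_OFFICE1> address 192.0.2.10 netmask 255.255.255.255
isakmp key <KEY_OFFICE2> address 198.51.100.20 netmask 255.255.255.255
: Wildcard entry: every peer without a specific entry above authenticates
: with this one key, so it is shared by all dynamic-address offices
isakmp key <KEY_DYNAMIC> address 0.0.0.0 netmask 0.0.0.0

: Let decrypted IPSec traffic bypass the interface access lists
sysopt connection permit-ipsec
```

Because the wildcard key is common to every dynamic peer, anyone holding it can attempt to negotiate a tunnel from any address, and replacing it means reconfiguring every dial-up office at once.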