Redistributing IPSEC sessions on the Pix

cpalayoor
Level 1

Hi,

How does one make the PIX redistribute via RIP its VPN connections?

The routes should be established dynamically as the IPSEC tunnels get built up and torn down.

Thanks in advance for any insight.

Regards

Mathew

1 Reply

ccarter
Level 1

We have a similar question.

In one office we use a 2651 with an AIM-VPN module to terminate the VPN clients; the route for each client is then entered into the local routing table using 'reverse-route' on the crypto map. Distribution is then by EIGRP or OSPF (or RIP if you really want) as per a static route.

crypto dynamic-map mapname 10
 set transform-set myset
 reverse-route
!
router ospf 100
 log-adjacency-changes
 redistribute static metric 200 subnets route-map ospf_add
 network 192.168.1.0 0.0.0.255 area 0.0.0.0
!
ip local pool vpnippool 192.168.2.1 192.168.2.254
!
access-list 50 permit 192.168.2.0 0.0.0.255
route-map ospf_add permit 20
 match ip address 50

This works perfectly. In another office we have a PIX515E-DMZ to terminate the VPN clients.

ip local pool vpnpool1 192.168.4.1-192.168.4.254
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map mapname 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic mapname
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 client authentication RADIUS
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnname address-pool vpnpool1
vpngroup vpnname split-tunnel 102
vpngroup vpnname idle-time 1800
vpngroup vpnname password ********
router ospf 100
 network 192.168.3.0 255.255.255.0 area 0.0.1.0
 area 0.0.1.0
 router-id 192.168.3.1
 log-adj-changes

What we want to be able to do is also redistribute the VPN routes via OSPF on the PIX. I read something about RRI being included in version 7 but there are still a couple of bugs that need to be sorted out.
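For reference, the PIX 7.x / ASA equivalent of the IOS reverse-route setup above, as an added example that is not part of either poster's configuration. It assumes 7.x syntax (`set reverse-route` on the dynamic map, a named standard access-list for the route-map) and reuses the poster's pool and OSPF area; the RRI routes are installed as statics for the connected clients' addresses, so the same `redistribute static` plus route-map filter limits what leaks into OSPF to the VPN pool.

```cisco
! Added example (PIX/ASA 7.x syntax assumed), not the poster's config.
ip local pool vpnpool1 192.168.4.1-192.168.4.254
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
!
! RRI: a /32 static route is injected for each client that connects
! and withdrawn when its tunnel is torn down.
crypto dynamic-map dynmap 10 set transform-set trmset1
crypto dynamic-map dynmap 10 set reverse-route
crypto map map1 10 ipsec-isakmp dynamic dynmap
crypto map map1 interface outside
!
! Only advertise routes inside the VPN pool, nothing else that is static.
access-list vpn_pool_routes standard permit 192.168.4.0 255.255.255.0
route-map ospf_add permit 20
 match ip address vpn_pool_routes
!
router ospf 100
 router-id 192.168.3.1
 network 192.168.3.0 255.255.255.0 area 0.0.1.0
 log-adj-changes
 redistribute static metric 200 subnets route-map ospf_add
```

Check with `show route` (the injected client /32s appear as statics while a client is connected) and `show ospf database` on a neighbour to confirm they arrive as external LSAs and disappear when the tunnel drops.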