03-31-2005 05:35 AM - edited 02-21-2020 01:41 PM
Hi,
There are two sites and multiple mobile users accessing the Central Office LAN Infrastructure. One site is in India and the other is in the US. I had configured Site-to-Site VPN between India and the US and it's working perfectly OK. There are some mobile users in the US who will use the Central Office LAN Infrastructure through Remote Access VPN. The Central Office is located in the US.
I have created two different policies, i.e. one for Site-to-Site and the other for Remote Access.
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set india esp-3des esp-md5-hmac
crypto ipsec transform-set remote esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote
crypto map savi_vpn_del 21 ipsec-isakmp
crypto map savi_vpn_del 21 match address <access-list no>
crypto map savi_vpn_del 21 set peer <ip address>
crypto map savi_vpn_del 21 set transform-set india
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp key <key> address <ip address> netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
vpngroup <group name> address-pool ippool
vpngroup <group name> dns-server <dns server ip address>
vpngroup <group name> default-domain <domain name>
vpngroup <group name> split-tunnel 101
vpngroup <group name> idle-time 1800
vpngroup <group name> password <password>
As soon as I apply both policies to the outside interface, one of them overrides the other. This means only one policy can be applied to the outside interface at one particular time.
Is anything wrong with the configuration?
03-31-2005 07:54 AM
Yep, there is something wrong with your config, but it's fixable.
crypto ipsec transform-set india esp-3des esp-md5-hmac
Remove this line as it is redundant; it specifies the same settings as "remote", and you are using remote currently.
crypto map savi_vpn_del 21 ipsec-isakmp
crypto map savi_vpn_del 21 match address
crypto map savi_vpn_del 21 set peer
crypto map savi_vpn_del 21 set transform-set india
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
You have parts of 2 different map configurations. You can only have one named map assigned to an interface. This is the crux of your problem: when you assign (via crypto map xxxxx interface outside, which actually binds xxxx to the outside int) savi_vpn_del, the India tunnel works; when you assign mymap, the VPN clients work.
So, you want:
crypto map new 10 ipsec-isakmp
crypto map new 10 match address _______
crypto map new 10 set peer _______
crypto map new 10 set transform-set remote
crypto map new 20 ipsec-isakmp dynamic dynmap
crypto map new interface outside
This tells the pix to first attempt the site to site tunnel, and failing that, attempt the dynamic configuration. You do this in this order because you do not want your pix to think it needs to assign an ip address to the remote pix, the way it does to dynamic software clients. So, if you need to add any more site to site links, ensure they have a unique map priority value that is below that of the dynamic config (currently 20).
As for the isakmp config, you want to tweak the isakmp key line, and add no-xauth no-config-mode at the end of it to instruct the pix that those functions are not necessary for isakmp negotiation for that peer.
For the rest of the isakmp configuration, I think it should work fine: it will first attempt PFS group 2 (due to the value 10 policy), and if that fails, PFS group 1. You may just want to configure your other pix to use group 2 instead of group 1, and remove the entire isakmp policy 21 stuff, to have a cleaner configuration. Group 2 is a bit more robust security-wise at the expense of more computational time (I doubt you would notice the difference). The software clients only support groups 2 and 5.
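As an added example (not from this thread or from Cisco), here is a small Python checker that parses a PIX-style config and flags the three issues the reply above identifies: a crypto map with entries that is never bound to an interface, a dynamic entry sequenced before a static one, and a site-to-site peer's isakmp key that lacks no-xauth no-config-mode. The two sample configs, the peer address and the key are constructed placeholders, not values from the original post.

```python
import re
# Constructed samples modelled on the thread; peer address and key are placeholders.
BROKEN_CFG = """
crypto map savi_vpn_del 21 ipsec-isakmp
crypto map savi_vpn_del 21 set peer 203.0.113.10
crypto map savi_vpn_del 21 set transform-set india
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp key SECRET address 203.0.113.10 netmask 255.255.255.255
"""
FIXED_CFG = """
crypto map new 10 ipsec-isakmp
crypto map new 10 set peer 203.0.113.10
crypto map new 10 set transform-set remote
crypto map new 20 ipsec-isakmp dynamic dynmap
crypto map new interface outside
isakmp key SECRET address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
"""
def parse(cfg):
    """Collect crypto map entries, interface bindings and isakmp key flags."""
    maps, bound, keys = {}, {}, {}
    for line in cfg.strip().splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) (.*)", line):
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
            e = maps.setdefault(name, {}).setdefault(seq, {"dynamic": False, "peers": []})
            e["dynamic"] |= "dynamic" in rest
            if rest[:2] == ["set", "peer"]:
                e["peers"].append(rest[2])
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m.group(1)] = m.group(2)
        elif m := re.match(r"isakmp key \S+ address (\S+)(.*)", line):
            keys[m.group(1)] = m.group(2).split()
    return maps, bound, keys
def check(cfg):
    maps, bound, keys = parse(cfg)
    findings, static_peers = [], set()
    for name, entries in maps.items():
        if name not in bound:  # only one named map can be bound per interface
            findings.append(f"crypto map {name} is not bound to any interface")
        dyn = [s for s, e in entries.items() if e["dynamic"]]
        static = [s for s, e in entries.items() if not e["dynamic"]]
        static_peers.update(p for s in static for p in entries[s]["peers"])
        if dyn and static and min(dyn) < max(static):  # static entries must come first
            findings.append(f"dynamic entry {min(dyn)} in {name} precedes static entry {max(static)}")
    for peer in sorted(static_peers):  # site-to-site peers skip xauth and mode-config
        for flag in ("no-xauth", "no-config-mode"):
            if flag not in keys.get(peer, []):
                findings.append(f"isakmp key for {peer} lacks {flag}")
    return findings
```

Running check(BROKEN_CFG) reports the unbound savi_vpn_del map and the two missing isakmp key flags, while check(FIXED_CFG) returns no findings.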
03-31-2005 08:48 PM
Thanks a lot.
What about the following line?
crypto dynamic-map dynmap 10 set transform-set remote
Will it remain the same or will it change in the above config?
04-01-2005 07:04 AM
That line is fine as it is referencing the defined remote transform set. The india transform set was unnecessary.
04-01-2005 10:14 PM
Thanks,
Remote users are authenticated through RADIUS Server.
"crypto map mymap client authentication partnerauth"
So, will it be fine if I use the same policy map for site-to-site and remote access VPN, or do I have to make some changes?
04-24-2005 11:51 PM
Hi,
I configured Site-to-Site and Remote Access VPN on Cisco PIX 506E as said earlier. But, after doing the above config, I am not able to use either of them. It shows me "remote peer not responding" in the case of Site-to-Site VPN and "remote peer terminates the connection" in the case of Remote Access VPN.
Authentication happens in the case of Remote Access VPN, but we are not able to access the remote LAN.
But, when I configured Site-to-Site & Remote Access VPN separately, it works fine.
Please advise on the same.