Site-to-Site and Remote Access VPN on Cisco 506 PIX

jaipspl2005
Level 1

Hi,

There are two sites and multiple mobile users for accessing the Central Office LAN Infrastructure. One site is in India and the other site is in the US. I had configured Site-to-Site VPN between India and the US and it's working perfectly OK. There are some mobile users in the US who will use the Central Office LAN Infrastructure through Remote Access VPN. The Central Office is located in the US.

I have created two different policies, i.e. one for Site-to-Site and the other for Remote Access.

sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set india esp-3des esp-md5-hmac
crypto ipsec transform-set remote esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set remote
crypto map savi_vpn_del 21 ipsec-isakmp
crypto map savi_vpn_del 21 match address <access-list no>
crypto map savi_vpn_del 21 set peer <ip address>
crypto map savi_vpn_del 21 set transform-set india
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp enable outside
isakmp key <key> address <ip address> netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption 3des
isakmp policy 21 hash md5
isakmp policy 21 group 1
isakmp policy 21 lifetime 86400
vpngroup <group name> address-pool ippool
vpngroup <group name> dns-server <dns server ip address>
vpngroup <group name> default-domain <domain name>
vpngroup <group name> split-tunnel 101
vpngroup <group name> idle-time 1800
vpngroup <group name> password <password>

As soon as I am applying both policies to the outside interface, one of them is overriding the other. It means only one policy can be applied on the outside interface at one particular time.

Is anything wrong with the configuration?

5 Replies

mostiguy
Level 6

Yep, there is something wrong with your config, but it's fixable.

crypto ipsec transform-set india esp-3des esp-md5-hmac

Remove this line as it is redundant - it specifies the same settings as "remote", and you are using remote currently.

crypto map savi_vpn_del 21 ipsec-isakmp
crypto map savi_vpn_del 21 match address
crypto map savi_vpn_del 21 set peer
crypto map savi_vpn_del 21 set transform-set india
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside

You have parts of 2 different map configurations. You can only have one named map assigned to an interface. This is the crux of your problem - when you assign (via crypto map xxxxx interface outside, which actually binds xxxx to the outside int) savi_vpn_del, the India tunnel works, when you assign mymap, the vpn clients work.

So, you want:

crypto map new 10 ipsec-isakmp
crypto map new 10 match address _______
crypto map new 10 set peer _______
crypto map new 10 set transform-set remote
crypto map new 20 ipsec-isakmp dynamic dynmap
crypto map new interface outside

This tells the pix to first attempt the site to site tunnel, and failing that, attempt the dynamic configuration - you do this in this order because you do not want your pix to think it needs to assign an ip address to the remote pix, the way it does to dynamic software clients. So, if you need to add any more site to site links, ensure they have a unique map priority value that is below that of the dynamic config (currently 20).

As for the isakmp config, you want to tweak the isakmp key line, and add no-xauth no-config-mode at the end of it to instruct the pix that those functions are not necessary for isakmp negotiation for that peer.

For the rest of the isakmp configuration, I think it should work fine - it will first attempt PFS group 2 (due to the value 10 policy), and if that fails, PFS group 1. You may just want to configure your other pix to use group 2 instead of group 1, and remove the entire isakmp policy 21 stuff, to have a cleaner configuration. Group 2 is a bit more robust security wise at the expense of more computational time (I doubt you would notice the difference). The software clients only support groups 2 and 5.
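A small configuration check, added here as an example and not part of this thread or of any Cisco tooling, that looks for the three problems the reply above describes: a crypto map that has entries but is not bound to an interface (only one map name can be active per interface), a dynamic entry whose sequence number puts it ahead of a site-to-site entry, and a site-to-site peer whose isakmp key line lacks no-xauth no-config-mode while the map has client authentication (XAUTH) enabled. The three sample configurations are constructed from the thread's lines; the peer address 192.0.2.1, access list 110 and the key value are placeholders, and the client authentication line on the merged map is assumed from the later follow-up question.

```python
"""Lint PIX 6.x crypto map lines for the mistakes discussed in this thread:
map names competing for one interface, a dynamic entry evaluated before the
site-to-site entries, and a site-to-site peer key missing no-xauth
no-config-mode while the map has XAUTH (client authentication) enabled."""
import re
from collections import defaultdict

MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$")
MAP_PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
MAP_IFACE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_XAUTH = re.compile(r"^crypto map (\S+) client authentication (\S+)$")
ISAKMP_KEY = re.compile(r"^isakmp key \S+ address (\S+) netmask \S+(.*)$")


def parse_crypto(config):
    """Collect per-map entries, interface bindings, XAUTH flags and isakmp keys."""
    maps = defaultdict(lambda: {"entries": {}, "interface": None, "xauth": False})
    keys = {}  # peer address -> keywords trailing its isakmp key line
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := MAP_ENTRY.match(line):
            name, seq, dyn = m.groups()
            maps[name]["entries"].setdefault(int(seq), {"peer": None})["dynamic"] = dyn
        elif m := MAP_PEER.match(line):
            name, seq, peer = m.groups()
            maps[name]["entries"].setdefault(int(seq), {"dynamic": None})["peer"] = peer
        elif m := MAP_IFACE.match(line):
            maps[m.group(1)]["interface"] = m.group(2)
        elif m := MAP_XAUTH.match(line):
            maps[m.group(1)]["xauth"] = True
        elif m := ISAKMP_KEY.match(line):
            keys[m.group(1)] = set(m.group(2).split())
    return dict(maps), keys


def lint_crypto(config):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    maps, keys = parse_crypto(config)
    findings = []
    bound = defaultdict(list)  # interface -> map names bound to it
    for name, info in maps.items():
        if info["interface"]:
            bound[info["interface"]].append(name)
        elif info["entries"]:
            findings.append(("UNBOUND_MAP", f"crypto map {name} has entries but no "
                             "interface binding; only one map name is active per interface"))
    for iface, names in bound.items():
        if len(names) > 1:
            findings.append(("MULTIPLE_BINDINGS", f"maps {sorted(names)} all claim "
                             f"interface {iface}; the last one configured wins, merge them"))
    for name, info in maps.items():
        entries = info["entries"]
        static = [s for s, e in entries.items() if e["dynamic"] is None]
        dynamic = [s for s, e in entries.items() if e["dynamic"] is not None]
        # Entries are evaluated in ascending sequence order, so the dynamic
        # entry must carry a higher number than every site-to-site entry.
        if static and dynamic and min(dynamic) < max(static):
            findings.append(("DYNAMIC_BEFORE_STATIC", f"crypto map {name}: dynamic entry "
                             f"{min(dynamic)} is tried before static entry {max(static)}"))
        for seq in static:
            peer = entries[seq]["peer"]
            if peer is None:
                findings.append(("PEER_MISSING", f"crypto map {name} {seq} has no set peer"))
            elif peer not in keys:
                findings.append(("PEER_KEY_MISSING", f"no isakmp key for peer {peer}"))
            elif info["xauth"] and not {"no-xauth", "no-config-mode"} <= keys[peer]:
                findings.append(("PEER_KEY_NEEDS_NO_XAUTH", f"isakmp key for site-to-site "
                                 f"peer {peer} needs 'no-xauth no-config-mode' (map {name} has XAUTH)"))
    return findings


# Constructed samples built from the thread; 192.0.2.1, ACL 110 and the key are placeholders.
ORIGINAL_CONFIG = """
crypto dynamic-map dynmap 10 set transform-set remote
crypto map savi_vpn_del 21 ipsec-isakmp
crypto map savi_vpn_del 21 match address 110
crypto map savi_vpn_del 21 set peer 192.0.2.1
crypto map savi_vpn_del 21 set transform-set india
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication partnerauth
crypto map mymap interface outside
isakmp key PLACEHOLDER address 192.0.2.1 netmask 255.255.255.255
"""
# Both entries moved into one map but keeping the old sequence numbers and key line.
NAIVE_MERGE = ORIGINAL_CONFIG.replace("savi_vpn_del", "mymap")
# The layout recommended in the reply; the client authentication line is assumed.
FIXED_CONFIG = """
crypto map new 10 ipsec-isakmp
crypto map new 10 match address 110
crypto map new 10 set peer 192.0.2.1
crypto map new 10 set transform-set remote
crypto map new 20 ipsec-isakmp dynamic dynmap
crypto map new client authentication partnerauth
crypto map new interface outside
isakmp key PLACEHOLDER address 192.0.2.1 netmask 255.255.255.255 no-xauth no-config-mode
"""

if __name__ == "__main__":
    for label, cfg in [("original", ORIGINAL_CONFIG), ("naive merge", NAIVE_MERGE),
                       ("fixed", FIXED_CONFIG)]:
        print(label, lint_crypto(cfg) or "OK")
```

Running it reports the unbound savi_vpn_del map for the original configuration, the sequence-order and key-line problems for a merge that keeps the old numbers, and nothing for the layout the reply recommends. The checks only cover the lines the thread discusses; a real PIX will also require the referenced access list and transform sets to exist.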

Thanks a lot.

What about the following line?

crypto dynamic-map dynmap 10 set transform-set remote

Will it remain the same or will it change in the above config?

That line is fine as it is referencing the defined remote transform set. The india transform set was unnecessary.

Thanks,

Remote users are authenticated through RADIUS Server.

"crypto map mymap client authentication partnerauth"

So, will it be fine if I use the same policy map for site-to-site and remote access VPN, or do I have to make some changes?

Hi,

I configured Site-to-Site and Remote Access VPN on Cisco PIX 506E as said earlier. But, after doing the above config, I am not able to use either of them. It shows me "remote peer not responding" in the case of Site-to-Site VPN and "remote peer terminates the connection" in the case of Remote Access VPN.

Authentication happens in case of Remote Access VPN, but we are not able to access remote LAN.

But, when I configured Site-to-Site & Remote Access VPN separately, it works fine.

Please advise on the same.