01-05-2005 02:44 PM - edited 02-21-2020 01:31 PM
Hello,
I have a customer that needs to have the ability for remote users to access the network as well as setup a site to site VPN. I have a configuration that is nearly complete however I'm only able to have one of the two setups active at any one given time because of the following command:
crypto map user2site interface outside
Has anybody done this or have any tips? Thanks! See config below:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname CA-PIX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit icmp any anyaccess-list user2site permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list site2site permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 64.***.***.34 255.255.255.248
ip address inside 192.168.17.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.16.1.1-172.16.1.100
pdm location 192.168.17.0 255.255.255.255 inside
pdm location 192.168.17.60 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list user2site
nat (inside) 2 access-list site2site 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.***.***.35 192.168.17.60 netmask 255.255.255.255 0 0
static (inside,outside) 64.***.***.36 192.168.17.61 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.***.***.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.17.0 255.255.255.0 inside
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set CAtransform esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set CAtransform
crypto map user2site 10 ipsec-isakmp dynamic dynmap
crypto map user2site interface outside
crypto map toMiami 20 ipsec-isakmp
crypto map toMiami 20 match address site2site
crypto map toMiami 20 set peer 65.***.***.127
crypto map toMiami 20 set transform-set CAtransform
isakmp enable outside
isakmp key caFL-MI address 65.***.***.127 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup PIX501 address-pool VPN
vpngroup PIX501 dns-server 192.168.17.60
vpngroup PIX501 wins-server 192.168.17.60
vpngroup PIX501 split-tunnel user2site
vpngroup PIX501 idle-time 1800
vpngroup PIX501 password ********
telnet 192.168.17.0 255.255.255.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
terminal width 80
01-05-2005 05:43 PM
Use the same crypto map name for both and it will work.
sincerely
Patrick
01-05-2005 08:31 PM
01-06-2005 08:46 AM
Patrick,
Thank you for your help. I think it's really close now. I'm merged your recommendations with my configuration. PIX takes everything without any problems. For some reason I'm unable to connect from my Cisco VPN client now. The reason from the log is "reason = DEL_REASON_IKE_NEG_FAILED."
See config below:
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ******** encrypted
passwd ******** encrypted
hostname CA-PIX
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list acl_in permit icmp any any
access-list VPN permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list VPN permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list user2site permit ip 192.168.17.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list site2site permit ip 192.168.17.0 255.255.255.0 192.168.18.0 255.255.255.0
pager lines 24
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 68.***.***.52 255.255.255.248
ip address inside 192.168.17.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 172.16.1.1-172.16.1.100
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 64.***.***.35 192.168.17.60 netmask 255.255.255.255 0 0
static (inside,outside) 64.***.***.36 192.168.17.61 netmask 255.255.255.255 0 0
access-group acl_in in interface outside
route outside 0.0.0.0 0.0.0.0 64.136.239.33 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set CAtransform esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 20 match address user2site
crypto dynamic-map dynmap 20 set transform-set CAtransform
crypto map VPN 20 ipsec-isakmp dynamic dynmap
crypto map VPN interface outside
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address site2site
crypto map VPN 10 set peer 65.***.***.127
crypto map VPN 10 set transform-set CAtransform
isakmp enable outside
isakmp key ******** address 65.***.***.127 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup PIX501 address-pool VPN
vpngroup PIX501 dns-server 192.168.17.60
vpngroup PIX501 wins-server 192.168.17.60
vpngroup PIX501 split-tunnel user2site
vpngroup PIX501 idle-time 1800
vpngroup PIX501 password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
terminal width 80
I've tried using using crypto map VPN 65535... as in your example also.
01-06-2005 10:41 AM
Add:
crypto map VPN 65535 ipsec-isakmp dynamic dynmap
crypto map VPN client authentication LOCAL
Add a local username and password for the authentication:
username vpnclient password vpnclient-password
You may have to reset the Security Assiciation with:
conf t
clear isakmp sa
clear ipsec sa
Take care that resets also the VPN site 2 Site !!!!
Not a good idea in production time.
sincerely
Patrick
01-06-2005 12:38 PM
Thanks again. That didn't seem to make a difference. It does cause a username and password prompt to appear from the VPN client but still disconnects. See log file below:
236 15:33:48.228 01/06/05 Sev=Info/4 CM/0x63100002
Begin connection process
237 15:33:48.238 01/06/05 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
238 15:33:48.238 01/06/05 Sev=Info/4 CM/0x63100024
Attempt connection with server "68.***.***.52"
239 15:33:48.268 01/06/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 68.***.***.52
240 15:33:48.308 01/06/05 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
241 15:33:48.308 01/06/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
242 15:33:48.619 01/06/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Xauth), VID(dpd), VID(Unity), VID(?), KE, ID, NON, VID(?), VID(Nat-T), NAT-D, NAT-D, HASH) from 68.***.***.52
243 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 68.***.***.52
244 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000082
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
245 15:33:48.629 01/06/05 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
246 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 68.***.***.52
247 15:33:48.629 01/06/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 68.***.***.52
248 15:33:48.629 01/06/05 Sev=Info/4 CM/0x63100015
Launch xAuth application
249 15:33:51.283 01/06/05 Sev=Info/4 CM/0x63100017
xAuth application returned
250 15:33:51.283 01/06/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 68.***.***.52
251 15:33:51.283 01/06/05 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 68.***.***.52
252 15:33:51.283 01/06/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 68.***.***.52
253 15:33:51.293 01/06/05 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=D6A443ED34B09EC5 R_Cookie=8D058AAA56DE67DF) reason = DEL_REASON_WE_FAILED_AUTH
254 15:33:51.293 01/06/05 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 68.***.***.52
255 15:33:51.844 01/06/05 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=D6A443ED34B09EC5 R_Cookie=8D058AAA56DE67DF) reason = DEL_REASON_WE_FAILED_AUTH
256 15:33:51.844 01/06/05 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "68.***.***.52" because of "DEL_REASON_WE_FAILED_AUTH"
257 15:33:51.864 01/06/05 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
258 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
259 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
260 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
261 15:33:52.344 01/06/05 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
01-06-2005 01:18 PM
A login promt appears that means that the policy negotiation was ok and the first preshared key was accepted.
Looks like authentication your local user authentication failed ! Try to add again a new VPN client profile, reenter the VPN Preshared key
from your VPN group and use the username and password that you defined localy on the PIX.
I suggest you to use the debug commands on the PIX if possible as this gives a much more usefull output.
But take care because this gives a lof of output on the PIX console but that should not crash the PIX !
debug isakmp sa
debug ipsec sa
sincerely
Patrick
01-06-2005 05:44 PM
Your config looks good the only thing that is not correct is the Split Tunnel Access-list.
access-list SplitTunnelACL permit ip vpnpool-net 255.255.255.0 any
vpngroup VPNGroup split-tunnel SplitTunnelACL
I personaly have no example for AES with sha and I never have tryed that is use usually 3DES, Md5 with DH Group 2.
sincerely
Patrick
01-13-2005 07:47 AM
looking at your initial configuration , you have to cryptomaps names, but you only have one crypto apply
to the interfcace , you need to use the same crytpo only with different policies
crypto ipsec transform-set CAtransform esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set CAtransform
crypto map user2site 10 ipsec-isakmp dynamic dynmap
crypto map user2site interface outside
crypto map toMiami 20 ipsec-isakmp
crypto map toMiami 20 match address site2site
crypto map toMiami 20 set peer 65.***.***.127
crypto map toMiami 20 set transform-set CAtransform
this crypto is not apply to the interface
you need something like this
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
!--- Use the crypto-map sequence 10 command for PIX to PIX.
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 209.165.202.129
crypto map mymap 10 set transform-set myset
!--- Use the crypto-map sequence 20 command for PIX to VPN Client.
crypto map mymap 20 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication mytacacs
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 209.165.202.129 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
!--- ISAKMP policy for VPN Client running 3.x code needs to be DH group 2.
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- IPSec group configuration for VPN Client.
vpngroup vpn3000 address-pool mypool
vpngroup vpn3000 dns-server 10.48.66.129
vpngroup vpn3000 wins-server 10.48.66.129
vpngroup vpn3000 default-domain cisco.com
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
hope this helps
more info at
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide