Site to Site VPN + Dynamic VPN + XAUTH Catch 22

cschweiter
Level 1

Hi everyone,

I am working on a PIX 515e with 6.3(3)132 installed.  I am having an issue configuring a new site-to-site VPN connection with a dynamic VPN already being in place.

The problem is that the crypto map has xauth specified using the "crypto map client authentication" command. As it is my understanding that it's not possible to assign multiple crypto maps to the same interface, the new site-to-site tunnel that I'm creating also requires xauth because its definition is under the same crypto map, which is a problem because the remote device does not support it.

Is there any way around this issue, or is the only thing we can do to turn off xauth and reconfigure the endpoint on the other end of the dynamic connection?

Thanks in advance

Config snippet:

crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 22 ipsec-isakmp
crypto map mymap 22 match address 122
crypto map mymap 22 set peer x.x.x.x
crypto map mymap 22 set transform-set 3des
crypto map mymap client authentication AuthOutbound
crypto map mymap interface outside

Whereas:

crypto map TUN 22 ipsec-isakmp
crypto map TUN 22 match address 122
crypto map TUN 22 set peer x.x.x.x
crypto map TUN 22 set transform-set 3des
crypto map TUN interface outside

would work, except switching the crypto map interface mapping to TUN would break the dynamic VPN.

Accepted Solution

Hi,

The dynamic crypto map normally requires XAUTH for the VPN clients.

If you want to configure a Site-to-Site tunnel and avoid XAUTH on this tunnel, you can do the following:

crypto isakmp key ######## address x.x.x.x no-xauth

The idea is to disable XAUTH for each specific Site-to-Site peer in this way (the dynamic clients will continue to function with XAUTH).

Federico.

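As an added example (not from the thread, and not Cisco's own tooling), here is a small Python audit that applies Federico's point to a saved PIX config: it lists every static site-to-site peer that sits under a crypto map with "client authentication" but has no "isakmp key ... no-xauth" entry, i.e. peers that will still be prompted for XAUTH. The config text is constructed for the example; the second peer (203.0.113.20) is invented to show a failing case.

```python
import re

# Constructed sample PIX 6.3 config modelled on the thread: XAUTH is enabled
# map-wide, peer .10 has the per-peer no-xauth key from the accepted answer,
# peer .20 (invented for this example) does not.
SAMPLE_CONFIG = """
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255 no-xauth
isakmp key ******** address 203.0.113.20 netmask 255.255.255.255
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 22 ipsec-isakmp
crypto map mymap 22 match address 122
crypto map mymap 22 set peer 203.0.113.10
crypto map mymap 22 set transform-set 3des
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address 130
crypto map mymap 30 set peer 203.0.113.20
crypto map mymap 30 set transform-set 3des
crypto map mymap client authentication AuthOutbound
crypto map mymap interface outside
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
CLIENT_AUTH_RE = re.compile(r"^crypto map (\S+) client authentication \S+$")
# Accepts both the PIX form (isakmp key ...) and the IOS-style prefix used in
# the thread (crypto isakmp key ...); trailing no-xauth / no-config-mode flags.
KEY_RE = re.compile(
    r"^(?:crypto )?isakmp key \S+ address (\S+)(?: netmask \S+)?((?: no-\S+)*)$")


def find_xauth_conflicts(config):
    """Return (map, seq, peer) for every static peer that would be forced
    through XAUTH: its crypto map has client authentication and there is no
    isakmp key for that peer carrying no-xauth."""
    maps_with_xauth, peers, peers_without_xauth = set(), [], set()
    for line in config.splitlines():
        line = line.strip()
        if m := CLIENT_AUTH_RE.match(line):
            maps_with_xauth.add(m.group(1))
        elif m := PEER_RE.match(line):
            peers.append((m.group(1), int(m.group(2)), m.group(3)))
        elif (m := KEY_RE.match(line)) and "no-xauth" in m.group(2).split():
            peers_without_xauth.add(m.group(1))
    return [p for p in peers
            if p[0] in maps_with_xauth and p[2] not in peers_without_xauth]


if __name__ == "__main__":
    for name, seq, peer in find_xauth_conflicts(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: peer {peer} will be asked for XAUTH")
```

Run it against "show running-config" output saved to a file to confirm every static peer has its no-xauth key before cutting the tunnel over.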

3 Replies

Thank you, Federico!

That did the trick.

Glad I could help.


Thank you :-)

Federico.