11-23-2010 05:19 PM
Hi everyone,
I am working on a PIX 515e with 6.3(3)132 installed. I am having an issue configuring a new site-to-site VPN connection with a dynamic VPN already being in place.
The problem is that the crypto map has xauth specified using the "crypto map client authentication" command. As it is my understanding that it's not possible to assign multiple crypto maps to the same interface, the new site-to-site tunnel that I'm creating also requires xauth because its definition is under the same crypto map, which is a problem because the remote device does not support it.
Is there any way around this issue, or is the only option to turn off xauth and reconfigure the endpoint on the other end of the dynamic connection?
Thanks in advance
Config snippet:
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 22 ipsec-isakmp
crypto map mymap 22 match address 122
crypto map mymap 22 set peer x.x.x.x
crypto map mymap 22 set transform-set 3des
crypto map mymap client authentication AuthOutbound
crypto map mymap interface outside
Whereas:
crypto map TUN 22 ipsec-isakmp
crypto map TUN 22 match address 122
crypto map TUN 22 set peer x.x.x.x
crypto map TUN 22 set transform-set 3des
crypto map TUN interface outside
Would work, except switching the crypto map interface mapping to TUN would break the dynamic VPN.
11-23-2010 05:56 PM
Hi,
The dynamic crypto map normally requires XAUTH for the VPN clients.
If you want to configure a Site-to-Site tunnel and avoid XAUTH on this tunnel, you can do the following:
crypto isakmp key ######## address x.x.x.x no-xauth
The idea is to disable XAUTH for each specific Site-to-Site peer in this way (the dynamic clients will continue to function with XAUTH).
Federico.
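To make the answer concrete, here is an added audit script (not part of the thread and not Cisco's code) that reads a PIX 6.3-style configuration and reports every static site-to-site entry that would still be forced through XAUTH: a crypto map entry with "set peer" whose map carries "client authentication" while the peer's preshared key line lacks the no-xauth keyword. The sample configs are constructed from the question's snippet; 203.0.113.10 and PLACEHOLDER_PSK are placeholders, and the key line uses the PIX 6.3 form "isakmp key ... address ... netmask ... no-xauth no-config-mode" as an assumption about the exact syntax on that platform. Dynamic entries have no "set peer" and are deliberately skipped, so the script only flags the static peers the answer says need no-xauth.

```python
import re

# Constructed sample, modelled on the snippet in the question (not a real
# device dump). 203.0.113.10 and PLACEHOLDER_PSK are placeholders.
CONFIG_BEFORE = """\
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 22 ipsec-isakmp
crypto map mymap 22 match address 122
crypto map mymap 22 set peer 203.0.113.10
crypto map mymap 22 set transform-set 3des
crypto map mymap client authentication AuthOutbound
crypto map mymap interface outside
isakmp key PLACEHOLDER_PSK address 203.0.113.10 netmask 255.255.255.255
"""

# Same config after applying the fix from the answer: the per-peer key line
# carries no-xauth (and no-config-mode, since a site-to-site peer does not do
# mode-config either), so only the dynamic-map VPN clients still get XAUTH.
# The exact keyword placement is assumed PIX 6.3 syntax.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "netmask 255.255.255.255\n",
    "netmask 255.255.255.255 no-xauth no-config-mode\n",
)

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication \S+$")
KEY_RE = re.compile(
    r"^isakmp key \S+ address (\S+)(?: netmask \S+)?((?: no-[a-z-]+)*)$"
)


def audit(config: str):
    """Return (map, seq, peer, reason) for every static crypto map entry that
    would be forced through XAUTH: its map has 'client authentication' and the
    peer's isakmp key is either missing or lacks the no-xauth keyword.
    Dynamic entries ('ipsec-isakmp dynamic ...') carry no 'set peer' and are
    skipped, which is the behaviour wanted: VPN clients keep XAUTH."""
    static_peers = {}   # (map name, sequence) -> peer address
    xauth_maps = set()  # map names that carry 'client authentication'
    key_flags = {}      # peer address -> set of no-* keywords on its key line
    for raw in config.splitlines():
        line = raw.strip()
        if m := PEER_RE.match(line):
            static_peers[(m[1], m[2])] = m[3]
        elif m := XAUTH_RE.match(line):
            xauth_maps.add(m[1])
        elif m := KEY_RE.match(line):
            key_flags[m[1]] = set(m[2].split())

    findings = []
    ordered = sorted(static_peers.items(), key=lambda kv: (kv[0][0], int(kv[0][1])))
    for (name, seq), peer in ordered:
        if name not in xauth_maps:
            continue  # no XAUTH on this map, nothing to exempt
        if peer not in key_flags:
            findings.append((name, seq, peer, "no isakmp key for peer"))
        elif "no-xauth" not in key_flags[peer]:
            findings.append((name, seq, peer, "isakmp key lacks no-xauth"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, audit(cfg) or "clean")
```

Running it prints one finding for the "before" config (map mymap, entry 22, peer 203.0.113.10, key lacks no-xauth) and "clean" for the "after" config; the same check can be pointed at a full "show running-config" capture to confirm that every static peer under an XAUTH-enabled map has been exempted before the remote side reports a failed negotiation.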
11-24-2010 11:07 AM
Thank you, Federico!
That did the trick.
11-24-2010 11:26 AM
Glad I could help.
Thank you :-)
Federico.