03-21-2003 05:29 AM - edited 02-21-2020 12:25 PM
Hi all,
I have had this strange VPN problem for a while and can't figure out what's wrong with the config. What we are trying to do is to get 2 PIX-to-Contivity connections working and also an IPSec VPN connection with RADIUS authentication. All of these work separately just fine, but when I try to add them all to the config only one of them works and the others don't connect or even try to.
Here is the config, IPs changed and some static and access-list entries left out, but as said all of them do work separately just fine.
Any help would be greatly appreciated.
nat (inside) 0 access-list 101
sysopt connection permit-ipsec
access-list 101 permit ip 192.168.20.0 ....
access-list 101 permit ip 192.168.30.0 .....
access-list contivity permit ip ......
access-list contivity2 permit ip ......
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 30 set transform-set myset
crypto map IPSEC_map 10 ipsec-isakmp
crypto map IPSEC_map 10 match address contivity
crypto map IPSEC_map 10 set peer 192.168.0.1
crypto map IPSEC_map 10 set transform-set myset
crypto map IPSEC_map 15 ipsec-isakmp
crypto map IPSEC_map 15 match address contivity2
crypto map IPSEC_map 15 set peer 192.168.4.1
crypto map IPSEC_map 15 set transform-set myset
crypto map IPSEC_map 20 ipsec-isakmp dynamic DYNOMAP
crypto map IPSEC_map client configuration address initiate
crypto map IPSEC_map client configuration address respond
crypto map IPSEC_map client authentication RADIUS
crypto map IPSEC_map interface outside
isakmp enable outside
isakmp key ******** address 192.168.0.1 netmask 255.255.255.255
isakmp key ******** address 192.168.4.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup RBIS address-pool pptp-pool
vpngroup RBIS dns-server 192.168.2.1 192.168.3.1
vpngroup RBIS split-tunnel 101
vpngroup RBIS idle-time 1800
vpngroup RBIS password ********
03-21-2003 11:08 AM
Try creating a separate access list for your split-tunnel, rather than using the same one as you use for nat 0.
HTH
03-27-2003 09:54 PM
Tried this and it still works the same way. This thing is driving me insane: the configuration works if there is any single one of them in the configuration, OR if I first set up the PIX-to-Contivity connection and try it so it will establish it, then create the client VPN side. Well, it works for a while but then it just stops working after x minutes.
I did try to create the same VPN using the PDM and the results were the same as with the configuration above (the lines it made were nearly identical except for some access-list namings it made).
The PIX is running version 6.2(2) and PDM is version 2.1(1).
Could it perhaps be the version of PIX that makes it work like this?
03-30-2003 07:54 AM
I agree with the first recommendation even if it's not currently the problem. That is, you should use separate ACLs for NAT 0 and split-tunnel. Anyway....
Have you tried using the [no-xauth] and [no-config-mode] options for your peer-to-peer connections when defining their keys? Maybe the PIX is trying to do user authentication and IP negotiation with your peers when you throw in the dynamic configuration for clients.
Other than that, I don't see any problems. The PIX can support multiple types of connections on a single interface using sequence numbers.
-Shannon
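As an added illustration (not part of the thread or of the poster's config), here is how the relevant lines from the original post would look with both recommendations applied on PIX 6.2: a split-tunnel ACL separate from the nat 0 ACL, and the static LAN-to-LAN peers' pre-shared keys marked no-xauth no-config-mode so that only the dynamic client entry triggers XAUTH and client IP assignment. The ACL name, network addresses and masks are placeholders, since the original post elided them.

```cisco
! Added example, not the original config. Placeholder networks and masks.
!
! Second recommendation: dedicated ACL for split-tunnel, so access-list 101
! remains used only for nat 0 (the original used 101 for both).
access-list split-tunnel-acl permit ip 192.168.20.0 255.255.255.0 <client-pool-net> <mask>
access-list split-tunnel-acl permit ip 192.168.30.0 255.255.255.0 <client-pool-net> <mask>
vpngroup RBIS split-tunnel split-tunnel-acl
!
! First recommendation: the static peers are LAN-to-LAN gateways, not remote
! users. Without these options the PIX expects XAUTH user authentication
! (RADIUS here) and tries to push a client IP configuration to them, because
! "crypto map IPSEC_map client authentication RADIUS" applies to the whole map.
isakmp key ******** address 192.168.0.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 192.168.4.1 netmask 255.255.255.255 no-xauth no-config-mode
!
! Unchanged from the original: the dynamic entry for remote clients still gets
! XAUTH and mode-config through the crypto map client settings.
crypto map IPSEC_map 20 ipsec-isakmp dynamic DYNOMAP
crypto map IPSEC_map client authentication RADIUS
crypto map IPSEC_map client configuration address respond
```

When verifying, "show isakmp sa" and "show crypto ipsec sa" on the PIX should show the two static peers reaching QM_IDLE without any RADIUS request being logged for them.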