This configuration uses a gateway-to-gateway IPsec tunnel from the remote PIX to the hub PIX. This tunnel encrypts the traffic from network behind the remote PIX to network behind the hub PIX. The PC on the Internet can form an IPsec tunnel through the hub PIX to network .
In order to use the Xauth feature, you must first set up your basic authentication, authorization, and accounting (AAA) server. Use the crypto map client authentication command to tell the PIX Firewall to use the Xauth (RADIUS/TACACS+ user name and password) challenge during Phase 1 of Internet Key Exchange (IKE) in order to authenticate IKE. If the Xauth fails, the IKE security association is not established. The AAA server name you specify in the crypto map client authentication command statement must be the same name that is specified in the aaa-server command statement. The remote user must run Cisco VPN Client version 3.x or later.
Note: Cisco recommends you use Cisco VPN Client 3.5.x or later. VPN Client 1.1 does not work with this configuration and is out of the scope of this document.
Note: Cisco VPN Client 3.6 and later do not support the transform set of des/sha.
If you need to restore the configuration without Xauth, use the no crypto map client authentication command. The Xauth feature is not enabled by default.
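The two points above (the AAA server name must match between the aaa-server and crypto map client authentication statements, and Xauth is off unless configured) can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the original document; the configuration lines, the names VPNAUTH and hubmap, the address, and the key are constructed sample values, and exact-match comparison of the server name is an assumption.

```python
import re

# Constructed sample PIX configuration (names, address and key are made up).
GOOD_CONFIG = """\
aaa-server VPNAUTH protocol tacacs+
aaa-server VPNAUTH (inside) host 192.0.2.10 ExampleKey timeout 10
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap client authentication VPNAUTH
crypto map hubmap interface outside
"""
# Same config with a mistyped server name in the crypto map statement.
BAD_CONFIG = GOOD_CONFIG.replace("authentication VPNAUTH", "authentication VPNAUHT")
# Same config with the Xauth statement removed (the default state).
NO_XAUTH_CONFIG = GOOD_CONFIG.replace(
    "crypto map hubmap client authentication VPNAUTH\n", "")

AAA_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.I)
XAUTH_RE = re.compile(r"^crypto map\s+(\S+)\s+client authentication\s+(\S+)", re.I)
IFACE_RE = re.compile(r"^crypto map\s+(\S+)\s+interface\s+(\S+)", re.I)

def check_xauth(config):
    """Return {crypto map name: status} for every map applied to an interface."""
    servers, xauth, applied = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := AAA_RE.match(line):
            servers[m.group(1)] = m.group(2).lower()   # tag -> protocol
        elif m := XAUTH_RE.match(line):
            xauth[m.group(1)] = m.group(2)             # map -> referenced tag
        elif m := IFACE_RE.match(line):
            applied.append(m.group(1))
    result = {}
    for name in applied:
        tag = xauth.get(name)
        if tag is None:
            result[name] = "xauth-disabled"
        elif tag not in servers:                       # exact match (assumption)
            result[name] = f"undefined-aaa-server:{tag}"
        elif servers[tag] not in ("radius", "tacacs+"):
            result[name] = f"unsupported-protocol:{servers[tag]}"
        else:
            result[name] = f"ok:{tag}"
    return result

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("typo", BAD_CONFIG),
                       ("no-xauth", NO_XAUTH_CONFIG)):
        print(label, check_xauth(cfg))
```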