VPN using PIX and VPN Clients ver 1.1 and ver 3.0

daide
Level 1

I have a VPN using a "PIX to PIX" and "PIX to VPN Clients". I am able to get "PIX to PIX" working along with ver 1.1 of the client but not version 3. I can get version 3 and version 1 working together by swapping around the order of the crypto map statements but then the "PIX to PIX" connection won't come up. Has anybody implemented a VPN with PIX and both clients?

4 Replies

pdentico
Level 1

Yes I am doing it now. All I had to do to get Version 3.x working was to add the vpngroup statements. Here is the template I use for PIX to PIX and Client to PIX:

access-list 80 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 80 permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list 101 permit ip 192.168.3.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list 80
ip local pool vpnpool 192.168.200.1-192.168.200.254
sysopt connection permit-ipsec
crypto ipsec transform-set vpn3-set esp-3des esp-md5-hmac
crypto dynamic-map remote 20 set transform-set vpn3-set
crypto map vpn-map 18 ipsec-isakmp dynamic remote
crypto map vpn-map 20 ipsec-isakmp
crypto map vpn-map 20 match address 101
crypto map vpn-map 20 set peer xxx.xxx.xxx.xxx
crypto map vpn-map 20 set transform-set vpn3-set
crypto map vpn-map client configuration address initiate
crypto map vpn-map interface outside
isakmp enable outside
isakmp identity hostname
isakmp client configuration address-pool local vpnpool outside
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400

*******

These are the commands I added for Win2K support on client version 3.x:

*******

vpngroup NY address-pool vpnpool
vpngroup NY dns-server 10.1.1.4
vpngroup NY default-domain whatever.com
vpngroup NY split-tunnel 80
vpngroup NY idle-time 1800

I hope this helps you. I got most of this from the config examples on this site.

Pete

Thanks for the response Pete. It seems the trouble we're having stems from the fact that we're using 56-bit DES rather than 3DES. The VPN Client 3.0 supposedly supports 56-bit DES but in actual fact although the VPN tunnel is established the return packets are not being decrypted resulting in a high number of dumped packets. One workaround I guess is to move to 3DES although this seems like overkill.
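The two issues raised so far, the order of static and dynamic crypto map entries and the use of single DES, can both be caught by reading the configuration before it goes on the box. The script below is an added example and is not code from this thread, from Pete, or from Cisco. It uses its own small regex parser (an assumption: it understands only the command forms shown in the thread), applies the documented Cisco guidance that dynamic crypto map entries should carry the highest sequence numbers so a static entry for a known PIX peer is always evaluated first, and flags esp-des transform-sets and isakmp policies using `encryption des`. Both sample configurations and the 203.0.113.10 peer address are constructed for the example.

```python
"""Added example: lint a Cisco PIX 6.x crypto config for two of the problems
discussed in the thread (crypto map ordering and single DES).  Not from the
thread or from Cisco; the sample configs below are constructed."""
import re

# Constructed sample mirroring the thread's template: the dynamic entry at
# sequence 18 is evaluated before the static peer entry at 20, and the
# transform-set and IKE policy both use 56-bit DES.
SAMPLE_CONFIG = """\
crypto ipsec transform-set des-set esp-des esp-md5-hmac
crypto dynamic-map remote 20 set transform-set des-set
crypto map vpn-map 18 ipsec-isakmp dynamic remote
crypto map vpn-map 20 ipsec-isakmp
crypto map vpn-map 20 set peer 203.0.113.10
crypto map vpn-map 20 set transform-set des-set
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
"""

# Same layout corrected: static peer entry first, dynamic entry last, 3DES.
FIXED_CONFIG = """\
crypto ipsec transform-set vpn3-set esp-3des esp-sha-hmac
crypto dynamic-map remote 20 set transform-set vpn3-set
crypto map vpn-map 20 ipsec-isakmp
crypto map vpn-map 20 set peer 203.0.113.10
crypto map vpn-map 20 set transform-set vpn3-set
crypto map vpn-map 30 ipsec-isakmp dynamic remote
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
"""


def parse(text):
    """Pull transform-set, dynamic-map, crypto map and isakmp policy lines into dicts."""
    cfg = {"maps": {}, "transform_sets": {}, "dynamic_maps": {}, "isakmp": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"^crypto dynamic-map (\S+) (\d+) set transform-set (\S+)$", line)
        if m:
            cfg["dynamic_maps"].setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
            continue
        # "crypto map NAME SEQ ipsec-isakmp [dynamic DYNNAME]" opens a map entry
        m = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line)
        if m:
            entry = cfg["maps"].setdefault(m.group(1), {}).setdefault(int(m.group(2)), {})
            entry["dynamic"] = m.group(3)  # None for a static (peer-based) entry
            continue
        m = re.match(r"^crypto map (\S+) (\d+) set (peer|transform-set) (\S+)$", line)
        if m:
            entry = cfg["maps"].setdefault(m.group(1), {}).setdefault(int(m.group(2)), {})
            entry[m.group(3)] = m.group(4)
            continue
        m = re.match(r"^isakmp policy (\d+) (\S+) (\S+)$", line)
        if m:
            cfg["isakmp"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return cfg


def check_ordering(cfg):
    """Flag static peer entries whose sequence number is above a dynamic entry's."""
    findings = []
    for name, entries in cfg["maps"].items():
        dynamic = [s for s, e in entries.items() if e.get("dynamic")]
        static = [s for s, e in entries.items() if not e.get("dynamic")]
        if not dynamic or not static:
            continue
        first_dynamic = min(dynamic)
        for seq in sorted(static):
            if seq > first_dynamic:
                findings.append(
                    f"crypto map {name}: static entry {seq} (peer {entries[seq].get('peer')}) "
                    f"is evaluated after dynamic entry {first_dynamic}; give the dynamic "
                    f"entry the highest sequence number")
    return findings


def check_des(cfg):
    """Flag single DES in IPsec transform-sets and in ISAKMP (IKE phase 1) policies."""
    findings = []
    for name, transforms in cfg["transform_sets"].items():
        if "esp-des" in transforms:
            findings.append(f"transform-set {name}: single DES (esp-des); use esp-3des or stronger")
    for prio, attrs in sorted(cfg["isakmp"].items()):
        if attrs.get("encryption") == "des":
            findings.append(f"isakmp policy {prio}: encryption des; use 3des or stronger")
    return findings


def lint(text):
    """Return all findings for a config text, ordering problems first."""
    cfg = parse(text)
    return check_ordering(cfg) + check_des(cfg)


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run as-is it reports three findings for the sample (the static entry sitting behind the dynamic one, the esp-des transform-set, and the DES IKE policy) and none for the corrected config. The ordering check only looks at maps that contain both kinds of entry, so a PIX serving clients only, or sites only, is not flagged.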

colegul
Level 1

Also, if you deal with different client versions, make sure you have different policies on PIX. You can have more than you need, it doesn't hurt. See Security Tech Tips for how to configure PIX 6.01 with 2 versions of clients.

daide
Level 1

I got the VPN working with PIX to PIX and PIX to VPN Clients (both versions). During my testing I had used ping to verify connectivity. It seems that using icmp as test traffic caused issues with VPN Client ver 3.0 with traffic not being properly encrypted and decrypted. Once I tested using tcp based traffic I found everything worked as expected.