I'm trying to terminate IPSEC connections from Windows XP SP1 and the
Cisco VPN client 4.0.5 on the same 2610 (12.3.9a) using a wild-card key.
I want to use xauth for the VPN client connections, but not for the
Windows XP ones since they contain L2TP sessions which will be
authenticated later anyway.
I can get either one working individually, but not both at the same
time, since they require different crypto maps. Here's what I've tried:
vpdn-group <>
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 local <>
 no l2tp tunnel authentication
[...]
crypto isakmp key demosaet address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group <>
 key <>
 dns <>
 wins <>
 domain <>
 pool pool_cvpn
[...]
crypto ipsec transform-set winXP esp-des esp-sha-hmac
 mode transport
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto dynamic-map dyn-winXP 10
 set transform-set winXP
 match address 101
crypto dynamic-map dyn-vpnclient 10
 set transform-set vpnclient
 match address 102
crypto map winXP 10 ipsec-isakmp dynamic dyn-winXP
crypto map vpn-client client authentication list userauthen
crypto map vpn-client isakmp authorization list groupauthor
crypto map vpn-client client configuration address respond
crypto map vpn-client 10 ipsec-isakmp dynamic dyn-vpnclient
I've discovered that the win2000 crypto map works great on a loopback
(the vpnclient one doesn't).
Either can be made to work on the ethernet interface, so I had hoped to
do the winXP map on loopback 0, and the vpnclient map on ethernet 0.
However, in this configuration, isakmp insists on doing xauth to Windows
XP, even though it's using the transforms from the correct map.
Has anyone got any ideas on how to get this to work?
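Added example (not the poster's configuration): one way to apply xauth only to the Cisco VPN client peers and not to the Windows L2TP/IPsec peers is to stop hanging the xauth settings on a whole crypto map and instead bind them to ISAKMP profiles. The VPN client identifies itself in aggressive mode by group name, while the Windows L2TP/IPsec client identifies itself in main mode by IP address, so each profile can be matched on that identity; only the profile that carries `client authentication list` triggers xauth. The profile names (`vpnclient-prof`, `l2tp-prof`), the dynamic map name `dyn-all`, the crypto map name `vpnmap` and the interface name are placeholders of mine; the transform sets, list names, pool and wildcard key are taken from the post. Both dynamic map entries sit in a single crypto map on the one interface, so the loopback workaround is not needed.

```cisco
! Wildcard pre-shared key and client group exactly as in the post
crypto isakmp key demosaet address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group <>
 key <>
 pool pool_cvpn
!
! Profile for Cisco VPN client peers: matched on the group name they send,
! and the only place xauth and group authorization are enabled
crypto isakmp profile vpnclient-prof
 match identity group <>
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
! Profile for Windows XP L2TP/IPsec peers: matched on (any) peer address,
! deliberately no client authentication line, so no xauth is attempted
crypto isakmp profile l2tp-prof
 match identity address 0.0.0.0 0.0.0.0
!
! L2TP/IPsec from Windows runs in transport mode; the VPN client uses tunnel mode
crypto ipsec transform-set winXP esp-des esp-sha-hmac
 mode transport
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
!
! One dynamic map with two entries; the ISAKMP profile selects the entry
crypto dynamic-map dyn-all 10
 set isakmp-profile vpnclient-prof
 set transform-set vpnclient
crypto dynamic-map dyn-all 20
 set isakmp-profile l2tp-prof
 set transform-set winXP
!
crypto map vpnmap 10 ipsec-isakmp dynamic dyn-all
!
interface Ethernet0
 crypto map vpnmap
```

The ordering matters: the group-matched profile is listed first so a VPN client peer is never caught by the address-any profile. After a client connects, `show crypto isakmp sa` and `show crypto isakmp profile` show which profile the SA was built under, and `debug crypto isakmp` will show whether an xauth exchange was started for a Windows peer; if it was, that peer was matched by the wrong profile. ISAKMP profiles and `set isakmp-profile` are 12.2(15)T-era features, so confirm they are present on your 12.3 image before relying on this.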