Help with understanding Transform Sets and Crypto Maps... (PIX/ASA)

Discussion in 'Cisco' started by scooter133@gmail.com, Dec 4, 2008.

  1. Guest

    Over the years, with my lack of true understanding, I've added stuff
    to the PIX that I'm real unclear about. Now I need to add more, and
    before I just throw in the kitchen sink I'd like to understand more of
    what these things really are.


    In a nutshell, I have 6 types of clients that I want to support.
    L2L VPN, Preshared keys, PIX 515 to PIX 515 (Static IP on both ends)
    VPN, Preshared keys, PIX 515 (Static IP) to PIX 506 (Dynamic IP)
    VPN, Preshared keys, PIX 515 (Static IP) to 1700 series router (Dynamic IP)
    VPN, Certificate Auth, Cisco VPN Client v4.x & v5.x

    VPN, Preshared Keys/User Auth, L2TP, Vista x64 Client
    VPN, Preshared Keys/User Auth, L2TP, iPhone Client

    So the first 4 are working, the last 2 are not. I'm getting the "All
    IPSec SA proposals found unacceptable" error, which all points to the
    transforms and maps.

    I'm not sure why you just can't enable everything in one set, or in
    many sets, and then apply the many sets to one map. I really do not
    understand the maps and how they relate to groups and tunnel policies.

    For what it's worth, here is a list of the transforms and maps.

    crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
    crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
    crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
    crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set scooter133_set esp-des esp-md5-hmac
    crypto ipsec transform-set scooter133_set2 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
    crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
    crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
    crypto dynamic-map olivet 1 set transform-set olivet-set
    crypto dynamic-map olivet 1 set security-association lifetime seconds 3600
    crypto dynamic-map olivet 1 set security-association lifetime kilobytes 4608000
    crypto dynamic-map vpn-des 2 set transform-set vpn-des-set
    crypto dynamic-map vpn-des 2 set security-association lifetime seconds 3600
    crypto dynamic-map vpn-des 2 set security-association lifetime kilobytes 4608000
    crypto dynamic-map scooter133 11 set transform-set scooter133_set scooter133_set2
    crypto dynamic-map scooter133 11 set security-association lifetime seconds 28800
    crypto dynamic-map scooter133 11 set security-association lifetime kilobytes 4608000
    crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
    crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
    crypto map olivet-dyn-map 20 match address outside-HBG_cryptomap_20
    crypto map olivet-dyn-map 20 set peer <remote IP Address>
    crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
    crypto map olivet-dyn-map 20 set security-association lifetime seconds 28800
    crypto map olivet-dyn-map 20 set security-association lifetime kilobytes 4608000
    crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
    crypto map olivet-dyn-map interface outside-HBG


    Any insight would be appreciated.

    Thanks!
     
    , Dec 4, 2008
    #1
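
An added example, not part of the original post: a short Python audit that follows the chain transform-set -> dynamic-map -> crypto map -> interface, reports which transform sets are reachable from a crypto map applied to an interface, which are never reached, and which of the reachable ones use single DES or HMAC-MD5. The `CONFIG` text is an excerpt of the listing above (the scooter133, lifetime, peer and match lines are left out), so the result describes only those lines; `audit` and `LEGACY` are names chosen for this example.

```python
from collections import defaultdict

# Excerpt of the listing in the post above; lines not needed for the trace are omitted.
CONFIG = """\
crypto ipsec transform-set vpnclient_set2 esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclient_set esp-des esp-md5-hmac
crypto ipsec transform-set vpn-des-set esp-des esp-md5-hmac
crypto ipsec transform-set olivet-set esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set vpnclient_set vpnclient_set2
crypto dynamic-map olivet 1 set transform-set olivet-set
crypto dynamic-map vpn-des 2 set transform-set vpn-des-set
crypto map my_cry_map 999 ipsec-isakmp dynamic dynmap
crypto map vpn-des-dyn-map 21 ipsec-isakmp dynamic vpn-des
crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
crypto map olivet-dyn-map interface outside-HBG
"""

LEGACY = {"esp-des", "esp-md5-hmac"}  # single DES and HMAC-MD5

def audit(config):
    """Return (sets reachable per interface, sets never reached, reachable legacy sets)."""
    tsets, bound = {}, {}
    dyn_ts, map_ts, map_dyn = (defaultdict(set) for _ in range(3))
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = w[4:]                      # name -> list of transforms
        elif w[:2] == ["crypto", "dynamic-map"] and w[4:6] == ["set", "transform-set"]:
            dyn_ts[w[2]].update(w[6:])               # dynamic map -> transform sets
        elif w[:2] == ["crypto", "map"] and len(w) > 4:
            if w[3] == "interface":
                bound[w[4]] = w[2]                   # interface -> crypto map
            elif w[4:6] == ["set", "transform-set"]:
                map_ts[w[2]].update(w[6:])           # static entry -> transform sets
            elif w[4:6] == ["ipsec-isakmp", "dynamic"]:
                map_dyn[w[2]].add(w[6])              # entry that pulls in a dynamic map
    offered = {}
    for iface, cmap in bound.items():
        names = map_ts[cmap] | {n for d in map_dyn[cmap] for n in dyn_ts[d]}
        offered[iface] = sorted(names)
    used = {n for names in offered.values() for n in names}
    unused = sorted(set(tsets) - used)
    legacy = sorted(n for n in used if LEGACY & set(tsets.get(n, [])))
    return offered, unused, legacy

if __name__ == "__main__":
    print(audit(CONFIG))
```
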