PIX VPN: Selecting dynamic crypto maps based on certificate

Discussion in 'Cisco' started by Pondlife, Apr 28, 2008.

  1. Pondlife

    Pondlife Guest

    I am trying to configure a PIX 515e running version 7.0 to support
    both remote access VPN clients and lan-to-lan VPNs. All VPNs must use
    certificate authentication.

    The PIX 515e has a static IP address for its outside interface, but
    all the peers (both remote access clients and lan-to-lan peer
    gateways) have dynamic IP addresses, typically on ADSL connections.

    I think I need multiple dynamic crypto maps - one for each lan-to-lan
    VPN and one for remote access users - but I cannot see how to
    configure the PIX to select the correct crypto map for the lan-2-lan
    VPNs. I would expect to be able to use part of the certificate DN for
    this, like the OU, but I cannot find a way to do this.

    The only reason for requiring multiple dynamic crypto maps is to set
    the local and remote networks for IPsec phase 2. Everything else, like
    pfs, transform set, lifetimes etc., is the same for all the VPN
    connections.

    I can get the remote access VPNs working fine, and I can also get
    lan-2-lan VPNs with static peers working fine (using static crypto
    maps with "set peer a.b.c.d" to select the correct map). However, I
    cannot get dynamic lan-to-lan VPNs working.

    I can select tunnel groups based on the certificate OU, but there does
    not appear to be any way to select a crypto map from a tunnel group,
    or to set the local and remote networks for Phase 2. Likewise for
    group policy.

    Any thoughts? Is this something that just cannot be done with PIX?

    I can upgrade to version 7.1 or 7.2 (or even 8.0) if necessary, but
    there don't seem to be any new VPN features in these versions that
    help with what I need to do.

    Roy
    Pondlife, Apr 28, 2008
    #1
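The layout the post describes, as an added example that is not from the original post or from Cisco documentation: certificate OU selects the tunnel group, while the local and remote networks for each lan-to-lan peer live in the ACL of a separate dynamic-map entry. On the PIX, a dynamic-map entry that carries a "match address" ACL is only chosen for a peer whose proposed phase 2 networks fall inside that ACL, so the entries are selected by the proxy identities rather than by the tunnel group; the entry without an ACL is the catch-all for remote access clients. Trustpoint, map, group, OU and network names are assumptions.

```cisco
! Certificate authentication for every peer (names below are assumptions)
crypto ca trustpoint CORP-CA
 enrollment terminal
crypto ca certificate map CERT-MAP 10
 subject-name attr ou eq SiteA
crypto ca certificate map CERT-MAP 20
 subject-name attr ou eq SiteB
crypto ca certificate map CERT-MAP 30
 subject-name attr ou eq RemoteUsers

! Certificate OU -> tunnel group (the part the post already has working)
tunnel-group-map enable rules
tunnel-group-map CERT-MAP 10 SITE-A
tunnel-group-map CERT-MAP 20 SITE-B
tunnel-group-map CERT-MAP 30 REMOTE-USERS
tunnel-group SITE-A type ipsec-l2l
tunnel-group SITE-A ipsec-attributes
 trust-point CORP-CA
tunnel-group SITE-B type ipsec-l2l
tunnel-group SITE-B ipsec-attributes
 trust-point CORP-CA
tunnel-group REMOTE-USERS type ipsec-ra
tunnel-group REMOTE-USERS ipsec-attributes
 trust-point CORP-CA

! Phase 2 local/remote networks per lan-to-lan site (assumed addresses)
access-list L2L-SITE-A extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list L2L-SITE-B extended permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

! One dynamic-map entry per site; the ACL is what distinguishes them,
! the shared settings (transform set, pfs) are simply repeated
crypto dynamic-map DYN 10 match address L2L-SITE-A
crypto dynamic-map DYN 10 set transform-set AES-SHA
crypto dynamic-map DYN 10 set pfs group2
crypto dynamic-map DYN 20 match address L2L-SITE-B
crypto dynamic-map DYN 20 set transform-set AES-SHA
crypto dynamic-map DYN 20 set pfs group2
! Remote access entry: no ACL, highest sequence so it is tried last
crypto dynamic-map DYN 100 set transform-set AES-SHA
crypto dynamic-map DYN 100 set pfs group2

crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
```

Because entries are tried in sequence order, the remote networks of the two site ACLs must not overlap, otherwise the lower-numbered entry wins for both peers.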
