Building VPNs: static/dynamic, IOS/PIX/Cisco VPN Client, all at the same time

Discussion in 'Cisco' started by hk, Nov 25, 2003.


    I have the following problem. I have two IOS routers (1721s with 12.2(?)),
    each with a static IP address. These two are statically interconnected
    by IPSec, ISAKMP and preshared keys.

    Next there is a PIX (501 with PIXOS 6.2) that dials into the internet
    (DSL) and thus has a dynamic IP address. This PIX is connected to both
    IOS routers by IPSec, ISAKMP and preshared keys. For this to work, the
    routers have dynamic crypto maps and the statement "crypto isakmp key
    sEcReT address". There is no AAA server (neither RADIUS nor TACACS+)
    in the internetwork.

    Up to now everything works fine, no problem.

    My task now is to connect multiple mobile users with Cisco VPN Clients
    to one of the routers. These VPN Clients require as configuration the
    statement "crypto isakmp client configuration group groupname" and
    the subsequent commands, especially the key for the group, an IP pool,
    an ACL and so on. So far, no problem.

    My problem starts now: how can I tell the router, for my incoming IKE
    negotiation, NOT to take the shared secret for my PIX but the
    groupname/key for the clients? I cannot restrict the address range for
    the PIX key ("crypto isakmp key sEcReT address"), because
    I don't know what the next address will be.

    I tried different possibilities, for example XAuth. Using the
    "no-xauth" statement in conjunction with the key for the other
    IOS router, I could let the VPN Clients connect, but only after
    removing the key for the PIX. As soon as the key is back, the Clients can't connect anymore.

    Trying to use the Easy VPN Remote feature on the PIX, to let it behave
    like a VPN Client, is not working, because the PIX needs to connect to
    two different IOS routers at two different sites. AFAIK the PIX can
    only connect to one site using Easy VPN Remote.

    Has anybody a suggestion on how to go on?

    Does anyone have experience with, for example, the new "crypto isakmp profile",
    where you can use not only IP addresses and hostnames but additionally group
    names and usernames (FQDN) as match criteria? Would this be a
    potential solution?

    Thank you very much for your help.
    hk, Nov 25, 2003

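The configuration below is an added worked example of the ISAKMP-profile approach the poster asks about; it is not part of the original post and not a tested answer from the thread. It assumes an IOS release that supports "crypto isakmp profile" (the feature appeared in the 12.2(15)T train, so the poster's 12.2 mainline image may need an upgrade), a router with the outside interface FastEthernet0, and placeholder names, addresses, pool and ACL numbers. The idea is to move the wildcard pre-shared key for the PIX (and the key for the other IOS router) out of the global "crypto isakmp key ... address 0.0.0.0 0.0.0.0" statement into a keyring that is bound to a profile matching on peer address, while a second profile matches the VPN Clients on their group identity and points them at the group key and XAuth. Because the wildcard key is then only consulted for peers that match the address-based profile, it should no longer be picked up for the clients' aggressive-mode group negotiation. The global "crypto isakmp key" statements must be removed for this to take effect, and the behaviour should be confirmed with "show crypto isakmp sa" and "debug crypto isakmp" on the target release.

```cisco
! Added example, not the poster's configuration. Assumes 12.2(15)T or later.
! Names, addresses, pool and ACL numbers are placeholders.
!
! Local AAA so the VPN Client group and XAuth users can be authenticated
! without RADIUS/TACACS+. "aaa new-model" also changes console/vty login,
! so define a default method list and a local user before enabling it.
aaa new-model
aaa authentication login default local
aaa authentication login VPNCLIENT-AUTH local
aaa authorization network VPNCLIENT-GROUP local
username admin privilege 15 secret AdMiNpAsS
username mobile1 secret ClIeNtPaSs
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Group definition for the Cisco VPN Client users (same commands the poster
! already uses): group key, address pool and split-tunnel ACL.
crypto isakmp client configuration group mobile
 key GrOuPkEy
 pool VPNCLIENT-POOL
 acl 150
!
! Pre-shared keys for peers that identify by IP address. The specific entry
! for the other IOS router comes first; the 0.0.0.0 0.0.0.0 entry covers the
! PIX on whatever address its DSL dial-up gets. These replace the global
! "crypto isakmp key ... address" statements, which must be removed.
crypto keyring SITE-KEYS
 pre-shared-key address 192.0.2.2 255.255.255.255 key OtHeRsEcReT
 pre-shared-key address 0.0.0.0 0.0.0.0 key sEcReT
!
! Profile for main-mode peers (the second router and the PIX): any peer
! that identifies by address uses the SITE-KEYS keyring.
crypto isakmp profile SITE-PROFILE
 keyring SITE-KEYS
 match identity address 0.0.0.0 0.0.0.0
!
! Profile for the VPN Clients: they present the group name as their IKE
! identity in aggressive mode, so they never match the address profile
! above. XAuth and mode-config are enabled only here.
crypto isakmp profile VPNCLIENT-PROFILE
 match identity group mobile
 client authentication list VPNCLIENT-AUTH
 isakmp authorization list VPNCLIENT-GROUP
 client configuration address respond
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! One dynamic map per profile, so each class of peer lands on the right one.
crypto dynamic-map DYN-SITE 10
 set transform-set TS
 set isakmp-profile SITE-PROFILE
!
crypto dynamic-map DYN-CLIENTS 10
 set transform-set TS
 set isakmp-profile VPNCLIENT-PROFILE
!
! Static entry for the other IOS router first, dynamic entries last
! (dynamic entries are always evaluated after the static ones).
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 set isakmp-profile SITE-PROFILE
 match address 101
crypto map OUTSIDE-MAP 20 ipsec-isakmp dynamic DYN-SITE
crypto map OUTSIDE-MAP 30 ipsec-isakmp dynamic DYN-CLIENTS
!
ip local pool VPNCLIENT-POOL 10.10.10.1 10.10.10.50
! Traffic to the other router's LAN (placeholder prefixes)
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! Networks pushed to the VPN Clients for split tunneling
access-list 150 permit ip 10.1.0.0 0.0.255.255 10.10.10.0 0.0.0.255
!
interface FastEthernet0
 crypto map OUTSIDE-MAP
```

The order of the "match identity" checks across profiles is release dependent, so after loading this it is worth bringing up one peer of each kind and checking "show crypto isakmp sa detail" (or "debug crypto isakmp") to confirm that the PIX lands on SITE-PROFILE and a VPN Client on VPNCLIENT-PROFILE before relying on it. Keeping the 0.0.0.0 0.0.0.0 key means any host that knows sEcReT can complete phase 1 with this router, which is the same exposure the poster's current wildcard "crypto isakmp key" already carries; a certificate-based identity for the PIX would remove it.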