Cisco PIX IPsec VPNs

Soldato | Joined 18 Oct 2002 | Posts 5,824 | Location Liverpool :-)
Hi Guys,

I'm hoping someone can give me a quick hand on this. We've got a simple PPTP VPN working at the moment and want to upgrade to IPsec. I've had a look around at guides, other people's configurations etc. and I've cobbled this lot together. Reckon this would work?

: Referenced below but not shown in this post: "access-list test" (the
: dynamic-map match ACL) and "ip local pool remoteippool" (the client pool).
sysopt connection permit-ipsec
sysopt connection permit-l2tp

: Phase 2: transport mode, because L2TP is the tunnel and IPsec only wraps UDP 1701
crypto ipsec transform-set test esp-des esp-md5-hmac
crypto ipsec transform-set test mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 20 match address test
crypto dynamic-map dyna 20 set transform-set test
crypto map mymap 10 ipsec-isakmp dynamic dyna
: XAUTH is turned on for the map here but skipped for the wildcard key (no-xauth)
crypto map mymap client authentication LOCAL
crypto map mymap interface outside

: Phase 1: one pre-shared key for any peer address (clients have dynamic IPs)
isakmp enable outside
isakmp key <enter key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 3600

: L2TP/PPP side: pool, DNS and user credentials are handed out over PPP
vpdn group test accept dialin l2tp
vpdn group test ppp authentication chap
vpdn group test ppp authentication mschap
: "address local <pool>" is the PIX 6.x syntax; the pool keyword was missing
vpdn group test client configuration address local remoteippool
vpdn group test client configuration dns <your DNS Server IP>
vpdn group test client authentication local
vpdn username Test1 password <password>
vpdn enable outside

With this command, I take it the key needs to match the key entered on the VPN software at the client? What needs to be in the address field?

isakmp key <enter key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

Any help with this will be really appreciated
 
Thanks for the link oddjob, it looks like I'm not too far off a working configuration. I won't be using the Cisco VPN client, I'll be using the Windows one. Would that be a problem, as it supports IPsec?

It also looks like I won't need this command:

isakmp key <enter key> address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

and can use the vpngroup password
 
That's weird, I've put the code as shown in the Cisco document you posted but it's now asking for a certificate?
 
That's what I thought, I've still got the PPTP VPN code in there and that's still working.

Could it be down to the encryption it's using? AES and SHA instead of DES and MD5?
 
As soon as you try and connect to the IP:

Error 781: the connection requires a certificate, and no valid certificate was found, etc.
 
I used the "vpngroup groupmarketing password ********" command as shown in the documentation. Is that the pre-shared key, and then you also need a username/password to log on with?

Confused as anything :)
 
I've used the *** password as the pre-shared key part in the Windows XP client and then used (in the example) groupmarketing as the username and ** as the password.

Should that work? It doesn't seem to be connecting yet.
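Editor's note with an added example (not the original poster's config, and not the Cisco document he refers to). The thread keeps circling the same two points: which key goes where, and why the Windows client suddenly wants a certificate. On PIX 6.x these are two different IKE set-ups. "vpngroup <name> password <key>" is the group pre-shared key for the Cisco VPN Client, which runs IKE aggressive mode and sends the group name as its identity. The built-in Windows 2000/XP L2TP/IPsec client runs IKE main mode and identifies itself by IP address, so it is matched by the wildcard "isakmp key ... address 0.0.0.0 netmask 0.0.0.0" line instead, and it authenticates with a machine certificate unless a pre-shared key has been entered on that particular connection (Security > IPSec Settings). The server side for that client looks like the block below; the outside address, pool, DNS server, key, group name and credentials are all made-up values.

```cisco
: Assumed values (editorial example): client pool 192.168.50.1-192.168.50.50,
: internal DNS 192.168.1.10, pre-shared key MyPSKHere, L2TP user Test1.
: Let IPsec and L2TP sessions through without an explicit outside ACL
sysopt connection permit-ipsec
sysopt connection permit-l2tp

: Addresses handed to L2TP clients over PPP (IPCP), not via IKE mode-config
ip local pool remoteippool 192.168.50.1-192.168.50.50

: Phase 2. Transport mode: L2TP is the tunnel, IPsec only protects UDP 1701,
: so the dynamic map needs no match ACL. 3DES/SHA is in the Windows proposal list.
crypto ipsec transform-set l2tpset esp-3des esp-sha-hmac
crypto ipsec transform-set l2tpset mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 20 set transform-set l2tpset
crypto map mymap 10 ipsec-isakmp dynamic dyna
crypto map mymap interface outside

: Phase 1. A single wildcard key because client addresses are not known ahead
: of time. This string is what goes into the XP connection's
: Security > IPSec Settings > "Use pre-shared key for authentication" box.
: no-xauth / no-config-mode: the Windows client speaks neither Cisco XAUTH nor
: mode-config; its user login and address come over PPP from the vpdn group.
isakmp enable outside
isakmp key MyPSKHere address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

: L2TP/PPP. This username/password is what the user types into the dial-in
: box; it is unrelated to the pre-shared key above.
vpdn group l2tpgrp accept dialin l2tp
vpdn group l2tpgrp ppp authentication mschap
vpdn group l2tpgrp client configuration address local remoteippool
vpdn group l2tpgrp client configuration dns 192.168.1.10
vpdn group l2tpgrp client authentication local
vpdn username Test1 password Test1Password
vpdn enable outside
```

Three things have to line up: the isakmp key string with the pre-shared key typed into the XP connection's IPSec settings; the vpdn username/password with the credentials typed into the dial-in box; and the IKE/IPsec proposals with what Windows offers (3DES/SHA/group 2 here; XP also offers DES/MD5 with group 1 as in the first post, so that combination by itself is not what triggers the certificate prompt). There is no vpngroup line at all, because this client never sends a group name. If the client sits behind NAT, XP SP2 additionally needs the DWORD AssumeUDPEncapsulationContextOnSendRule=2 under HKLM\SYSTEM\CurrentControlSet\Services\IPSec before it will negotiate NAT-T with the "isakmp nat-traversal" line above.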
 