[vpn] Authenticating VPN Client 3.0 to PIX (sans TACACS+, sans Radius, sans CA)
Keith Pachulski
Keith.Pachulski at corp.ptd.net
Fri Feb 15 15:16:53 EST 2002
Quick step by step... don't shoot me if I goofed somewhere...
Configuring the PIX to terminate IPSEC Connections from the Cisco VPN Client v3.x
1. Permit the PIX to accept IPSEC connections
sysopt connection permit-ipsec
2. Enable ISAKMP on the outside PIX interface
isakmp enable outside
3. Allow ISAKMP to identify a remote host by its address
isakmp identity address
4. Specify the address pool to assign IP Addresses to for VPN connections
isakmp client configuration address-pool local <address-pool> outside
5. Specify pre-share authentication for VPN sessions
isakmp policy 10 authentication pre-share
6. Specify 3DES for Key Exchange
isakmp policy 10 encryption 3des
7. Specify MD5 as the hash algorithm for Key Exchange
isakmp policy 10 hash md5
8. Specify Diffie-Hellman Group 2 for Key Exchange
isakmp policy 10 group 2
9. Set the Key Lifetime
isakmp policy 10 lifetime 86400
10. Create the transform set to specify how traffic is to be encrypted
crypto ipsec transform-set <transform-name> esp-3des esp-md5-hmac
11. Create the dynamic crypto map to be used for terminating connections
crypto dynamic-map <dynmap-name> 10 set transform-set <transform-name>
12. Create the ipsec-isakmp crypto map referencing the dynamic map
crypto map <map name> 10 ipsec-isakmp dynamic <dynmap-name>
13. Define which crypto map should attempt to configure the clients
crypto map <map name> client configuration address initiate
crypto map <map name> client configuration address respond
14. Set the interface to accept IPSEC connections
crypto map <map name> interface outside
#NOTE: For each individual user, a new profile must be created. The following 6 steps must be repeated for each user, or there can be one single logon for all users with a group logon. Don't blame me, this is Cisco's lame design.
1. Specify the address-pool to use for VPN connections
vpngroup vpnusers address-pool <address-pool>
2. Set the DNS servers for the client
vpngroup vpnusers dns-server <dns_ip_address>
3. (Optional) Set the WINS server for the client
vpngroup vpnusers wins-server <wins_ip_address>
4. Set the default domain name for VPN connections
vpngroup vpnusers default-domain <domain_name>
5. (Optional) Enable split tunneling if users wish to access the Internet directly while connected to the VPN Network
vpngroup vpnusers split-tunnel 101
6. Set the username and password for the user/group
vpngroup vpnusers password ********
7. Create the IP Pool used for VPN users
ip local pool <pool name> <address-range>
8. Create the Access-list to permit the VPN users to access the internal network
access-list 101 permit ip <vpn pool> <internal network pool>
9. Create the conduit to permit ICMP traffic from VPN users to the internal network
conduit permit icmp <vpn pool> <internal network pool>
10. Apply the access-list to the internal interface
nat (inside) 0 access-list 101
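Assembled end to end, as an added example that is not part of the original post: the steps above as one PIX 6.x configuration with constructed sample values. The inside network 10.1.1.0/24, the pool 10.1.2.0/24, the DNS/WINS addresses, the domain name and the names vpnpool, vpnset, dynmap and vpnmap are all assumptions. Two ordering points are worth checking in any real deployment: the pool and access-list are created before the vpngroup lines that reference them, and the access-list and conduit list the internal network first, because `nat (inside) 0` and `split-tunnel` match on inside-sourced traffic and `conduit` takes the global (internal) address before the foreign (VPN pool) address.

```text
! Added example, not from the original post: the steps above as one PIX 6.x config.
! Assumed values: outside interface "outside", inside network 10.1.1.0/24,
! VPN address pool 10.1.2.1-10.1.2.254 named "vpnpool", group name "vpnusers".

! --- IKE phase 1 (ISAKMP) ---
sysopt connection permit-ipsec
isakmp enable outside
isakmp identity address
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- IKE phase 2 (IPsec) ---
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client configuration address initiate
crypto map vpnmap client configuration address respond
crypto map vpnmap interface outside

! --- Pool, access-list and NAT exemption (defined before vpngroup references them) ---
ip local pool vpnpool 10.1.2.1-10.1.2.254
! Inside network is the source: nat 0 and split-tunnel both evaluate inside-sourced traffic.
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list 101
! conduit syntax is global (internal) address first, then foreign (VPN pool) address.
conduit permit icmp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0

! --- Group profile pushed to the VPN client (one profile shared by all users) ---
vpngroup vpnusers address-pool vpnpool
vpngroup vpnusers dns-server 10.1.1.10
vpngroup vpnusers wins-server 10.1.1.11
vpngroup vpnusers default-domain example.local
vpngroup vpnusers split-tunnel 101
vpngroup vpnusers password <group-pre-shared-key>
```

With `sysopt connection permit-ipsec` in place, decrypted IPsec traffic already bypasses conduit and access-list checks, so the conduit line only has an effect if that sysopt is later removed. The 3DES/MD5/group 2 parameters are the 2002-era choices the post documents; the vpngroup password acts as the pre-shared key for every client in the group, so it is the one secret in this design to protect and rotate.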
VPN is sponsored by SecurityFocus.com