[vpn] Authenticating VPN Client 3.0 to PIX (sans TACACS+, sans Radius, sans CA)

Keith Pachulski Keith.Pachulski at corp.ptd.net
Fri Feb 15 15:16:53 EST 2002


Quick step by step.. don't shoot me if I goofed somewhere...

Configuring the PIX to terminate IPSEC Connections from the Cisco VPN Client v3.x

1.	Let traffic arriving through an IPsec tunnel bypass the interface access-lists and conduits (decrypted packets are permitted without a matching conduit/ACL)
sysopt connection permit-ipsec

2.	Enable ISAKMP on the outside PIX interface
isakmp enable outside

3.	Have the PIX identify itself to ISAKMP peers by its IP address (rather than by hostname)
isakmp identity address

4.	Specify the address pool to assign IP Addresses to for VPN connections
isakmp client configuration address-pool local <address-pool> outside

5.	Specify pre-share authentication for VPN sessions
isakmp policy 10 authentication pre-share

6.	Specify 3DES as the ISAKMP (phase 1) encryption
isakmp policy 10 encryption 3des

7.	Specify MD5 as the ISAKMP (phase 1) hash
isakmp policy 10 hash md5

8.	Specify Diffie-Hellman Group 2 for the key exchange (the VPN Client 3.x requires group 2)
isakmp policy 10 group 2

9.	Set the ISAKMP SA lifetime, in seconds
isakmp policy 10 lifetime 86400

10.	Create the transform set to specify how traffic is to be encrypted
crypto ipsec transform-set <transform-name> esp-3des esp-md5-hmac

11.	Create the dynamic crypto map to be used for terminating connections
crypto dynamic-map <dynmap-name> 10 set transform-set <transform-name>

12.	Create the ipsec-isakmp crypto map referencing the dynamic map
crypto map <map name> 10 ipsec-isakmp dynamic <dynmap-name>

13.	Let this crypto map push an address to the client (initiate) and answer the client's own request for one (respond)
crypto map <map name> client configuration address initiate
crypto map <map name> client configuration address respond

14.	Set the interface to accept IPSEC connections
crypto map <map name> interface outside

#NOTE: Without TACACS+/RADIUS the vpngroup is the only profile there is, so for each individual user a new vpngroup must be created and the following 6 steps repeated for that user, or there can be one single group logon shared by all users. Don't blame me, this is Cisco's lame design.

1.	Specify the address-pool to use for VPN connections
vpngroup vpnusers address-pool <address-pool>

2.	Set the DNS servers for the client
vpngroup vpnusers dns-server <dns_ip_address>

3.	(Optional) Set the WINS server for the client
vpngroup vpnusers wins-server <wins_ip_address>

4.	Set the default domain name pushed to the client
vpngroup vpnusers default-domain <domain_name>

5.	(Optional) Split tunnelling: users reach the Internet directly while connected, and only the networks listed in access-list 101 go through the tunnel (the client's other traffic is unprotected, so enable this deliberately)
vpngroup vpnusers split-tunnel 101

6.	Set the group pre-shared key (entered on the VPN Client as the group password). Without TACACS+/RADIUS this one secret is the entire authentication for every member of the group, so rotate it whenever someone leaves
vpngroup vpnusers password ********

7.	Create the IP Pool used for VPN users
ip local pool <pool name> <address-range>

8.	Create the access-list matching traffic between the internal network and the VPN pool. Source is the internal network and destination is the pool, because the list is evaluated on traffic leaving the inside interface (nat 0) and is reused as the split-tunnel list; masks are required
access-list 101 permit ip <internal network> <mask> <vpn pool> <mask>

9.	Create the conduit permitting ICMP between the internal network (global address, first) and the VPN users (foreign address, second). With sysopt connection permit-ipsec in place tunnelled traffic already bypasses conduits, so this only matters if that sysopt is removed
conduit permit icmp <internal network> <mask> <vpn pool> <mask>

10.	Exempt traffic matching the access-list from NAT on the inside interface, so internal hosts answer VPN clients with their real addresses
nat (inside) 0 access-list 101
