[vpn] Authenticating VPN Client 3.0 to PIX (sans TACACS+, sans Radius, sans CA)
the_martyr at hushmail.com
Fri Feb 15 18:20:31 EST 2002
Keith,
Wow! That's service! You could put the Cisco TAC out of business! :)
I'll try it out right away.
Thanks!
Justin
On Fri, 15 Feb 2002 15:16:53 -0500, Keith Pachulski <Keith.Pachulski at corp.ptd.net> wrote:
>quick step by step..don't shoot me if I goofed somewhere...
>
>Configuring the PIX to terminate IPSEC Connections from the Cisco VPN
>Client v3.x
>
>1. Permit the PIX to accept IPSEC connections
>sysopt connection permit-ipsec
>
>2. Enable ISAKMP on the outside PIX interface
>isakmp enable outside
>
>3. Allow ISAKMP to identify a remote host by its address
>isakmp identity address
>
>4. Specify the address pool to assign IP Addresses to for VPN
>connections
>isakmp client configuration address-pool local <address-pool> outside
>
>5. Specify pre-share authentication for VPN sessions
>isakmp policy 10 authentication pre-share
>
>6. Specify 3DES for Key Exchange
>isakmp policy 10 encryption 3des
>
>7. Specify MD5 for Key Exchange
>isakmp policy 10 hash md5
>
>8. Specify Diffie-Hellman Group 2 for Key Exchange
>isakmp policy 10 group 2
>
>9. Set the Key Lifetime
>isakmp policy 10 lifetime 86400
>
>10. Create the transform set to specify how traffic is to be encrypted
>crypto ipsec transform-set <transform-name> esp-3des esp-md5-hmac
>
>11. Create the dynamic crypto map to be used for terminating connections
>crypto dynamic-map <dynmap-name> 10 set transform-set <transform-name>
>
>12. Create the ipsec-isakmp crypto map referencing the dynamic map
>crypto map <map name> 10 ipsec-isakmp dynamic <dynmap-name>
>
>13. Define which crypto map should attempt to configure the clients
>crypto map <map name> client configuration address initiate
>crypto map <map name> client configuration address respond
>
>14. Set the interface to accept IPSEC connections
>crypto map <map name> interface outside
>
>#NOTE: For each individual user, a new profile must be created. The
>following 6 steps must be repeated for each user, or there can be one
>single logon for all users with a group logon. Don't blame me, this is
>Cisco's lame design.
>
>1. Specify the address-pool to use for VPN connections
>vpngroup vpnusers address-pool <address-pool>
>
>2. Set the DNS servers for the client
>vpngroup vpnusers dns-server <dns_ip_address>
>
>3. (Optional) Set the WINS server for the client
>vpngroup vpnusers wins-server <wins_ip_address>
>
>4. Domain Name for VPN connections
>vpngroup vpnusers default-domain <domain_name>
>
>5. (Optional) If users wish to access the Internet while accessing the
>VPN Network
>vpngroup vpnusers split-tunnel 101
>
>6. Set the username and password for the user/group
>vpngroup vpnusers password ********
>
>7. Create the IP Pool used for VPN users
>ip local pool <pool name> <address-range>
>
>8. Create the Access-list to permit the VPN users to access the internal
>network
>access-list 101 permit ip <vpn pool> <internal network pool>
>
>9. Create the path to permit ICMP traffic from VPN users to access the
>internal network
>conduit permit icmp <vpn pool> <internal network pool>
>
>10. Apply the access-list to the internal interface
>nat (inside) 0 access-list 101
>
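The quoted PIX steps, read back by an added Python auditor that is not part of this thread: it takes a config of the shape above, flags the IKE and ESP settings that are weak by today's standards (DES/3DES, MD5, 1024-bit DH group 2), notes the single shared group password and split tunnelling, and reports missing steps. The sample config and the weak-setting lists are this example's own assumptions, not anything the post recommends.

```python
"""Audit a PIX remote-access IPsec config laid out as in the post above.
Added example, not from the original message; sample config is constructed
and the 'weak' sets below are this auditor's assumptions, not the post's."""
import re

# Constructed sample: the post's steps with placeholder values filled in.
SAMPLE_PIX_CONFIG = """\
sysopt connection permit-ipsec
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto map vpnmap interface outside
vpngroup vpnusers split-tunnel 101
vpngroup vpnusers password hunter2
"""

# Settings considered weak today (DES/3DES, MD5, 1024-bit DH group 2).
WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}

def audit_pix_vpn(config: str) -> list[str]:
    """Return one finding per risky or missing setting, in config order."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for line in lines:
        # IKE phase 1 parameters, keyed by policy number
        m = re.match(r"isakmp policy (\d+) (encryption|hash|group) (\S+)$", line)
        if m and m.group(3) in WEAK_IKE[m.group(2)]:
            findings.append(f"isakmp policy {m.group(1)}: weak {m.group(2)} {m.group(3)}")
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            findings += [f"transform-set {m.group(1)}: weak transform {t}"
                         for t in m.group(2).split() if t in WEAK_ESP]
        # Group password: one secret held by every member of the group
        m = re.match(r"vpngroup (\S+) password ", line)
        if m:
            findings.append(f"vpngroup {m.group(1)}: single group password shared by all members")
        m = re.match(r"vpngroup (\S+) split-tunnel ", line)
        if m:
            findings.append(f"vpngroup {m.group(1)}: split tunnelling enabled")
        if line == "sysopt connection permit-ipsec":
            findings.append("sysopt: decrypted IPsec traffic bypasses interface ACLs/conduits")
    if not any(l.startswith("isakmp enable ") for l in lines):
        findings.append("missing: isakmp enable <interface>")
    if not any(re.match(r"crypto map \S+ interface ", l) for l in lines):
        findings.append("missing: crypto map <name> interface <interface>")
    return findings
```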
VPN is sponsored by SecurityFocus.com