Hi Daniel and all,

Must it be group 2 and hash md5? My PIX 515 has 2 existing PIX-PIX
connections to other branches, and we were using "isakmp policy 10 group 1"
and "isakmp policy 10 hash sha".

If group 2 and hash sha is a must, then I've got to ask the other branches' PIX
admin to change to group 2 and hash md5 as well.

>isakmp policy 10 hash md5
>isakmp policy 10 group 2


>From: Daniel Cotts 
>To: "'Richard Campbell'" , [EMAIL PROTECTED]
>Subject: RE: connect home VPN client to PIX 515 [7:69932]
>Date: Sat, 31 May 2003 21:20:51 -0500
>
>The following config works. If you have other VPNs - such as PIX to PIX -
>then put this last. I've sanitized it a bit and hope that I haven't munged
>it. I'm using a RADIUS server for individual user authentication. That is
>not required.
>!
>access-list REMOTE_USERS permit ip 10.0.0.0 255.0.0.0 200.200.200.0 255.255.255.224
>access-list REMOTE_USERS permit ip 192.168.1.0 255.255.255.0 200.200.0.0 255.255.255.224
>!
>ip local pool REMOTE_USERS_POOL 200.200.200.1-200.200.200.30
>!
>nat (inside) 0 access-list REMOTE_USERS
>!
>sysopt connection permit-ipsec
>!
>crypto ipsec transform-set SET1 esp-des esp-md5-hmac
>crypto dynamic-map REMOTE_USERS 30 set transform-set SET1
>!
>crypto map FF_fw_int0 30 ipsec-isakmp dynamic REMOTE_USERS
>crypto map FF_fw_int0 client authentication AuthInbound
>! Uses RADIUS server for individual user authentication
>crypto map FF_fw_int0 interface outside
>isakmp enable outside
>!
>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption des
>isakmp policy 10 hash md5
>isakmp policy 10 group 2
>isakmp policy 10 lifetime 86400
>vpngroup FF_Remote_Users address-pool REMOTE_USERS_POOL
>vpngroup FF_Remote_Users dns-server 10.1.1.1
>vpngroup FF_Remote_Users wins-server 10.1.1.2
>vpngroup FF_Remote_Users default-domain xxx.com
>vpngroup FF_Remote_Users split-tunnel REMOTE_USERS
>vpngroup FF_Remote_Users idle-time 1800
>vpngroup FF_Remote_Users password ********
>
> > -----Original Message-----
> > From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > Sent: Saturday, May 31, 2003 1:12 AM
> > To: [EMAIL PROTECTED]
> > Subject: connect home VPN client to PIX 515 [7:69932]
> >
> >
> > Hi Group, I just successfully connected my home VPN client 3.X to my
> > VPN 3000 concentrator in my HQ in NY, but now I want to use it to
> > connect to my PIX 515 in my local branch as well. May I know:
> >
> > 1) Whether I can use the same VPN client (which connects to the
> > VPN3000 conc) to connect to my PIX 515?
> >
> > 2) What is the difference between connecting to the VPN3000 and the
> > PIX515? If we can connect to the PIX515, why should HQ buy a VPN3000
> > just for home users to connect? What is the maximum number of
> > connections to the VPN3000 and the PIX 515?
> >
> > 3) I tried to add a few commands to my PIX515 in order to make my VPN
> > client connect to my PIX515, but it fails to connect. The error message
> > and additional config are below. May I know whether any other
> > additional config is needed?
> >
> > Failed to establish a secure connection to the security gateway.
> >
> > ip local pool REMOTEIPPOOLS 192.168.1.241-192.168.1.250
> >
> > vpngroup VPNCLIENTS address-pool REMOTEIPPOOLS
> > vpngroup VPNCLIENTS dns-server 192.168.1.201
> > vpngroup VPNCLIENTS wins-server 192.168.1.201
> > vpngroup VPNCLIENTS default-domain xyx.com
> > vpngroup VPNCLIENTS idle-time 1800
> > vpngroup SGVPNCLIENTS password ********
> >
> > 4) I was told that the isakmp policy for VPN client 3.X needs to be
> > DH group 2. Is it a must?
> >
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption des
> > isakmp policy 10 hash sha
> > isakmp policy 10 group 1
> > isakmp policy 10 lifetime 86400
> >
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=69956&t=69932
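
An added example, not part of the original thread: a simplified Python model of IKE phase 1 policy matching, applied to the isakmp policy lines quoted above. It assumes a peer is accepted when authentication, encryption, hash and DH group all equal one local policy; lifetime and attribute defaults are not modelled, and policy 20 and both peer offers are constructed for illustration.

```python
import re

# Matches PIX-style lines such as "isakmp policy 10 hash md5".
POLICY_LINE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|hash|group) (\S+)$")
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return {priority: {attribute: value}} from isakmp policy lines."""
    policies = {}
    for raw in config.splitlines():
        m = POLICY_LINE.match(raw.lstrip("> ").strip())
        if m:  # lifetime and unrelated lines are skipped
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return policies

def select_policy(policies, offers):
    """Lowest-numbered local policy equal to an offer on all four keys."""
    for priority in sorted(policies):
        local = policies[priority]
        if any(all(local.get(k) == o.get(k) for k in MATCH_KEYS) for o in offers):
            return priority
    return None

# Policy 10 as posted in the thread (used by the existing PIX-PIX tunnels).
EXISTING = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
"""
# Hypothetical second policy carrying the md5 / group 2 values from the reply.
WITH_POLICY_20 = EXISTING + """
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
# Constructed peer offers (assumptions, not captured traffic).
BRANCH_PIX = [{"authentication": "pre-share", "encryption": "des", "hash": "sha", "group": "1"}]
VPN_CLIENT = [{"authentication": "pre-share", "encryption": "des", "hash": "md5", "group": "2"}]

if __name__ == "__main__":
    for name, cfg in (("policy 10 only", EXISTING), ("policies 10 and 20", WITH_POLICY_20)):
        p = parse_policies(cfg)
        print(name, "| branch PIX ->", select_policy(p, BRANCH_PIX),
              "| VPN client ->", select_policy(p, VPN_CLIENT))
```
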