Hi..  Daniel and Dear all,

Thanks for the guide.  May I know whether a remote VPN client to the PIX515 can be 
authenticated by my W2K server or not? I recall I can in VPN3000.  I am not 
familiar with RADIUS.  May I ask whether I should install a RADIUS server 
on my network, or whether the PIX515 itself can act as the RADIUS server to 
authenticate?  (I prefer to authenticate locally in the PIX515 without installing 
a RADIUS server.)

From the config shown below, what is aaa.bbb.ccc.10?  An IP address of the 
RADIUS server? Can we have authentication done locally in the PIX515?

aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10

>From: Daniel Cotts 
>To: "'Richard Campbell'" , [EMAIL PROTECTED]
>Subject: RE: multiple isakmp policies question-No authentication [7:69996]
>Date: Mon, 2 Jun 2003 18:25:38 -0500
>
>In the following config RADIUS is used to authenticate the Clients. IIRC the
>group password is sufficient to allow a client to connect - although not too
>secure as all clients would have one password.
>crypto map FF_fw_int0 client authentication AuthInbound
>aaa-server RADIUS protocol radius
>aaa-server AuthInbound protocol radius
>aaa-server AuthInbound (inside) host aaa.bbb.ccc.10 PASSWORD HERE timeout 10
>
> > -----Original Message-----
> > From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 02, 2003 8:07 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: multiple isakmp policies question-No authentication
> > [7:69996]
> >
> >
> > Hey...  thanks..  finally I got a response from my PIX515, but it just hangs
> > at the securing communication channel stage (see below) and it doesn't
> > authenticate the users.  What config should I add to point it to my
> > authentication server 192.168.1.201?  For your info, my VPN client is
> > installed on Win95 and my authentication server is a W2K server.
> >
> > Initializing the connection...
> > Contacting the gateway at 100.100.100.101...
> > Negotiating security policies...
> > Securing communication channel...
> >
> > I remember that in the VPN3000 server I need to specify the authentication
> > server for the VPN group, but why doesn't the PIX515 sample on the net have
> > this entry?
> >
> > >From: Andrew Larkins
> > >
> > >From what I remember about this, they will try each policy until a match is
> > >made, otherwise the connection terminates
> > >
> > >-----Original Message-----
> > >From: Richard Campbell [mailto:[EMAIL PROTECTED]
> > >
> > >hey..  I have a PIX 515 and have a PIX to PIX connection to London and NY
> > >using pre-shared key des, hash sha and dh group 1 and I am going to let
> > >VPN3000 client 3.X connect to here as here and I created another isakmp
> > >policy 20, with hash md5, dh group 2 as shown below.  Can you take a look
> > >whether the config is correct?
> > >
> > >And my question is I have 2 isakmp policies here, how does the PIX-PIX and
> > >VPN 3000 3.X client know which isakmp policy to take?
> > >
> > >crypto ipsec transform-set newset esp-des
> > >crypto dynamic-map dynmap 30 set transform-set newset
> > >crypto map newmap 10 ipsec-isakmp
> > >crypto map newmap 10 match address 101
> > >crypto map newmap 10 set peer nyapix
> > >crypto map newmap 10 set transform-set newset
> > >crypto map newmap 20 ipsec-isakmp
> > >crypto map newmap 20 match address 102
> > >crypto map newmap 20 set peer ldnpix
> > >crypto map newmap 20 set transform-set newset
> > >crypto map newmap 30 ipsec-isakmp dynamic dynmap
> > >crypto map newmap interface outside
> > >isakmp enable outside
> > >isakmp key ******** address ldnpix netmask 255.255.255.255
> > >isakmp key ******** address nyapix netmask 255.255.255.255
> > >isakmp identity address
> > >isakmp policy 10 authentication pre-share
> > >isakmp policy 10 encryption des
> > >isakmp policy 10 hash sha
> > >isakmp policy 10 group 1
> > >isakmp policy 10 lifetime 86400
> > >
> > >isakmp policy 20 authentication pre-share
> > >isakmp policy 20 encryption des
> > >isakmp policy 20 hash md5
> > >isakmp policy 20 group 2
> > >isakmp policy 20 lifetime 86400
> > >
> > >vpngroup CLIENTS address-pool REMOTEIPPOOLS
> > >vpngroup CLIENTS dns-server 192.168.1.201
> > >vpngroup CLIENTS wins-server 192.168.1.201
> > >vpngroup CLIENTS default-domain xyz.com
> > >vpngroup CLIENTS idle-time 1800
> > >vpngroup CLIENTS password ********
> > >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70034&t=70034
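
The policy selection discussed in the quoted replies, as an added example that is not part of the original thread: it parses the two isakmp policy stanzas quoted above and tries them against a peer's offers until one agrees. The peer offers are constructed, the lowest-number-first order is an assumption, and lifetime negotiation is left out.

```python
import re

# The two ISAKMP policies quoted in the thread above.
CONFIG = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

# Constructed peer offers (assumed for illustration, not captured traffic).
PIX_PEER = [{"authentication": "pre-share", "encryption": "des", "hash": "sha", "group": "1"}]
VPN_CLIENT = [
    {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"},
    {"authentication": "pre-share", "encryption": "des", "hash": "md5", "group": "2"},
]
NO_OVERLAP = [{"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}]

KEYS = ("authentication", "encryption", "hash", "group")
LINE = re.compile(r"^isakmp policy (\d+) (\S+) (\S+)$")


def parse_policies(text):
    """Return {priority: {attribute: value}} built from 'isakmp policy' lines."""
    policies = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            prio, attr, value = m.groups()
            policies.setdefault(int(prio), {})[attr] = value
    return policies


def select_policy(policies, offers):
    """Return the first local priority (lowest number first, an assumption)
    whose four attributes equal one of the peer's offers, or None if no
    policy matches and the negotiation ends."""
    for prio in sorted(policies):
        for offer in offers:
            if all(policies[prio].get(k) == offer.get(k) for k in KEYS):
                return prio
    return None


if __name__ == "__main__":
    local = parse_policies(CONFIG)
    for name, offers in (("pix", PIX_PEER), ("client", VPN_CLIENT), ("none", NO_OVERLAP)):
        print(name, select_policy(local, offers))
```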