There used to be a key value called 'shared secret' that you had to
configure on the ACE server as well as the 'requesting' device (and
unfortuanately it was plain text). I haven't played with an ACE server
for about 5yrs so that may have changed.
Pete
d tran wrote:
All,
I am trying to get the RSA ACE Server to authenticate VPN remote
users that terminate VPN connection to my Pix firewall. So far it is
not working and here is my scenario:
Pix FW:
Outside IP: 12.1.1.100 (netmask /21)
Inside IP: 172.161.254 (netmask /24)
DMZ IP: 172.18.1.254 (netmask /24)
The IP address of the RSA ACE-Server is 172.18.1.2. Here is the
configuration on my pix firewall. By the way, I am using Pix OS 6.3(1):
ip local pool test 172.30.1.1-172.30.1.254
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server ACE-SERVER protocol radius
aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
sysopt connection permit-ipsec
crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set set2 esp-des esp-sha-hmac
crypto ipsec transform-set set3 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
crypto map outside 20 ipsec-isakmp dynamic vpnremote
crypto map outside client configuration address respond
crypto map outside client authentication ACE-SERVER
outside interface outside
isakmp enable outside
isakmp key *** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local test outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup default address-pool test
vpngroup default dns-server 129.174.1.8
vpngroup default wins-server 129.174.1.8
vpngroup default default-domain test.com
vpngroup default split-tunnel 100
vpngroup default split-dns test.com
vpngroup default idle-time 1800
The problem is that whenever the pix sends an access-request to the
RSA ACE Server, the ACE Server sends back an access-reject to the
pix. It seems like the ACE Server thinks that the pix is an
unauthorized host to communicate with the ACE Server. Now, I
add the pix as an Agent Hosts on the ACE Server (Is this similar to
the clients.conf to FreeRadius?) and it still wouldn't work. Radius is
also running on the ACE Server so I know that the communication is
there. Furthermore, the is NO blocking of communication between the
Pix and the ACE Server. Can someone with experience with ACE Server
help me out with this problem? It has been a frustrating week.
I am running ACE Server version 5.1 on both Windows 2000 Server.
D
-
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=70035t=70035
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
