There used to be a key value called 'shared secret' that you had to configure on the ACE server as well as the 'requesting' device (and unfortunately it was plain text). I haven't played with an ACE server for about 5 yrs so that may have changed.

Pete
d tran wrote:
>All,
>I am trying to get the RSA ACE Server to authenticate VPN remote
>users that terminate VPN connection to my Pix firewall. So far it is
>not working and here is my scenario:
>
>Pix FW:
>Outside IP: 12.1.1.100 (netmask /21)
>Inside IP: 172.161.254 (netmask /24)
>DMZ IP: 172.18.1.254 (netmask /24)
>
>The IP address of the RSA ACE-Server is 172.18.1.2. Here is the
>configuration on my pix firewall. By the way, I am using Pix OS 6.3(1):
>
>ip local pool test 172.30.1.1-172.30.1.254
>aaa-server radius-authport 1812
>aaa-server radius-acctport 1813
>aaa-server ACE-SERVER protocol radius
>aaa-server ACE-SERVER (dmz) host 172.18.1.2 123456 timeout 5
>sysopt connection permit-ipsec
>crypto ipsec transform-set set1 ah-md5-hmac esp-des esp-md5-hmac
>crypto ipsec transform-set set2 esp-des esp-sha-hmac
>crypto ipsec transform-set set3 esp-des esp-md5-hmac
>crypto ipsec security-association lifetime seconds 3600
>crypto dynamic-map vpnremote 10 set transform-set set1 set2 set3
>crypto map outside 20 ipsec-isakmp dynamic vpnremote
>crypto map outside client configuration address respond
>crypto map outside client authentication ACE-SERVER
> outside interface outside
>isakmp enable outside
>isakmp key ******* address 0.0.0.0 netmask 0.0.0.0
>isakmp identity address
>isakmp client configuration address-pool local test outside
>isakmp policy 10 authentication pre-share
>isakmp policy 10 encryption des
>isakmp policy 10 hash md5
>isakmp policy 10 group 2
>isakmp policy 10 lifetime 86400
>vpngroup default address-pool test
>vpngroup default dns-server 129.174.1.8
>vpngroup default wins-server 129.174.1.8
>vpngroup default default-domain test.com
>vpngroup default split-tunnel 100
>vpngroup default split-dns test.com
>vpngroup default idle-time 1800
>
>The problem is that whenever the pix sends an "access-request" to the
>RSA ACE Server, the ACE Server sends back an "access-reject" to the
>pix. It seems like the ACE Server thinks that the pix is an
>"unauthorized" host to communicate with the ACE Server. Now, I
>add the pix as an "Agent Hosts" on the ACE Server (Is this similar to
>the clients.conf to FreeRadius?) and it still wouldn't work. Radius is
>also running on the ACE Server so I know that the communication is
>there. Furthermore, there is NO blocking of communication between the
>Pix and the ACE Server. Can someone with experience with ACE Server
>help me out with this problem? It has been a frustrating week.
>
>I am running ACE Server version 5.1 on both Windows 2000 Server.
>
>D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70035&t=70035
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
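To show why the shared secret Pete mentions matters, here is an added example (not code from either poster, nor from RSA or Cisco) of the RFC 2865 User-Password hiding a RADIUS client such as the PIX applies before sending an Access-Request. The secret "123456" is taken from the quoted aaa-server line purely as a placeholder; the passcode and the 16-byte Request Authenticator are constructed sample values. A server configured with a different secret unhides garbage, which is one way an Access-Request ends in an Access-Reject.

```python
import hashlib
import os

# Constructed sample values (not from the post): the PIX would generate a
# random Request Authenticator per packet and the user would type a passcode.
SAMPLE_SECRET = b"123456"          # placeholder from the quoted aaa-server line
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PASSCODE = b"pin+tokencode"

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block
    with MD5(secret + previous ciphertext block), seeded with the authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += cipher
        prev = cipher
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, chained on the received ciphertext blocks,
    then the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def server_accepts(hidden: bytes, server_secret: bytes,
                   authenticator: bytes, expected: bytes) -> bool:
    """Models the server's decision: Access-Accept only when the unhidden
    value matches what the token backend expects."""
    return reveal_password(hidden, server_secret, authenticator) == expected

if __name__ == "__main__":
    auth = os.urandom(16)
    wire = hide_password(SAMPLE_PASSCODE, SAMPLE_SECRET, auth)
    print("matching secret ->", server_accepts(wire, SAMPLE_SECRET, auth, SAMPLE_PASSCODE))
    print("mismatched secret ->", server_accepts(wire, b"other", auth, SAMPLE_PASSCODE))
```

The mismatch case is what a defender should check first on a client that is rejected despite being reachable: the reject is silent about the cause, so compare the secret on both ends before suspecting the agent-host or firewall configuration.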