[c-nsp] IOS IPSec
Jon Lewis
jlewis at lewis.org
Wed May 31 19:05:27 EDT 2006
I seem to have run into a wall with an IPSec config and am wondering if
I'm doing it wrong or if IOS just doesn't do what our customer wants.

They have a PIX-515 and several Cisco routers. The PIX is set up with
several IPSec "tunnels" to these routers, each of which has a different
set of RFC1918 IPs on their LAN. That part works fine. The PIX also
allows dynamic IPSec clients (Cisco VPN Client) via a vpngroup. Clients
need only specify the vpngroup ID and the PSK, and they get an IP from a
pool on the PIX.

The client wants to add this ability for dynamic IPSec clients on the
2801. I can't seem to get that working without breaking the crypto map
that allows the LAN on the 2801 to talk to the LAN behind the PIX. Can
IOS (C2801-ADVENTERPRISEK9-M) do a dynamic crypto map without XAUTH?
Following an example using XAUTH was the only way I could get Cisco
VPN Client to connect to the 2801...but then the 2801 wants the PIX to do
XAUTH.

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________