On Fri, 17 Dec 2004 17:40:08 +0100, Meidinger Chris
<chris.meidinger@badenit.de> wrote:
Hello List,
i have a question that is probably fairly simple. I have a PIX which should
accept VPN connections from Cisco VPN Clients as well as tunnel to various
other devices. This works partly, but i can't figure out how to add more
than one crypto map to an interface (seems impossible from
documentation/faq's) or how to add authentication to just one part of a
crypto map.
Config is (sanitized):
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set companytransform esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map companymap 21 ipsec-isakmp
crypto map companymap 21 match address outside_cryptomap_1
crypto map companymap 21 set peer 10.1.1.1
crypto map companymap 21 set transform-set badenovatransform
crypto map companymap 22 ipsec-isakmp dynamic outside_dyn_map
crypto map companymap interface outside
vpngroup testgroup address-pool client-pool
vpngroup testgroup idle-time 1800
vpngroup testgroup password ********
With this config everyting works, but VPN Clients authenticate only on
Group/PSK and do not require a user password. I would like to require a user
password.
So, i need to add something like the following command:
crypto map companymap client authentication LOCAL
in order to get the VPN-Clients to require a password. That would, however,
kill the PSK-Based tunnel.
Originally i wanted to use 2 crypto-maps, but that doesn't seem to work on
one interface.
Does anyone have a tip? I'm probably missing something obvious, but maybe if
someone could point it out ...
Thanks,
Chris
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800948b8.shtml
Should show you the way.
crypto map companymap 21 set transform-set badenovatransform
That transform does not exist- was that supposed to be sanitized?
