|
Posted by Pondlife on April 28, 2008, 4:50 am
If you were Registered and logged in, you could reply and use other advanced thread options
I am trying to configure a PIX 515e running version 7.0 to support
both remote access VPN clients and lan-to-lan VPNs. All VPNs must use
certificate authentication.
The PIX 515e has a static IP address for its outside interface, but
all the peers (both remote access clients and lan-to-lan peer
gateways) have dynamic IP addresses, typically on ADSL connections.
I think I need multiple dynamic crypto maps - one for each lan-to-lan
VPN and one for remote access users - but I cannot see how to
configure the PIX to select the correct crypto map for the lan-2-lan
VPNs. I would expect to be able to use part of the certificate DN for
this, like the OU, but I cannot find a way to do this.
The only reason for requiring multiple dynamic crypto maps is to set
the local and remote networks for IPsec phase 2. Everything else like
pfs, transform set, lifetimes etc. is the same for all the VPN
connections.
I can get the remote access VPNs working fine, and I can also get
lan-2-lan VPNs with static peers working fine (using static crypto
maps with "set peer a.b.c.d" to select the correct map). However I
cannot get dynamic lan-to-lan VPNs working.
I can select tunnel groups based on the certificate OU, but there does
not appear to be any way to select a crypto map from a tunnel group,
or to set the local and remote networks for Phase 2. Likewise for
group policy.
Any thoughts? Is this something that just cannot be done with PIX?
I can upgrade to version 7.1 or 7.2 (or even 8.0) if necessary, but
there don't seem to be any new VPN features in these versions that
help with what I need to do.
Roy
| 
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
XML site map