PIX VPN: Selecting dynamic crypto maps based on certificate

Posted by Pondlife on April 28, 2008, 4:50 am

I am trying to configure a PIX 515e running version 7.0 to support
both remote access VPN clients and lan-to-lan VPNs. All VPNs must use
certificate authentication.

The PIX 515e has a static IP address for its outside interface, but
all the peers (both remote access clients and lan-to-lan peer
gateways) have dynamic IP addresses, typically on ADSL connections.

I think I need multiple dynamic crypto maps - one for each lan-to-lan
VPN and one for remote access users - but I cannot see how to
configure the PIX to select the correct crypto map for the lan-to-lan
VPNs. I would expect to be able to use part of the certificate DN for
this, like the OU, but I cannot find a way to do this.

The only reason for requiring multiple dynamic crypto maps is to set
the local and remote networks for IPsec phase 2. Everything else like
pfs, transform set, lifetimes etc. is the same for all the VPN
connections.

I can get the remote access VPNs working fine, and I can also get
lan-to-lan VPNs with static peers working fine (using static crypto
maps with "set peer a.b.c.d" to select the correct map). However, I
cannot get dynamic lan-to-lan VPNs working.

I can select tunnel groups based on the certificate OU, but there does
not appear to be any way to select a crypto map from a tunnel group,
or to set the local and remote networks for phase 2. Likewise for
group policy.

Any thoughts? Is this something that just cannot be done with PIX?

I can upgrade to version 7.1 or 7.2 (or even 8.0) if necessary, but
there don't seem to be any new VPN features in these versions that
help with what I need to do.

Roy
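For readers trying to reproduce the setup described above, the following is an added configuration sketch (not from the original post, and not a solution to the unresolved dynamic lan-to-lan question) showing the two pieces the poster says do work on PIX 7.x with certificate authentication: a static crypto map selected by "set peer" for a fixed-address lan-to-lan peer, a single dynamic crypto map catching remote access clients with dynamic addresses, and a certificate map that steers connections into a tunnel group by the OU in the peer's certificate. All names, addresses, ACLs and the trustpoint name (SITE_A, RA_GROUP, 203.0.113.10, L2L_SITEA, MY_CA) are made-up placeholders; the crypto map sequence numbers are chosen so the static entries are evaluated before the dynamic catch-all.

```text
! --- Constructed example: PIX 7.x style syntax, placeholder names throughout ---
! IKE phase 1: certificate (RSA signature) authentication for every peer
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Common phase 2 parameters, shared by all VPNs as in the post
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Static lan-to-lan peer with a fixed address: the crypto map is selected by "set peer"
access-list L2L_SITEA extended permit ip 10.1.0.0 255.255.0.0 10.50.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_SITEA
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 10 set pfs
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 trust-point MY_CA

! Dynamic crypto map for remote access clients on dynamic addresses (catch-all, last sequence)
crypto dynamic-map DYNMAP 10 set transform-set ESP-3DES-SHA
crypto dynamic-map DYNMAP 10 set pfs
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

! Tunnel-group selection by certificate OU: peers whose certificate subject carries
! OU=RemoteAccess land in RA_GROUP; the OU value and group name are placeholders
tunnel-group RA_GROUP type ipsec-ra
tunnel-group RA_GROUP ipsec-attributes
 trust-point MY_CA
crypto ca certificate map OU_MAP 10
 subject-name attr ou eq RemoteAccess
tunnel-group-map enable rules
tunnel-group-map OU_MAP 10 RA_GROUP
```

The limitation the post describes is visible here: the certificate map only chooses the tunnel group, while the local and remote networks for phase 2 come from the crypto map entry, and a dynamic crypto map entry has no peer address or certificate attribute to key on. Whatever approach is eventually taken, verify with "show crypto isakmp sa" and "show crypto ipsec sa" that each peer's security association carries the expected proxy identities, since a dynamic map that accepts whatever proxies the peer proposes is what allows a lan-to-lan peer to negotiate networks it should not reach.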