L2TP/IPSec Remote Access Problem on PIX V8
Hi.
Here is a config which worked for me on ASA 7.2(4).
Note that for Windows XP VPN clients you have to stick to DefaultRAGroup tunnel-group whilst for MAC OSX you can have a different name; group-policy may have a non-default name in both cases.
ip local pool vpn_clients x.x.x.x-x.x.x.y mask z.z.z.z
crypto ipsec transform-set l2tp3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp3desmd5 mode transport
crypto ipsec transform-set l2tp3des esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp3des mode transport
crypto dynamic-map mymap_l2tp_dyn 12 set transform-set l2tp3desmd5 l2tp3des
crypto map mymap 65535 ipsec-isakmp dynamic mymap_l2tp_dyn
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal 20

group-policy l2tp_policy internal
group-policy l2tp_policy attributes
 wins-server value x.x.x.x
 dns-server value y.y.y.y
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec-my-stunnel
 default-domain value mydomain.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value x.x.x.x
 dns-server value y.y.y.y
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec-my-stunnel
 default-domain value mydomain.com

username myuser password ****== nt-encrypted

tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_clients
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
 isakmp ikev1-user-authentication xauth
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
HTH A.
eman mansouri said the following on 4/28/2008 5:28 AM:
> HI everybody
> I do have a PIX 525 with PIX v8 IOS which I am intending to configure for my remote users in order to enable them to connect through the Internet to the corporate LAN and make use of the services provided. I have used my own knowledge, Cisco site configuration guidelines and the ASDM 6.3 tool. But the problem is I get the below message using either Windows VPN Connection.
>
> Jan 01 00:02:09 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
> Jan 01 00:02:09 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
>
> this is the configuration I have done with ASDM. Please help me with it.
> I will be happy if you help me with it.
>
> PIX Version 8.0(3)
> !
> hostname pixfirewall
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0
>  nameif inside
>  security-level 100
>  ip address 10.1.1.1 255.255.255.0
> !
> interface Ethernet1
>  nameif outside
>  security-level 0
>  ip address 85.x.x.x 255.255.255.224
> !
> access-list OUT-ACCESS extended permit ip any interface outside
> access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.224
>
> ip local pool VPN-POOL 10.1.1.10-10.1.1.20 mask 255.255.255.0
>
> asdm image flash:/asdm-603.bin
>
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.1.1.0 255.255.255.0
> access-group OUT-ACCESS in interface outside
> route outside 0.0.0.0 0.0.0.0 85.15.52.1 1
>
> dynamic-access-policy-record DfltAccessPolicy
>
> crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
> crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_DES_SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
>  authentication pre-share
>  encryption des
>  hash sha
>  group 2
>  lifetime 86400
>
> group-policy VPN-Group internal
> group-policy VPN-Group attributes
>  vpn-tunnel-protocol l2tp-ipsec
>  default-domain value ibto.ir
> username iman password I02l0vJPx1MGTuzMwdwezg== nt-encrypted privilege 0
> username iman attributes
>  vpn-group-policy VPN-Group
> tunnel-group DefaultRAGroup ipsec-attributes
>  pre-shared-key *
> tunnel-group DefaultRAGroup ppp-attributes
>  authentication pap
>  no authentication chap
>  authentication ms-chap-v2
> tunnel-group VPN-Group type remote-access
> tunnel-group VPN-Group general-attributes
>  address-pool VPN-POOL
>  default-group-policy VPN-Group
> tunnel-group VPN-Group ipsec-attributes
>  pre-shared-key *
>  isakmp ikev1-user-authentication none
> tunnel-group VPN-Group ppp-attributes
>  authentication pap
>  no authentication chap
>  authentication ms-chap-v2
>
> Pass the CCIE in six weeks, Guaranteed!
> http://www.certscience.com/CCIE
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
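As an added example (not code from either post, nor from Cisco), the following Python lint checks an ASA/PIX configuration for the L2TP/IPsec prerequisites that A.'s reply relies on: Windows clients land in tunnel-group DefaultRAGroup, so that tunnel-group must carry the address-pool and default-group-policy; the group-policy must allow l2tp-ipsec; the dynamic crypto map must offer a transport-mode transform-set; ppp-attributes must enable ms-chap-v2; and locally defined users need an nt-encrypted password for MS-CHAPv2. It also flags PAP in ppp-attributes as a warning. The function names and the two sample configurations are assumptions of this example; the samples are constructed from the two configurations on the page, trimmed, with placeholder pool addresses and password hashes.

```python
"""Lint an ASA/PIX config for L2TP/IPsec remote-access prerequisites.
Added example; the sample configs below are constructed from the page."""
import re
from typing import Dict, List


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to the indented sub-commands under it."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] == " ":                  # indented: belongs to current block
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def lint_l2tp(config: str) -> List[str]:
    """Return a list of findings; an empty list means all checks passed."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    # L2TP/IPsec uses IPsec transport mode, so the dynamic crypto map must
    # reference at least one transform-set configured with 'mode transport'.
    transport, dyn_sets = set(), set()
    for line in blocks:
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport$", line)
        if m:
            transport.add(m.group(1))
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", line)
        if m:
            dyn_sets.update(m.group(1).split())
    if not dyn_sets & transport:
        findings.append("no transport-mode transform-set is referenced by a dynamic crypto map")

    # Windows clients cannot pick a tunnel-group, so DefaultRAGroup itself
    # must hand out addresses and point at a policy that allows l2tp-ipsec.
    general = blocks.get("tunnel-group DefaultRAGroup general-attributes", [])
    pool = next((l.split()[1] for l in general if l.startswith("address-pool ")), None)
    if pool is None:
        findings.append("tunnel-group DefaultRAGroup general-attributes has no address-pool")
    elif not any(k.startswith(f"ip local pool {pool} ") for k in blocks):
        findings.append(f"address-pool {pool} is not defined with 'ip local pool'")
    policy = next((l.split()[1] for l in general if l.startswith("default-group-policy ")), None)
    if policy is None:
        findings.append("tunnel-group DefaultRAGroup general-attributes has no default-group-policy")
    else:
        attrs = blocks.get(f"group-policy {policy} attributes", [])
        proto = next((l for l in attrs if l.startswith("vpn-tunnel-protocol")), "")
        if "l2tp-ipsec" not in proto.split():
            findings.append(f"group-policy {policy} does not allow l2tp-ipsec")

    # PPP authentication inside the tunnel: MS-CHAPv2 on, PAP (password sent
    # as-is rather than as a challenge response) off.
    ppp = blocks.get("tunnel-group DefaultRAGroup ppp-attributes", [])
    if "authentication ms-chap-v2" not in ppp:
        findings.append("tunnel-group DefaultRAGroup ppp-attributes does not enable ms-chap-v2")
    if "authentication pap" in ppp:
        findings.append("tunnel-group DefaultRAGroup ppp-attributes allows PAP")

    # Local users verified with MS-CHAPv2 need the nt-encrypted password form.
    for line in blocks:
        m = re.match(r"username (\S+) password \S+(.*)$", line)
        if m and "nt-encrypted" not in m.group(2).split():
            findings.append(f"username {m.group(1)} is not stored nt-encrypted")
    return findings


# Constructed from the reply's ASA 7.2(4) config (placeholder pool and hash).
WORKING_CONFIG = """\
ip local pool vpn_clients 10.0.9.1-10.0.9.50 mask 255.255.255.0
crypto ipsec transform-set l2tp3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp3desmd5 mode transport
crypto dynamic-map mymap_l2tp_dyn 12 set transform-set l2tp3desmd5
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username myuser password PLACEHOLDER== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_clients
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

# Constructed from the original question's PIX 8.0(3) config (placeholder hash).
BROKEN_CONFIG = """\
ip local pool VPN-POOL 10.1.1.10-10.1.1.20 mask 255.255.255.0
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA TRANS_ESP_DES_SHA
group-policy VPN-Group attributes
 vpn-tunnel-protocol l2tp-ipsec
username iman password PLACEHOLDER== nt-encrypted privilege 0
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
tunnel-group VPN-Group general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-Group
"""

if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, lint_l2tp(cfg) or "OK")
```

Run against the question's configuration the lint reports that DefaultRAGroup has neither an address-pool nor a default-group-policy (both were attached to the custom VPN-Group tunnel-group instead) and that PAP is enabled; the reply's configuration passes cleanly.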