There are no specific requirements for this document. Refer to IPsec Between a Static IOS Router and a Dynamic PIX/ASA 7.x with NAT Configuration Example in order to enable the PIX/ASA Security Appliance to accept dynamic IPsec connections from the IOS® router.
#Configuring cisco vpn client series
Refer to IPsec LAN-to-LAN Tunnel on a VPN 3000 Concentrator with a Cisco IOS Router Configured for DHCP Configuration Example to configure the VPN 3000 Concentrator Series in order to create IPsec tunnels dynamically with remote VPN devices that receive dynamic IP addresses on their public interfaces. Refer to LAN-to-LAN Tunnels on a VPN 3000 Concentrator With a PIX Firewall Configured for DHCP to configure the Cisco VPN 3000 Concentrator Series to create IPsec tunnels dynamically with remote Cisco PIX Firewalls that use DHCP to get IP addresses on their public interfaces. Refer to EzVPN Client and Server on the Same Router Configuration Example in order to learn more about the scenario where you can configure a router as an EzVPN Client and server on the same interface. The only difference between spokes is the access-list that references the traffic to be encrypted. The spoke router configuration in this document can be replicated on all other spoke routers that connect into the same hub. Refer to Ability to Disable Xauth for Static IPsec Peers and Configuring IPsec Between Two Routers and a Cisco VPN Client 4.x for more information. Note: You can also use the no-xauth keyword with the crypto isakmp key command to bypass Xauth for LAN-to-LAN peers. ISAKMP profiles are the subject of this configuration.
#Configuring cisco vpn client software
The introduction of ISAKMP profiles in Cisco IOS® Software Release 12.2(15)T makes this configuration possible since you can match on other properties of the connection (VPN Client group, peer IP address, fully qualified domain name, and so forth) rather than just the peer IP address. However, when you disable Xauth, it reduces the ability to authenticate VPN Clients. This is because Xauth for the VPN Client connections do break the LAN-to-LAN connection. Without further configuration, the use of a wild-card pre-shared key on the hub router is not possible in this situation. This is because the ISP often provisions IP addresses dynamically using DHCP on these low-cost connections. The use of Dynamic Host Configuration Protocol (DHCP) is common in situations where the spoke is connected to the Internet via a DSL or cable modem. The spoke router in this scenario obtains its IP address dynamically via DHCP. Cisco VPN Clients also connect to the hub and use Extended Authentication (Xauth).
This configuration shows a LAN-to-LAN configuration between two routers in a hub-spoke environment.
0 kommentar(er)
