We have replaced a PIX with an ASA and the ASA does not support VPDN - How do I get round this issue apart from moving back to the PIX
Thanks Gary
Hi Gary,
vpdn command
The vpdn command was removed because support for L2TP/PPTP/PPPoE was removed in PIX Security appliance Version 7.0.
The configuration of old VPDN objects at the group level is accomplished via the tunnel-group and group-policy commands.
Brad Reese BradReese.Com - Cisco Power Supply Headquarters
That doc simply says:
vpdn group pptp echo -> Not supported. PPTP is not supported in PIX Security appliance Version 7.0.
vpdn group accept dialin l2tp -> Not supported. L2TP and L2TP over IPSec are not supported in PIX Security appliance Version 7.0.
vpdn group accept dialin pptp -> Not supported. PPTP is not supported in PIX Security appliance Version 7.0.
What functionality replaces this???
Gary
It depends what you mean by 'vpdn'.
There is no support for PPTP in any PIX 7.x version so far.
PIX 7.2 added back in support for PPPoE and L2TP over IPSec, neither of which are supported in 7.0 or 7.1; the 7.2 release notes has more information.
Everything else relevant to vpdn was merged into the modular crypto policy framework, such as the tunnel-group command. The conversions are outlined in the documentation guiding the transition between 6.x and 7.0. If you could be a bit more specific about the vpdn functionality you need, we might be able to tell you the new commands.
Of course. None of this config would load into V7 ASA:
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication pap
vpdn group 1 ppp authentication chap
vpdn group 1 ppp authentication mschap
vpdn group 1 pptp echo 60
vpdn group 1 client authentication local
vpdn username gary password gary
vpdn enable outside
terminal width 80
You can't do any of the above in PIX or ASA 7.0, 7.1, or 7.2 -- there is no pptp support at all.
There is local user authentication, but that's not a big issue compared to the above.
PIX Version 6.3 vpngroup commands and their PIX Security appliance Version 7.0 equivalents:

vpngroup address-pool
  7.0: tunnel-group type ipsec-l2l
       tunnel-group general-attributes
         address-pool [(interface name)] [...]
  Converted to tunnel-group syntax.

vpngroup authentication-server
  7.0: Not supported. Used on PIX Version 6.3 to pass a AAA server address for Individual User Authentication (IUA), a feature used on the hardware client; PIX Security appliance Version 7.0 proxies the AAA request for the hardware client, and therefore always sends its own address.

vpngroup backup-server { [ ... ] } | clear-client-cfg
  7.0: In the group-policy attribute configuration mode:
         [no] backup-servers | clear-client-config | keep-client-config
  Converted to group-policy syntax.

vpngroup default-domain
  7.0: In the group-policy attribute configuration mode:
         [no] default-domain value
  Converted to group-policy syntax.

vpngroup device-pass-through
  7.0: In the group-policy attribute configuration mode:
         ip-phone-bypass
         leap-bypass
  Converted to group-policy syntax. The IUA exemption is no longer MAC address based. The administrator can choose to exempt Cisco IP Phones and/or any LEAP data from Individual User Authentication.

vpngroup dns-server []
  7.0: In the group-policy attribute configuration mode:
         [no] dns-server value [ip_address]
  Converted to group-policy syntax.

vpngroup idle-time
  7.0: In the group-policy attribute configuration mode:
         [no] vpn-idle-timeout | none
  Converted to group-policy syntax.

vpngroup max-time
  7.0: In the group-policy attribute configuration mode:
         [no] vpn-session-timeout | none
  Converted to group-policy syntax.

vpngroup password
  7.0: tunnel-group type ipsec-ra
       tunnel-group ipsec-attributes
         pre-shared-key
  Converted to tunnel-group syntax.

vpngroup pfs
  7.0: In the group-policy attribute configuration mode:
         pfs
  Converted to group-policy syntax.

vpngroup secure-unit-authentication
  7.0: In the group-policy attribute configuration mode:
         secure-unit-authentication
  Converted to group-policy syntax.

vpngroup split-dns [ ... ]
  7.0: In the group-policy attribute configuration mode:
         [no] split-dns value
  Converted to group-policy syntax.

vpngroup split-tunnel
  7.0: In the group-policy attribute configuration mode:
         [no] split-tunnel-network-list value
  Converted to group-policy syntax.

vpngroup user-authentication
  7.0: In the group-policy attribute configuration mode:
         user-authentication
  Converted to group-policy syntax.

vpngroup user-idle-timeout
  7.0: In the group-policy attribute configuration mode:
         [no] user-authentication-idle-timeout | none
  Converted to group-policy syntax.

vpngroup wins-server []
  7.0: In the group-policy attribute configuration mode:
         [no] wins-server value [ip_address]
  Converted to group-policy syntax.

show vpngroup []
  7.0: show running-config [default] tunnel-group [ [general-attributes | ipsec-attributes | ppp-attributes]]
       show running-config [default] group-policy [ [attributes]]
  Converted to tunnel-group and group-policy syntax; both commands are used to replace the vpngroup command.
Change Impact This section describes the impact that the changes will have on the CLI commands in PIX Security appliance Version 7.0.
· Trustpoints - The concept and syntax of a trustpoint are new for PIX Security appliance Version 7.0. A trustpoint consists of a CA certificate/identity certificate pair and allows the configuration and use of multiple CA certificates and therefore multiple identity certificates on PIX Security appliance Version 7.0. PIX Version 6.3 only supported the configuration and use of a single identity certificate. The following is an example of how the CLI has changed:
PIX Version 6.3 syntax:
ca identity myca 10.10.10.100 10.10.10.110
ca configure myca ca 3 3
The PIX Security appliance Version 7.0 syntax:
crypto ca trustpoint myca
  enroll url 10.10.10.100
  enrollment mode ca
  enrollment retry period 3
  enrollment retry count 3
  crl required
  crl
    ldap_defaults 10.10.10.110
    exit
  exit
· Group Management - The vpngroup command is being replaced by the tunnel-group and group-policy commands. The split of configuration data between the tunnel-group and group-policy is intended to facilitate the sharing of group policies. The tunnel group is generally tied to a VPN peer or group of peers. The group policy is then applied to either a single tunnel group or several tunnel groups. An additional benefit is that the group policy can be stored or maintained on an external policy server. All uses of the vpngroup command automatically convert to tunnel-group and group-policy commands. Here is an example of some vpngroup commands converted to the new syntax:
PIX Version 6.3 syntax:
vpngroup group1 address-pool pool1
vpngroup group1 password mypassword
The PIX Security appliance Version 7.0 syntax:
tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
  address-pool pool1
tunnel-group group1 ipsec-attributes
  pre-shared-key mypassword
PIX Version 6.3 syntax:
crypto map map_name client authenticate aaa_server_group_name
The PIX Security appliance Version 7.0 syntax:
tunnel-group group1 type ipsec-ra
tunnel-group group1 general-attributes
  authentication-server-group myservergroup
· PPP User Configuration - The configuration of PPP users through the vpdn command is no longer supported, and the command is not supported in PIX Security appliance Version 7.0.
· Remote Peers - After upgrading from PIX Version 6.3 to PIX Security appliance Version 7.0, connections fail on the PIX terminating the remote connections from the IOS peers on the dynamic crypto map with certificates. The solution is to change the configuration to force the connecting IOS peers into the ipsec-l2l group.
The following example shows the output when you enter the debug crypto isakmp 50 command, after you perform an upgrade to PIX Security appliance Version 7.0:
...
[IKEv1], IP = x.x.x.x , Connection landed on tunnel_group DefaultRAGroup
[IKEv1], Group = DefaultRAGroup, IP = x.x.x.x Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list,
...
· Xauth Disabled/Enabled - In PIX Version 6.3, Xauth was disabled by default for dynamic or remote access (client) tunnels, so unless you were using Xauth, there would be no indication of it in your configuration. When you upgrade to PIX Security appliance Version 7.0, the default remote access tunnel-group has Xauth enabled by default, and attempts to authenticate tunnels to the local database. If on PIX Version 6.3 you terminate dynamic VPN tunnels without Xauth, you must add the following information to your configuration after upgrading to stop Xauth. For the default group:
tunnel-group DefaultRAGroup general-attributes
authentication-server-group none
If any additional tunnel-groups were converted, you should add the following command to each tunnel-group:
tunnel-group general-attributes
authentication-server-group none
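The conversion table and the Group Management example above describe a mechanical mapping from vpngroup lines to tunnel-group and group-policy blocks. The script below is an added example (not Cisco's conversion code and not part of this thread) that applies that mapping to a pasted 6.3 config and reports lines the table marks as unsupported for manual review; the default-group-policy and "group-policy <name> internal" lines that bind each tunnel-group to its policy are an assumption beyond the quoted table.

```python
from collections import OrderedDict

# PIX 6.3 "vpngroup <name> <attribute> ..." -> PIX/ASA 7.0 keyword and destination.
# Destinations: "tg-general" = tunnel-group general-attributes,
# "tg-ipsec" = tunnel-group ipsec-attributes, "gp" = group-policy attributes.
# Keywords follow the conversion table quoted in the thread.
ATTR_MAP = {
    "address-pool":   ("address-pool", "tg-general"),
    "password":       ("pre-shared-key", "tg-ipsec"),
    "dns-server":     ("dns-server value", "gp"),
    "wins-server":    ("wins-server value", "gp"),
    "default-domain": ("default-domain value", "gp"),
    "idle-time":      ("vpn-idle-timeout", "gp"),
    "max-time":       ("vpn-session-timeout", "gp"),
    "split-tunnel":   ("split-tunnel-network-list value", "gp"),
    "split-dns":      ("split-dns value", "gp"),
    "pfs":            ("pfs", "gp"),
}
# Marked "Not supported" in the 7.0 table: never emit, always flag.
UNSUPPORTED = {"authentication-server"}

def convert_vpngroup(config_text):
    """Return (converted 7.0 lines, vpngroup lines needing manual review)."""
    groups = OrderedDict()          # group name -> per-destination line lists
    review = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "vpngroup":
            continue                # not a vpngroup line; leave to the operator
        name, attr, value = parts[1], parts[2], " ".join(parts[3:])
        if attr in UNSUPPORTED or attr not in ATTR_MAP:
            review.append(line)     # unsupported or unknown: do not guess
            continue
        keyword, dest = ATTR_MAP[attr]
        g = groups.setdefault(name, {"tg-general": [], "tg-ipsec": [], "gp": []})
        g[dest].append(f" {keyword} {value}".rstrip())   # "pfs" carries no value
    out = []
    for name, g in groups.items():
        # Assumption: one group-policy per tunnel-group, bound with default-group-policy.
        out += [f"tunnel-group {name} type ipsec-ra",
                f"tunnel-group {name} general-attributes",
                *g["tg-general"], f" default-group-policy {name}"]
        if g["tg-ipsec"]:
            out += [f"tunnel-group {name} ipsec-attributes", *g["tg-ipsec"]]
        out += [f"group-policy {name} internal",
                f"group-policy {name} attributes", *g["gp"]]
    return out, review
```

Run it against the 6.3 config before cutting over and hand-check every line it puts in the review list; it deliberately refuses to invent a 7.0 form for anything outside the table.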
Do I assume I leave the old PIX in place just for this - Did Cisco just forget about this? What do others do to get round this issue?
Gary
I don't think Cisco has forgotten about it, but I haven't a clue as to why they did not support PPTP. (Mind you, I have only a dim clue as to why they bothered to support PPTP anyhow, seeing as doing so encourages continued use of Microsoft operating systems...)
SSL VPNs?
Need something that will work from any Internet Cafe in the world.
Thanks - Will work it out somehow,
Gary
You can't count on the Microsoft VPN client being installed.
There are two kinds of SSL VPNs. One of the two should work over any https connection. It would be unusual for internet cafes to block https.
How do I get a VPN up from an Internet cafe without loading say Cisco VPN client?
Gary
WebVPN