PIX 7.2 VPN with kerberos / ldap authentication and authorization

Anyone ever done this configuration with version 7.2? I can make it work :?

What I am trying to do is:

VPN users from Windows XP connecting to the PIX through L2TP and authenticating to the Active Directory servers on the inside interface.

First, look here -

I've never set up L2TP, but what I've done is set up a vpngroup on the PIX (using the vpngroup and crypto commands) and then use xauth to authenticate against Microsoft's RADIUS server (IAS), which in turn can use AD.

(It's easier than it sounds.)

Here is an excerpt from my PIX 515E (7.2(1)) config:

group-policy VPNGROUPNAME internal
group-policy VPNGROUPNAME attributes
 wins-server value 192.168.x.y
 dns-server value 192.168.a.b 192.168.a.c
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 ! split tunnel access-list 10
 split-tunnel-network-list value 10
 default-domain value domain.com

crypto ipsec transform-set 3desSHA esp-3des esp-sha-hmac
crypto dynamic-map VPNGROUP 10 set transform-set 3desSHA
crypto map CRYPTOMAP_NAME 1 ipsec-isakmp dynamic VPNGROUP
crypto map CRYPTOMAP_NAME interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
tunnel-group DefaultRAGroup general-attributes
 ! xauth users are checked against the aaa-server group named RADIUS
 authentication-server-group (outside) RADIUS

tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpn-pool
 ! must name the group-policy defined above
 default-group-policy VPNGROUPNAME
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key secretKey

You still have to configure a RADIUS server and the split tunnel ACL. The RADIUS server should point to your M$ IAS server. You also must configure a DHCP pool for the VPNs (referenced as 'vpn-pool' above).

HOPE THIS HELPS. (See the MS KB for configuring IAS - it's not so bad.)

john smith
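The three pieces the excerpt above leaves to the reader (the RADIUS server group, the split-tunnel ACL and the address pool), written out as an added example rather than taken from john's config. The names RADIUS, vpn-pool and access-list 10 match his excerpt; the IAS address, the networks and the shared secret are placeholders.

```text
! aaa-server group named in "authentication-server-group (outside) RADIUS"
! IAS sits on the inside network; 192.168.a.d and the key are placeholders
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.a.d
 key <shared-secret-also-entered-on-the-IAS-client-entry>
 timeout 5
!
! networks reached through the tunnel, referenced by
! "split-tunnel-network-list value 10" (placeholder range)
access-list 10 standard permit 192.168.0.0 255.255.0.0
!
! addresses handed to VPN clients, referenced by "address-pool vpn-pool"
ip local pool vpn-pool 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! check the RADIUS path before touching the client:
! test aaa-server authentication RADIUS host 192.168.a.d username u password p
```

If the test fails, look at the IAS event log for a rejected client or wrong shared secret before debugging ISAKMP.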

Thanks for your help.

I've checked the conf and also used this guide (revised 3 days ago from Cisco):

But it's impossible to make it work. I can see phase 1 and phase 2 of the IPsec negotiation, but it hangs in the authentication phase. The funny thing is that I cannot see anything while debugging PPP or L2TP. I don't know where else I can look.

Any ideas?


By the way, right now I'm just trying to authenticate to the LOCAL user database, so it's just L2TP tunneling from Windows XP to a PIX 515E with auth to LOCAL.

I've also tried changing the conf and using the Cisco VPN client; it works OK with this type of remote access conf.


I've just found the solution! :)

The xauth option in ASDM wasn't working OK; I needed to put it in by hand:

isakmp ikev1-user-authentication (outside) xauth

After typing this command the authentication went perfectly! :)

Hope this helps someone in the future.