Has anyone ever done this configuration with ver 7.2? I can make it work :?
What I am trying to do is:
VPN users from Windows XP connecting to the PIX through L2TP and authenticating to the Active Directory servers on the inside interface.
First, look here -
(it's easier than it sounds)
Here is an excerpt from my PIX 515E (7.2(1)) config:

group-policy VPNGROUPNAME internal
group-policy VPNGROUPNAME attributes
 wins-server value 192.168.x.y
 dns-server value 192.168.a.b 192.168.a.c
 vpn-idle-timeout 1440
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 10    (split tunnel access-list 10)
 default-domain value domain.com

crypto ipsec transform-set 3desSHA esp-3des esp-sha-hmac
crypto dynamic-map VPNGROUP 10 set transform-set 3desSHA
crypto map CRYPTOMAP_NAME 1 ipsec-isakmp dynamic VPNGROUP
crypto map CRYPTOMAP_NAME interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) RADIUS

tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpn-pool
 default-group-policy vpn-group
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key secretKey
You still have to configure a RADIUS server and the split tunnel ACL. The RADIUS server should point to your M$ IAS server. You also must configure a DHCP pool for the VPNs (referenced as 'vpn-pool' above).
HOPE THIS HELPS. (See the MS KB for configuring IAS - it's not so bad.)
Thanks for your help.
I've checked the conf and also used this guide (revised 3 days ago from Cisco):
any ideas?
thanks!
By the way, now I'm just trying to authenticate to the LOCAL user database; so it's just L2TP tunneling from Windows XP to a PIX 515E and auth to LOCAL.
I've also tried changing the conf and using the Cisco VPN client; it works OK with this type of remote access conf.
regards
I've just found the solution! :)
The xauth option in ASDM wasn't working OK; I needed to put it in by hand:
isakmp ikev1-user-authentication (outside) xauth
After typing this command the authentication went perfectly! :)
Hope this helps someone in the future.
xabi.
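For anyone landing on this thread later, here is a complete L2TP/IPsec-only configuration for the scenario the thread describes (Windows XP native client, PIX/ASA 7.2, users checked against AD via an IAS RADIUS server on the inside). This is an added example, not config from either poster; the group, pool, ACL and server names, the addresses and the secrets are placeholders. It follows the layout of Cisco's 7.2 L2TP over IPsec example, which sets the ISAKMP user authentication to none rather than xauth because the Windows native client does not do XAUTH and instead sends the user credentials inside PPP (MS-CHAPv2); keep whichever value your client actually negotiates.

```cisco
! Added example: L2TP/IPsec from Windows XP to PIX/ASA 7.2, users authenticated
! against AD through a RADIUS (IAS) server on the inside interface.
! Names, addresses and secrets are placeholders, not values from the thread.
! RADIUS server group pointing at the IAS host on the inside network.
aaa-server IAS protocol radius
aaa-server IAS (inside) host 192.168.1.10
 key <radius-shared-secret>
! Address pool handed to VPN clients (the 'vpn-pool' the thread refers to).
ip local pool vpn-pool 192.168.50.1-192.168.50.50 mask 255.255.255.0
! Only this internal subnet goes through the tunnel (split tunnelling).
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
! Phase 1 and phase 2. Windows L2TP/IPsec uses transport mode, not tunnel mode.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto ipsec transform-set L2TP-SET esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-SET mode transport
crypto dynamic-map DYN 10 set transform-set L2TP-SET
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN
crypto map OUTSIDE_MAP interface outside
! The group policy restricts this tunnel to L2TP/IPsec only.
group-policy L2TP-POLICY internal
group-policy L2TP-POLICY attributes
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
 dns-server value 192.168.1.10
 default-domain value example.local
! The Windows client cannot name a tunnel group, so it lands on DefaultRAGroup.
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 authentication-server-group IAS
 default-group-policy L2TP-POLICY
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <l2tp-preshared-key>
 isakmp ikev1-user-authentication none
! User credentials travel inside PPP, so the RADIUS server must accept MS-CHAPv2.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
```

The pre-shared key only protects phase 1; the per-user check is the MS-CHAPv2 exchange relayed to IAS, so a rejected login shows up in the IAS event log rather than on the PIX.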