PIX VPN: Selecting dynamic crypto maps based on certificate

I am trying to configure a PIX 515e running version 7.0 to support both remote access VPN clients and lan-to-lan VPNs. All VPNs must use certificate authentication.

The PIX 515e has a static IP address for its outside interface, but all the peers (both remote access clients and lan-to-lan peer gateways) have dynamic IP addresses, typically on ADSL connections.

I think I need multiple dynamic crypto maps - one for each lan-to-lan VPN and one for remote access users - but I cannot see how to configure the PIX to select the correct crypto map for the lan-2-lan VPNs. I would expect to be able to use part of the certificate DN for this, like the OU, but I cannot find a way to do this.

The only reason for requiring multiple dynamic crypto maps is to set the local and remote networks for IPsec phase 2. Everything else like pfs, transform set, lifetimes etc. is the same for all the VPN connections.

I can get the remote access VPNs working fine, and I can also get lan-2-lan VPNs with static peers working fine (using static crypto maps with "set peer a.b.c.d" to select the correct map). However I cannot get dynamic lan-to-lan VPNs working.

I can select tunnel groups based on the certificate OU, but there does not appear to be any way to select a crypto map from a tunnel group, or to set the local and remote networks for Phase 2. Likewise for group policy.

Any thoughts? Is this something that just cannot be done with PIX?

I can upgrade to version 7.1 or 7.2 (or even 8.0) if necessary, but there don't seem to be any new VPN features in these versions that help with what I need to do.


Reply to
Loading thread data ...

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.