Re: IPSec Question

From: Wayne Hu (wayneccie@xxxxxxxxx)
Date: Mon May 15 2000 - 13:25:17 GMT-3


Hi, Chad
The thing is, they are not behind a Linux firewall.
I did two tests.
1. I tried to VPN tunnel from two computers. The first
one was assigned the IP address 10.1.1.1 (the IP pool is
from 10.1.1.1 to 10.1.1.25), the second one is
10.1.1.2, and each of them has a different source address.
When the second computer VPNed in, the first one was
kicked off.

2. Then I tried to set up two VPN connections from one
computer to two different VPN server IP addresses. I
see two VPN tunnels in my VPN server come from one
source address 10.1.1.1, but the bad thing is the two
connections can't work at the same time.

Any idea?

wayne

--- Chad Marsh <chad@wa.net> wrote:
> I have a similar problem with one of my clients, but
> it is because they are behind a Linux firewall which
> is doing PAT, so the PIX sees a request from the
> second client, but it is the same IP address, same
> UDP port 500, same IP protocol #50 (ESP), so it
> thinks that it is the first client wanting to
> re-negotiate and exchange new keys.
>
> Chad
>
> ----- Original Message -----
> From: "Wayne Hu" <wayneccie@yahoo.com>
> To: "Chad Marsh" <chad@wa.net>;
> <ccielab@groupstudy.com>
> Sent: Monday, May 15, 2000 7:58 AM
> Subject: Re: IPSec Question
>
>
> > Thanks Chad
> > Mode configuration really works for my mobile users,
> > but I had a problem setting up more than one user
> > accessing at the same time. It seems the second user
> > crashes the first user's connection. Do I have to set
> > multiple dynamic crypto maps for multiple users?
> >
> > Thanks
> > wayne
> >
> >
> > --- Chad Marsh <chad@wa.net> wrote:
> > > You'll have to do what Cisco calls a "mode"
> > > configuration. Since the host has a dynamically
> > > assigned address, there is no way to program the
> > > router (assuming it's a router) for what address to
> > > peer with on the crypto map. This way the router
> > > assigns a bogus internal address to the client, from
> > > a local pool, then references that address range for
> > > the crypto components.
> > >
> > > See here:
> > > http://www.cisco.com/warp/public/707/25.html
> > >
> > > or here for PIX:
> > > http://www.cisco.com/warp/public/110/37.html
> > >
> > > Chad Marsh
> > > CCIE # 5185
> > >
> > >
> > > ----- Original Message -----
> > > From: "Wayne Hu" <wayneccie@yahoo.com>
> > > To: <ccielab@groupstudy.com>
> > > Sent: Saturday, May 13, 2000 3:38 PM
> > > Subject: IPSec Question
> > >
> > >
> > > > Hi,
> > > > I have a problem setting up a pre-shared key on the
> > > > VPN host, because the remote client uses dial-up
> > > > ISDN with no static IP address. Can I use a wildcard
> > > > in the command line "crypto isakmp key Cisco address
> > > > 0.0.0.0"? If not, how can I implement this?
> > > >
> > > > Thanks
> > > >
> > > > wayne
> > > >
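The pieces the thread talks about (a wildcard pre-shared key for peers with no fixed address, a local pool handed out by mode configuration, and a single dynamic crypto map that covers every mobile user) fit together as shown below. This is an added illustration for readers of the archive, not configuration posted by Wayne or Chad and not taken from the Cisco documents they link; the pool name, transform-set name, map names and the interface are assumed, the 10.1.1.1 to 10.1.1.25 range is the one Wayne mentions, and the pre-shared key is a placeholder.

```cisco
! Phase 1 policy. Pre-shared authentication because the clients have no certificates.
! (3DES/SHA shown; the DES/MD5 defaults of that era are weaker and best avoided.)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
!
! Wildcard key: the 0.0.0.0 address/mask matches any peer, which is what a dial-up
! ISDN client with a changing address needs. Every client shares this one secret,
! so treat it as a group credential and rotate it when a laptop is lost.
crypto isakmp key REPLACE-WITH-REAL-KEY address 0.0.0.0 0.0.0.0
!
! Addresses that mode configuration pushes to the clients (range from the thread).
! Each client that connects is given a distinct address from this pool.
ip local pool POOL_MOBILE 10.1.1.1 10.1.1.25
crypto isakmp client configuration address-pool local POOL_MOBILE
!
crypto ipsec transform-set TS_MOBILE esp-3des esp-sha-hmac
!
! One dynamic map entry is enough for all mobile users; the peer address is
! learned from whoever negotiates, so per-user entries are not needed.
crypto dynamic-map DYN_MOBILE 10
 set transform-set TS_MOBILE
!
! "respond" hands out a pool address when the client asks for one during IKE.
crypto map MAP_OUTSIDE client configuration address respond
crypto map MAP_OUTSIDE 10 ipsec-isakmp dynamic DYN_MOBILE
!
! Apply the map on the interface the clients dial in to (assumed interface name).
interface Serial0
 crypto map MAP_OUTSIDE
```

With this in place, a second client does not need its own dynamic map; it simply draws the next address from the pool. What this configuration cannot solve is the situation Chad describes: if several clients sit behind one device doing PAT, the gateway sees the same source address, UDP port 500 and ESP (protocol 50) from all of them and treats a new negotiation as a rekey of the existing peer, so only one of them stays up at a time. Checking the peer address shown for each active SA on the gateway is the quickest way to tell the two situations apart.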



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:23:29 GMT-3