Howto Cisco Pix

From Shrew Soft Inc
Jump to: navigation, search


This guide provides information that can be used to configure a Cisco PIX device running firmware version 6.x to support IPsec VPN client connectivity. If you have a PIX device running firmware version 7.x, please consult the HowtoCiscoAsa. The Shrew Soft VPN Client has been tested with Cisco products to ensure interoperability.


The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway.

  • IP Address
  • IP Netmask
  • DNS Servers
  • DNS Default Domain Suffix
  • DNS Split Network Domain List
  • Remote Network Topology

Gateway Configuration

This example assumes you have knowledge of the Cisco PIX gateway command line configuration interface. For more information, please consult your Cisco product documentation.


Two network interfaces are configured. The outside interface has a static public IP address of which faces the internet. The inside interface has a static private IP address that faces the internal private network. The default gateway is configured as via the outside interface.

nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside
ip address inside
route outside 1

Access List

An access lists must be configured to define the IPSec policies. This is expressed with the source matching the local private network(s) and the destination matching the remote client network address pool. A single single local network of and an address pool of is defined.

access-list in2out permit ip

Address Pool

The IP address pool must be configured. Clients will be assigned private network addresses from a class C pool of

ip local pool clientpool mask

User Authentication

User authentication must be configured to support IKE extended authentication ( XAuth ). In this example, we use define user accounts locally on the PIX. It is possible to pass this authentication to a radius or an LDAP account server using the Cisco AAA authentication mechanism. For more information, please consult your cisco product documentation.

aaa-server LOCAL protocol local
username bill password XXX encrypted privilege 2
username bob password XXX encrypted privilege 2

ISAKMP Parameters

The ISAKMP protocol must be enabled on the outside ( public ) interface and an ISAKMP policy must be configured. NAT Traversal is also enabled to allow clients to communicate effectively when their peer address is being translated. The keep alive packet rate is set to 20 seconds.

isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp log 25
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

IPsec Parameters

A transform set and dynamic IPsec crypto map must be configured to support client VPN connections. The dynamic crypto map is then assigned to a standard crypto map and bound to the outside ( public ) interface. Local user authentication is also enabled.

crypto ipsec transform-set trset2 esp-aes-256 esp-md5-hmac
crypto dynamic-map ipsec_map 1 set transform-set trset2
crypto map outside_map 65535 ipsec-isakmp dynamic ipsec_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside

VPN Group

A VPN group must be defined to provide the client with dynamic configuration information. The client uses the VPN group name as its FQDN identity value and the VPN group password as its pre-shared key value.

vpngroup remoteClient address-pool clientpool
vpngroup remoteClient dns-server
vpngroup remoteClient default-domain
vpngroup remoteClient split-tunnel in2out
vpngroup remoteClient split-dns
vpngroup remoteClient idle-time 1800
vpngroup remoteClient password mypresharedkey

Client Configuration

The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.

General Tab

The Remote Host section must be configured. This Host Name or IP Address is defined as to match the PIX outside ( public ) interface address. The Auto Configuration mode should be set to ike config pull.

Phase 1 Tab

The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the PIX ISAKMP policy definition.

Authentication Tab

The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.

Local Identity Tab

The Local Identity parameters are defined as Key Identifier with a Key ID String of "remoteClient" to match the PIX VPN group name.

Remote Identity Tab

The Remote Identity parameters are set to IP Address with the Use a discovered remote host address option checked to match the PIX ISAKMP identity parameter.

Credentials Tab

The Credentials Pre Shared Key is defined as "mypresharedkey" to match the PIX VPN group password.

Known Issues

Cisco gateways support a proprietary form of hybrid authentication which does not conform to RFC draft standards. At this time the Shrew Soft VPN Client does not support this authentication mode. We hope to add support for this in the future.




Most of the information in this guide was submitted by Marc Goldburg.