! TheGreenBow support sample for Cisco PIX 501
! TheGreenBow VPN client does not support Authentication mode with vpngroup and
! password. We provide this configuration in order to avoid use of this mode.
! This configuration is given as an example. You will need to tune it to your configuration.
! history changes
! - 2006-03-21 document creation
! - 2006-06-31 update
!
! Local user database is used for XAuth and group authorization
aaa authentication login TGB-USERS local
aaa authentication login TGB-GROUP local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name xxxxxxxx
ip host xxxxxxx xxx.xxx.xxx.xxx
!
! IKE phase 1 policy (3DES / MD5 / pre-shared key / DH group 2)
crypto isakmp policy 19
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key 6 thegreenbow address xxx.xxx.xxx.xxx
crypto isakmp identity hostname
crypto isakmp keepalive 60 30
crypto isakmp nat keepalive 60
crypto isakmp client configuration address-pool local TGB-VIRTUAL-POOL
!
! Client group: virtual IP, DNS and WINS pushed to the VPN client (mode-config)
crypto isakmp client configuration group TGB-GROUP
 key 0 thegreenbow
 dns xxx.xxx.xxx.xxx
 wins xxx.xxx.xxx.xxx
 pool TGB-VIRTUAL-POOL
!
! IKE phase 2 (IPsec) proposal
crypto ipsec transform-set TGB-IPSEC-TRANSFORM esp-3des esp-sha-hmac
!
! Dynamic crypto map for road-warrior clients with unknown source address
crypto dynamic-map TGB-CRYPTO-ROADWARRIOR 1
 set security-association lifetime seconds 1200
 set transform-set TGB-IPSEC-TRANSFORM
 set pfs group2
 match address xxx.xxx.xxx.xxx
 reverse-route
!
crypto map TGB-VPN-SERVER client authentication list TGB-USERS
crypto map TGB-VPN-SERVER isakmp authorization list TGB-USERS
crypto map TGB-VPN-SERVER client configuration address initiate
crypto map TGB-VPN-SERVER client configuration address respond
crypto map TGB-VPN-SERVER 1 ipsec-isakmp dynamic TGB-CRYPTO-ROADWARRIOR
!
! Outside (Internet) interface: inbound filter, NAT and the crypto map are applied here
interface Dialer1
 ip address negotiated
 ip access-group CONFIG_DATA_FROM_INTERNET in
 ip mtu 1492
 ip nat outside
 ip inspect RULES_FW in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname XXXXXX
 ppp chap password XXXXXXXX
 ppp pap sent-username XXXXXXXXX
 crypto map TGB-VPN-SERVER
!
! Virtual address handed out to the VPN client
ip local pool TGB-VIRTUAL-POOL 192.168.1.1
ip nat inside source list 128 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Inbound filter: allow the VPN client's virtual IP to the LAN, plus ESP, IKE (UDP/500) and NAT-T (UDP/4500)
ip access-list extended CONFIG_DATA_FROM_INTERNET
 permit ip host 192.168.1.1 192.168.3.0 0.0.0.255
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
!
end