Hello Everybody,
As I'm not so skilled in adding VPN tunnels, could anybody give me some help
understanding my configuration?
I already have an IPsec tunnel working with a site (let's name it SITEA).
In my config I have:
...
access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_adress
access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_adress
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_adress
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_adress
...
nat (inside) 0 access-list acl-nonat
...
crypto ipsec transform-set t_sitea esp-3des esp-md5-hmac
...
crypto map vpn-all 3 match address acl-sitea
crypto map vpn-all 3 set peer sitea_public_adress
crypto map vpn-all 3 set transform-set t_sitea
crypto map vpn-all interface outside
...
crypto isakmp enable outside
...
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 600
...
crypto isakmp nat-traversal 20
...
tunnel-group sitea_public_adress type ipsec-l2l
tunnel-group sitea_public_adress ipsec-attributes
 pre-shared-key *
...
This config works fine at this moment.
Now I have to add a second tunnel to another site, say SITEB.
I'll have to add the access-lists:
access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress
and then the transform set of this site, in this case:
crypto ipsec transform-set t_siteb esp-3des esp-sha-hmac
and now I have trouble with the crypto map...
Do I enter:
crypto map vpn-all 4 ...
or
crypto map vpn_b 3
I do not really know if I have to take the same name and change the number,
or if I have to change the name for a second tunnel. Can somebody tell me?
Also, about the policy, is there a link between the policy 3 in my example
and number 3 in my crypto map config?
If not, how is the link done between the SITEA config and the policy used at
this moment?
If SITEB gives me another policy, how can I do the link between the policy (say
4) and the crypto map config?
Thanks a lot for your advice.
Best regards,
Johan