Velocity Reviews - Computer Hardware Reviews

How to add a second IPSEC tunnel to my PIX515

Johan Beghein
 
      10-01-2007
Hello Everybody,

As I'm not so skilled in adding VPN tunnels, could anybody give me some help
understanding my configuration?

I already have an IPsec tunnel working with a site (let's name it SITEA).

In my config I have:

...
access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_address
access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_address
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_address
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_address
...
nat (inside) 0 access-list acl-nonat
...
crypto ipsec transform-set t_sitea esp-3des esp-md5-hmac
...
crypto map vpn-all 3 match address acl-sitea
crypto map vpn-all 3 set peer sitea_public_address
crypto map vpn-all 3 set transform-set t_sitea
crypto map vpn-all interface outside
...
crypto isakmp enable outside
...
crypto isakmp policy 3
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 600
...
crypto isakmp nat-traversal 20
...
tunnel-group sitea_public_address type ipsec-l2l
tunnel-group sitea_public_address ipsec-attributes
pre-shared-key *
...

This config works fine at this moment.

Now I have to add a second tunnel to another site, say SITEB.

I'll have to add the access-lists:

access-list acl-siteb extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_address
access-list acl-siteb extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_address
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_address
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_address

and then the transform set of this site, in this case:

crypto ipsec transform-set t_siteb esp-3des esp-sha-hmac

and now I have trouble with the crypto map...
Do I enter:

crypto map vpn-all 4 ...
or
crypto map vpn_b 3

I do not really know if I have to keep the same name and change the number,
or if I have to change the name for a second tunnel? Can somebody tell me?

Also, about the policy, is there a link between policy 3 in my example
and number 3 in my crypto map config?
If not, how is the link made between the SITEA config and the policy used at
this moment?

If SITEB gives me another policy, how can I make the link between the policy (say
4) and the crypto map config?

Thanks a lot for your advice.

Best regards,

Johan

perfik
      10-03-2007
Hi,

I can tell you for sure that most of it is right, but that you have to use:
crypto map vpn-all 4 ...
or once you try to bind to the outside interface, your first tunnel will go down.
This happened to us recently and we figured out you have to keep the crypto map the same for the command:
crypto map vpn-all interface outside

If anyone knows a way around this, or can verify that this is the correct functioning of the router, I would appreciate it. But that is what I have observed to be correct.
I am working towards a similar solution as you and will post my progress.

S
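Putting both posts together, here is a complete two-peer configuration for a PIX running the 7.x syntax shown above (tunnel-group, extended ACLs). This is an added example, not the original poster's config or a vendor reference: the sitea_*/siteb_* names are the same placeholders used in the thread, SITEB gets its own crypto ACL (acl-siteb) so that its traffic is not selected by the SITEA map entry, and the SITEB ISAKMP policy parameters (SHA-1, default 86400 s lifetime) are an assumption standing in for whatever SITEB actually dictates. The `!` lines are explanatory comments.

```text
! --- Crypto ACLs: one per peer. The "match address" ACL of a crypto map
! --- entry decides which flows are sent to that entry's peer, so SITEB
! --- needs its own ACL; appending it to acl-sitea would send SITEB
! --- traffic to the SITEA peer (entries are evaluated by sequence number,
! --- lowest first, and the first matching ACL wins).
access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_address
access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_address
access-list acl-siteb extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_address
access-list acl-siteb extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_address

! --- NAT exemption is one shared ACL; adding SITEB's lines to it is correct.
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_address
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_address
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_address
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_address
nat (inside) 0 access-list acl-nonat

! --- Phase 2 (IPsec) proposals, one per peer, as each site dictates.
crypto ipsec transform-set t_sitea esp-3des esp-md5-hmac
crypto ipsec transform-set t_siteb esp-3des esp-sha-hmac

! --- One crypto map per interface. Each peer is a new sequence number in
! --- the SAME map (vpn-all 3, vpn-all 4, ...). A second map name (vpn_b)
! --- cannot also be applied to "outside"; applying it replaces vpn-all,
! --- which is why the first tunnel drops in that case.
crypto map vpn-all 3 match address acl-sitea
crypto map vpn-all 3 set peer sitea_public_address
crypto map vpn-all 3 set transform-set t_sitea
crypto map vpn-all 4 match address acl-siteb
crypto map vpn-all 4 set peer siteb_public_address
crypto map vpn-all 4 set transform-set t_siteb
crypto map vpn-all interface outside

crypto isakmp enable outside
crypto isakmp nat-traversal 20

! --- Phase 1 (ISAKMP) policies. The policy number is only a priority for
! --- proposal ordering; it has NO link to the crypto map sequence number.
! --- Every policy is offered to every peer, and the first policy (lowest
! --- number) that exactly matches what the peer proposes is used. So SITEB
! --- "giving you policy 4" just means adding a policy whose parameters match
! --- theirs; the number itself can be anything not already in use.
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 600
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! --- Per-peer identity and pre-shared key, keyed on the peer's public
! --- address. This is what ties a peer to its key, not the policy number.
tunnel-group sitea_public_address type ipsec-l2l
tunnel-group sitea_public_address ipsec-attributes
 pre-shared-key *
tunnel-group siteb_public_address type ipsec-l2l
tunnel-group siteb_public_address ipsec-attributes
 pre-shared-key *
```

After adding the SITEB lines, `show crypto map` should list both sequence numbers under vpn-all, and once traffic matching acl-siteb is sent, `show crypto isakmp sa` and `show crypto ipsec sa` should show a second SA pair for siteb_public_address while the SITEA SAs stay up. Two things to keep an eye on: if acl-sitea and acl-siteb ever overlap, the lower sequence number silently wins for that flow, so keep the crypto ACLs disjoint; and the 3DES/MD5 combination carried over from the thread is kept only because that is what the peers in the post dictate, a new tunnel should be negotiated with AES and SHA-2 where the far end supports them.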