General Help Related Topics - Cisco 2811 Cryptomap multiple policy

#1
Hi there,

I need 2 VPN tunnels on the same interface. I've read that I can use multiple policies for the same crypto map; I've tried it but it is not working. The first VPN is using the crypto map CMAPPartner. The second VPN is RAS; I must configure it on the same interface FastEthernet 0/0. Here is my config.

aaa authentication login RAS local      ====> for the second VPN
aaa authorization network RAS local
crypto pki trustpoint TPcsipike
 enrollment terminal
 subject-name CN=hostname.VICT.company.co,OU=OSD,O=company,C=RO,ST=Bolgravia,L=city
 revocation-check none
 rsakeypair KPcsipike
crypto pki certificate map csipike 10
 subject-name co cn = vpn.partner.bu
!
crypto pki certificate chain TPcsipike
 certificate 07
  3082033F 30820227 A0030201 02020107 300D0609 2A864886 F70D0101 05050030
  8193310B 30090603 55040613 02485531 10300E06 03550408 13074875 6E676172
  79310D30 0B060 blabla
 certificate ca 00EB1C667F096622A9
  308204A7 3082038F A0030201 020 ...blabla
crypto isakmp policy 1      ==== for the first VPN
 encr 3des
 group 2
!
crypto isakmp policy 2      === for the second VPN
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity dn
!
crypto isakmp client configuration group My Company NEW      --- the second VPN I need!
 key gigel99
 dns 10.250.0.1
 wins 10.250.0.30
 pool vpn
 acl 108
crypto isakmp profile ProfilePartner
 ca trust-point TPosd
 match certificate GroupPartner
crypto ipsec optional retry 86400
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAPPartner 1 ipsec-isakmp
 description Tunnel to Partner
 set peer 12.212.21.21
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfilePartner
 match address 100
interface FastEthernet0/0
 ip address blabla
 ip nat outside
 no ip virtual-reassembly
 duplex full
 speed 10
 crypto map CMAPPartner

hamilka
#2
Junior Member
Join Date: Oct 2007
Posts: 2
These are the policies.
The first VPN tunnel is working fine; the problem is the second one. I know I messed it up somewhere, but I do not know where...

#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 2
        encryption algorithm:   Three key triple DES
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

These users have to log in over RAS to this router (the second VPN):

username user,user password 7 0433455154C0E273C05
username darts.55ti password 7 0253453456B511A57
username Ke534t.ertyltan password 7 003492621340852

hamilka
#3
Member
Join Date: Dec 2007
Posts: 67
The VPN's ISAKMP policy and the IPsec settings need to be IDENTICAL. You are missing an ACL that defines what the interesting traffic is for when one side of the network tries to contact the other side. Start by making sure everything is identical: if the peer on one side is set to DES encryption and the other side of the matching peer is 3DES encryption, the tunnel will not form.
--G Greeley
#4
Junior Member
Join Date: Dec 2007
Posts: 4
I would like to ask you this:
I have an E1 which includes management data of my radio network (each time slot has one network's information), and I would like to send this data, which belongs to separate timeslots, to a network management server. Each timeslot has IP management data of separate networks, but no timeslot has any IP. I can explain like below:
1- We inserted LAN data into a timeslot but our converter had no IP, so we couldn't assign any IP to this timeslot. But this timeslot's data is IP data!!! So, for this condition:
1 - Can I send my E1 (31 TS) from one router to another router (each router is in a different city)?
2- If I can send this E1 from one router to another router, then can I send each of these timeslots to my network management server?
If you help me, I would be so, so, so happy. Thank you in advance.
themanwstw
#5
Junior Member
Join Date: May 2009
Posts: 1
Hello
I am facing a similar problem on my box and what I have discovered until now is this... When you have VPN tunnels with mixed authentication for ISAKMP (pre-shared secret and RSA signature) like you have here, the problem is this line:

crypto isakmp identity dn

You will find that with that command the VPN tunnel with RSA-signature authentication will work (and the other one not), and without it the shared-secret authentication tunnel will work (and, again, the other one not). This is the case between Cisco and Openswan (between Cisco boxes there are no problems). I don't know about other problems in your config, but this one I am also facing and this is what I have found.
Best regards
phoenix123
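An added example configuration, written by the editor and not taken from any post in this thread, that pulls the points above together: the RSA-signature partner tunnel and the pre-shared-key remote-access clients share the one crypto map CMAPPartner, each peer type gets its own ISAKMP profile, and each profile carries its own self-identity so the global crypto isakmp identity dn that phoenix123 identifies as the conflict is not needed at all. The remote-access clients are caught by a dynamic crypto map entry appended to CMAPPartner, and the interesting-traffic ACL 100 that Greeley points out is missing is defined. The profile name ProfileRAS, the dynamic map name DYNRAS, the group name RAS-GROUP, the sequence number 10, the address pool range and the networks in ACL 100 are assumed placeholders; the profile references the trustpoint and certificate map that hamilka's config actually defines (TPcsipike and csipike), because the names TPosd and GroupPartner used in the posted profile do not appear anywhere else in that config. Peer address, transform set, DNS, WINS, pool name and ACL 108 are taken from hamilka's post.

```cisco
! Added example, not hamilka's running config. Values marked ASSUMED are
! placeholders to be replaced with your own.
!
! Site-to-site partner: RSA-signature authentication, peer identified by
! certificate DN. The DN identity is set inside this profile, so the
! global "crypto isakmp identity dn" command is removed.
no crypto isakmp identity dn
!
crypto isakmp profile ProfilePartner
 ca trust-point TPcsipike
 match certificate csipike
 self-identity dn
!
! Remote-access clients: pre-shared key, matched by their group name.
! Group name and pool range are ASSUMED.
crypto isakmp client configuration group RAS-GROUP
 key <pre-shared-key>
 dns 10.250.0.1
 wins 10.250.0.30
 pool vpn
 acl 108
!
ip local pool vpn 10.250.100.1 10.250.100.50
!
crypto isakmp profile ProfileRAS
 match identity group RAS-GROUP
 client authentication list RAS
 isakmp authorization list RAS
 client configuration address respond
 self-identity address
!
! Dynamic entry for the clients; it is bound to CMAPPartner with a
! sequence number (10, ASSUMED) higher than the static partner entry (1),
! so the static match is tried first.
crypto dynamic-map DYNRAS 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfileRAS
 reverse-route
!
crypto map CMAPPartner 1 ipsec-isakmp
 description Tunnel to Partner
 set peer 12.212.21.21
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfilePartner
 match address 100
!
crypto map CMAPPartner 10 ipsec-isakmp dynamic DYNRAS
!
! Interesting traffic for the static tunnel; both networks are ASSUMED.
access-list 100 permit ip 10.250.0.0 0.0.255.255 192.0.2.0 0.0.0.255
!
interface FastEthernet0/0
 crypto map CMAPPartner
```

After applying it, "show crypto isakmp sa" should list one SA per partner peer and one per connected client, and "show crypto isakmp policy" still shows the two suites hamilka posted (priority 1 RSA-signature, priority 2 pre-shared key), since the policies themselves were never the problem; the ISAKMP profiles only decide which identity and authentication apply to which peer.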