Multiple Site-to-site VPNs

 
 
CeykoVer
      11-16-2007
Greetings,
I recently tried to get multiple site to site off one PIX ver 6.3 working.
(Other sites are pix 6.3 as well) It LOOKED like ISAKMP was trying, but
never actually worked. I want to be sure I'm configuring everything
properly. Basically site A needs a connection to site B and C - each have
different networks that need to be tunneled.

I verified isakmp keys were identical, proper peer addresses, nat0,
connectivity. I just can't figure out why only Site A to B would come up
and site A to C would not. I have another post about what I tried after
this that failed as well. I'm perplexed, even though I know there has to be
something small/minor wrong. Any ideas will be greatly appreciated.

Assume...
Site A is 172.20.8.0 /24
Site B is 172.20.0.0 /24
Site C is 172.20.16.0 /24
(In RL it is completely jacked up)

Below are the basic configs that I tried...

Site A
access-list outside_crypto_map_13 permit ip 172.20.8.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_crypto_map_14 permit ip 172.20.8.0 255.255.255.0 172.20.16.0 255.255.255.0
!Is this sort of thing valid? Just want it to not translate from that source to anything
access-list nonat permit ip 172.20.8.0 255.255.255.0 172.16.0.0 255.255.240.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 13 ipsec-isakmp
crypto map outside_map 13 match address outside_crypto_map_13
crypto map outside_map 13 set pfs group2
crypto map outside_map 13 set peer 1.1.1.1
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map 14 ipsec-isakmp
crypto map outside_map 14 match address outside_crypto_map_14
crypto map outside_map 14 set pfs group2
crypto map outside_map 14 set peer 2.2.2.2
crypto map outside_map 14 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Site B
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address outside_crypto_map_11
crypto map outside_map 11 set pfs group2
crypto map outside_map 11 set peer 3.3.3.3
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Site C
access-list outside_crypto_map_13 permit ip 172.20.16.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list nonat permit ip 172.20.16.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 13 ipsec-isakmp
crypto map outside_map 13 match address outside_crypto_map_13
crypto map outside_map 13 set pfs group2
crypto map outside_map 13 set peer 3.3.3.3
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


 
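Added example, not part of the original posts and not Cisco tooling: a small Python audit for configs shaped like the ones in the first post. It checks that each crypto map entry's peer has an isakmp key, that the traffic in its match ACL is covered by the `nonat` ACL, and that two sites' crypto ACLs are mirror images. The sample strings are constructed from the posted lines with wrapped lines rejoined; the function names are illustrative, and treating `nonat` as the NAT-exemption ACL is an assumption taken from its name, since the `nat 0` line is not shown in the post.

```python
import ipaddress
import re

# Constructed samples: lines from the first post, wrapped lines rejoined.
SITE_A = """\
access-list outside_crypto_map_13 permit ip 172.20.8.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_crypto_map_14 permit ip 172.20.8.0 255.255.255.0 172.20.16.0 255.255.255.0
access-list nonat permit ip 172.20.8.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto map outside_map 13 match address outside_crypto_map_13
crypto map outside_map 13 set peer 1.1.1.1
crypto map outside_map 14 match address outside_crypto_map_14
crypto map outside_map 14 set peer 2.2.2.2
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
"""
SITE_C = "access-list outside_crypto_map_13 permit ip 172.20.16.0 255.255.255.0 172.20.8.0 255.255.255.0\n"

ACL = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
MATCH = re.compile(r"^crypto map \S+ (\d+) match address (\S+)$", re.M)
PEER = re.compile(r"^crypto map \S+ (\d+) set peer (\S+)$", re.M)
KEY = re.compile(r"^isakmp key \S+ address (\S+)", re.M)

def parse(cfg):
    """Collect ACL entries as (src_net, dst_net) plus crypto map and key data."""
    acls = {}
    for name, s, sm, d, dm in ACL.findall(cfg):
        pair = (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
        acls.setdefault(name, []).append(pair)
    return {"acls": acls, "match": dict(MATCH.findall(cfg)),
            "peer": dict(PEER.findall(cfg)), "keys": set(KEY.findall(cfg))}

def audit(cfg, nat0="nonat"):
    """Flag crypto map entries lacking a peer key or NAT exemption."""
    c, findings = parse(cfg), []
    for seq, acl in sorted(c["match"].items()):
        peer = c["peer"].get(seq)
        if peer not in c["keys"]:
            findings.append(f"map {seq}: no isakmp key for peer {peer}")
        for src, dst in c["acls"].get(acl, []):
            # Tunnel traffic must fall inside some nat0 entry to avoid translation.
            if not any(src.subnet_of(ns) and dst.subnet_of(nd)
                       for ns, nd in c["acls"].get(nat0, [])):
                findings.append(f"map {seq}: {src} -> {dst} not exempted by {nat0}")
    return findings

def mirrored(local, remote, local_acl, remote_acl):
    """True when the remote crypto ACL is the exact mirror of the local one."""
    a, b = parse(local)["acls"], parse(remote)["acls"]
    return sorted(a.get(local_acl, [])) == sorted((d, s) for s, d in b.get(remote_acl, []))
```

On the posted Site A lines, `audit(SITE_A)` reports both tunnels as not exempted, because 172.16.0.0 255.255.240.0 contains neither 172.20.x destination. The poster says the real addresses differ, so this only shows what the check catches.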
 
 
 
 
Chino
      11-16-2007
You better post a complete debug session, using "debug crypto isakmp" then
trying to bring the VPN up.


"CeykoVer" <(E-Mail Removed)> wrote in message
news:VN8%i.17320$Vp3.14397@trnddc05...
> Greetings,



 
 
 
 
 
CeykoVer
      11-16-2007

"Chino" <(E-Mail Removed)> wrote in message
news:vem%i.593$(E-Mail Removed)...
> You better post a complete debug session, using "debug crypto isakmp" then
> trying to bring the VPN up.
>
>
> "CeykoVer" <(E-Mail Removed)> wrote in message
> news:VN8%i.17320$Vp3.14397@trnddc05...
>> Greetings,

>
>

When I did that during implementation I was not able to find anything in
the logs with the peer address. I'll try again next time we give this a
shot. Thank you for the posting up.

Take care


 