Cisco 2811 Cryptomap multiple policy

Discussion in 'General Computer Support' started by hamilka, Oct 9, 2007.

  1. hamilka
    Hi there,
    I need 2 VPN tunnels on the same interface.
    I've read that I can use multiple policies for the same crypto map; I've tried it, but it is not working.

    The first VPN is using the crypto map CMAPPartner.
    The second VPN is RAS; I must configure it on the same interface, FastEthernet 0/0.

    Here is my config.

    aaa authentication login RAS local    ! for the second VPN
    aaa authorization network RAS local

    crypto pki trustpoint TPcsipike
    enrollment terminal
    subject-name CN=hostname .VICT.company.co,OU=OSD,O=company,C=RO,ST=Bolgravia,L=city
    revocation-check none
    rsakeypair KPcsipike

    crypto pki certificate map csipike 10
    subject-name co cn = vpn.partner.bu
    !
    crypto pki certificate chain TPcsipike
    certificate 07
    3082033F 30820227 A0030201 02020107 300D0609 2A864886 F70D0101 05050030
    8193310B 30090603 55040613 02485531 10300E06 03550408 13074875 6E676172
    79310D30 0B060 blabla

    certificate ca 00EB1C667F096622A9
    308204A7 3082038F A0030201 020 ...blabla

    crypto isakmp policy 1    ! for the first VPN
    encr 3des
    group 2
    !
    crypto isakmp policy 2    ! for the second VPN
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp identity dn
    !
    crypto isakmp client configuration group My Company NEW    ! the second VPN I need!
    key gigel99
    dns 10.250.0.1
    wins 10.250.0.30
    pool vpn
    acl 108

    crypto isakmp profile ProfilePartner
    ca trust-point TPosd
    match certificate GroupPartner

    crypto ipsec optional retry 86400
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map CMAPPartner 1 ipsec-isakmp
    description Tunnel to Partner
    set peer 12.212.21.21
    set transform-set ESP-3DES-SHA
    set isakmp-profile ProfilePartner
    match address 100

    interface FastEthernet0/0
    ip address blabla
    ip nat outside
    no ip virtual-reassembly
    duplex full
    speed 10
    crypto map CMAPPartner

    hamilka, Oct 9, 2007
    #1

  2. hamilka
    More details.

    These are the policies.
    The first VPN tunnel is working fine;
    the problem is the second one.
    I know I messed it up somewhere, but I do not know where...
    #show crypto isakmp policy

    Global IKE policy
    Protection suite of priority 1
    encryption algorithm: Three key triple DES
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #2 (1024 bit)
    lifetime: 86400 seconds, no volume limit
    Protection suite of priority 2
    encryption algorithm: Three key triple DES
    hash algorithm: Message Digest 5
    authentication method: Pre-Shared Key
    Diffie-Hellman group: #2 (1024 bit)
    lifetime: 86400 seconds, no volume limit
    Default protection suite
    encryption algorithm: DES - Data Encryption Standard (56 bit keys).
    hash algorithm: Secure Hash Standard
    authentication method: Rivest-Shamir-Adleman Signature
    Diffie-Hellman group: #1 (768 bit)
    lifetime: 86400 seconds, no volume limit

    These users have to log in over RAS to this router (the second VPN):

    username user,user password 7 0433455154C0E273C05
    username darts.55ti password 7 0253453456B511A57
    username Ke534t.ertyltan password 7 003492621340852

    hamilka, Oct 9, 2007
    #2

  3. Greeley
    The VPN's ISAKMP policy and the IPsec settings need to be IDENTICAL. You are missing an ACL that defines what the interesting traffic is for when one side of the network tries to contact the other side. Start by making sure everything is identical: if the peer on one side is set to DES encryption and the other side of the matching peer is 3DES encryption, the tunnel will not form.

    --G
     
    Greeley, Dec 16, 2007
    #3
  4. themanwstw
    I would like to ask you this:

    I have an E1 which includes management data of my radio network (each time slot has one network's information), and I would like to send this data, which belongs to separate timeslots, to a network management server.

    Each timeslot has IP management data of separate networks, but no timeslot has any IP.

    I can explain like below:

    1 - We inserted LAN data into a timeslot, but our converter had no IP, so we couldn't assign any IP to this timeslot. But this timeslot's data is IP data!!!

    So, for this condition:

    1 - Can I send my E1 (31 TS) from one router to another router (each router is in a different city)?
    2 - If I can send this E1 from one router to another router, then can I send each of these timeslots to my network management server?
    If you help me, I would be so, so, so happy.

    Thank you in advance.
     
    themanwstw, Dec 19, 2007
    #4
  5. phoenix123
    Hello,
    I am facing a similar problem on my box, and what I have discovered until now is this: when you have VPN tunnels with mixed authentication for ISAKMP (pre-shared secret and RSA signature) like you have here, the problem is this line:

    crypto isakmp identity dn

    You will find that with that command the VPN tunnel with RSA-signature authentication will work (and the other one not), and without it the shared-secret authentication tunnel will work (and, again, the other one not). This is the case between Cisco and Openswan (between Cisco boxes there are no problems).
    I don't know about other problems in your config, but this one I am also facing, and this is what I have found :)
    Best regards
     
    phoenix123, May 15, 2009
    #5
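As an added example (not the poster's config and not taken from Cisco documentation), one way to carry both tunnels from the first post on the same interface while sidestepping the global `crypto isakmp identity dn` problem phoenix123 describes: a single crypto map with a static entry for the partner tunnel and a dynamic entry for the remote-access clients, with each ISAKMP profile pinning its own identity type and authentication method. The names ProfileRAS, RASGROUP, DYNRAS and the placeholder group key are assumptions; TPcsipike and csipike are the trustpoint and certificate map shown in the first post, and ACLs 100 and 108, pool vpn and the AAA list RAS are reused from it.

```cisco
! Phase 1 policies: one for certificate peers, one for pre-shared-key clients
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication rsa-sig
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Remote-access group (assumed name): its pre-shared key is matched by group name, not by peer address
crypto isakmp client configuration group RASGROUP
 key PLACEHOLDER-GROUP-KEY
 pool vpn
 acl 108
!
! Site-to-site profile: certificate auth, DN identity pinned here instead of globally
crypto isakmp profile ProfilePartner
 ca trust-point TPcsipike
 match certificate csipike
 self-identity dn
!
! Remote-access profile (assumed name): group pre-shared key, address identity, AAA lists from the thread
crypto isakmp profile ProfileRAS
 match identity group RASGROUP
 self-identity address
 client authentication list RAS
 isakmp authorization list RAS
 client configuration address respond
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map (assumed name) for clients whose address is not known in advance
crypto dynamic-map DYNRAS 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfileRAS
 reverse-route
!
! One crypto map, two entries: the static site-to-site entry first, the dynamic entry last
crypto map CMAPPartner 1 ipsec-isakmp
 description Tunnel to Partner
 set peer 12.212.21.21
 set transform-set ESP-3DES-SHA
 set isakmp-profile ProfilePartner
 match address 100
crypto map CMAPPartner 65535 ipsec-isakmp dynamic DYNRAS
interface FastEthernet0/0
 crypto map CMAPPartner
```

Because `self-identity` in an ISAKMP profile overrides the global `crypto isakmp identity` setting for peers that match that profile, the partner tunnel keeps its DN identity while the remote-access clients negotiate with an address identity, and `show crypto isakmp sa` plus `debug crypto isakmp` will show which profile each peer landed in.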