How to add a second IPSEC tunnel to my PIX515

Discussion in 'Cisco' started by Johan Beghein, Oct 1, 2007.

  1. Hello Everybody,

    As I'm not so skilled in adding VPN tunnels, could anybody give me some help
    understanding my configuration?

    I already have an IPsec tunnel working with a site (let's call it SITEA).

    In my config I have:

    ...
    access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_adress
    access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_adress
    access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_adress
    access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_adress
    ...
    nat (inside) 0 access-list acl-nonat
    ...
    crypto ipsec transform-set t_sitea esp-3des esp-md5-hmac
    ...
    crypto map vpn-all 3 match address acl-sitea
    crypto map vpn-all 3 set peer sitea_public_adress
    crypto map vpn-all 3 set transform-set t_sitea
    crypto map vpn-all interface outside
    ...
    crypto isakmp enable outside
    ...
    crypto isakmp policy 3
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 600
    ...
    crypto isakmp nat-traversal 20
    ...
    tunnel-group sitea_public_adress type ipsec-l2l
    tunnel-group sitea_public_adress ipsec-attributes
     pre-shared-key *
    ...

    This config works fine at this moment.

    Now I have to add a second tunnel to another site, say SITEB.

    I'll have to add the access-lists:

    access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
    access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress
    access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
    access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress

    and then the transform set of this site, in this case:

    crypto ipsec transform-set t_siteb esp-3des esp-sha-hmac

    and now I have trouble with the crypto map...
    Do I enter:

    crypto map vpn-all 4 ...
    or
    crypto map vpn_b 3

    I do not really know if I have to keep the same name and change the number,
    or if I have to change the name for a second tunnel. Can somebody tell me?

    Also, about the policy: is there a link between policy 3 in my example
    and the number 3 in my crypto map config?
    If not, how is the link made between the SITEA config and the policy used at
    this moment?

    If SITEB gives me another policy, how do I make the link between that policy (say
    4) and the crypto map config?

    Thanks a lot for your advice.

    Best regards,

    Johan
    Johan Beghein, Oct 1, 2007
    #1

  2. perfik

    Hi,

    I can tell you for sure that most of it is right, but that you have to use:
    crypto map vpn-all 4 ...
    or, once you try to bind it to the outside interface, your first tunnel will go down.
    This happened to us recently and we figured out you have to keep the crypto map the same for the command:
    crypto map vpn-all interface outside

    If anyone knows a way around this, or can verify that this is the correct functioning of the router, I would appreciate it. But that is what I have observed to be correct.
    I am working towards a similar solution as you and will post my progress.

    S
    perfik, Oct 3, 2007
    #2
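The following PIX 7.x configuration fragment is an added worked example, not part of either post, showing the second tunnel added the way the reply above describes: the same crypto map name (vpn-all) with a new sequence number, a separate crypto ACL for SITEB, and a second ISAKMP policy. It keeps the original post's placeholders (siteb_private_adress, siteb_public_adress); the ACL name acl-siteb, the ISAKMP policy number 4, its hash and lifetime values, and the verification commands at the end are assumptions for illustration.

```cisco
! Added example (not the poster's config). siteb_* names are the original
! post's placeholders; acl-siteb and policy 4 are assumed names/numbers.

! 1. Interesting traffic for SITEB gets its OWN crypto ACL. Do not append the
!    SITEB hosts to acl-sitea: sequence 3 (peer SITEA) is evaluated first, so
!    SITEB traffic would match there and be sent to the wrong peer.
access-list acl-siteb extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
access-list acl-siteb extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress

! 2. NAT exemption is one shared ACL for all tunnels; just add the new lines.
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress

! 3. Phase 2 transform set for SITEB (as agreed with the SITEB admin).
crypto ipsec transform-set t_siteb esp-3des esp-sha-hmac

! 4. Same map name, new sequence number. Only one crypto map can be bound to
!    an interface, so "crypto map vpn_b interface outside" would REPLACE
!    vpn-all and tear down the SITEA tunnel. Entries are checked lowest
!    sequence first; the first whose ACL matches the packet selects the peer.
crypto map vpn-all 4 match address acl-siteb
crypto map vpn-all 4 set peer siteb_public_adress
crypto map vpn-all 4 set transform-set t_siteb
! "crypto map vpn-all interface outside" is already in place; leave it alone.

! 5. ISAKMP (phase 1) policies are NOT tied to crypto map sequence numbers.
!    The policy number is only a priority: the PIX compares its policies with
!    the peer's proposal lowest number first and uses the first one that
!    matches. So if SITEB requires SHA instead of MD5, simply add a policy;
!    SITEA keeps matching policy 3, SITEB will match policy 4.
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! 6. The link between a peer and its pre-shared key is the tunnel-group,
!    which is named after the peer's public address.
tunnel-group siteb_public_adress type ipsec-l2l
tunnel-group siteb_public_adress ipsec-attributes
 pre-shared-key *

! 7. Verify after sending traffic toward siteb_private_adress:
!    show running-config crypto map        -> sequence 3 and 4 both under vpn-all
!    show crypto isakmp sa                 -> one entry per peer, state MM_ACTIVE
!    show crypto ipsec sa peer siteb_public_adress   -> encaps/decaps counters rising
```

Two checks worth doing before saving: the crypto ACLs of the two entries must not overlap (the same source/destination pair in both acl-sitea and acl-siteb), and each `set peer` address must have a matching `tunnel-group` with a key, since that name, not the policy or sequence number, is what the PIX uses to look up the pre-shared key.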
