Multiple Site-to-site VPNs

Discussion in 'Cisco' started by CeykoVer, Nov 16, 2007.

  1. CeykoVer

    CeykoVer Guest

    Greetings,
    I recently tried to get multiple site to site off one PIX ver 6.3 working.
    (Other sites are pix 6.3 as well) It LOOKED like ISAKMP was trying, but
    never actually worked. I want to be sure I'm configuring everything
    properly. Basically site A needs a connection to site B and C - each have
    different networks that need to be tunneled.

    I verified isakmp keys were identical, proper peer addresses, nat0,
    connectivity. I just can't figure out why only Site A to B would come up
    and site A to C would not. I have another post about what I tried after
    this that failed as well. I'm perplexed, even though I know there has to be
    something small/minor wrong. Any ideas will be greatly appreciated.

    Assume...
    Site A is 172.20.8.0 /24
    Site B is 172.20.0.0 /24
    Site C is 172.20.16.0 /24
    (In RL it is completely jacked up)

    Below are the basic configs that I tried...

    Site A
    access-list outside_crypto_map_13 permit ip 172.20.8.0 255.255.255.0 172.20.0.0 255.255.255.0
    access-list outside_crypto_map_14 permit ip 172.20.8.0 255.255.255.0 172.20.16.0 255.255.255.0
    !Is this sort of thing valid? Just want it to not translate from that source to anything
    access-list nonat permit ip 172.20.8.0 255.255.255.0 172.16.0.0 255.255.240.0
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 13 ipsec-isakmp
    crypto map outside_map 13 match address outside_crypto_map_13
    crypto map outside_map 13 set pfs group2
    crypto map outside_map 13 set peer 1.1.1.1
    crypto map outside_map 13 set transform-set ESP-3DES-SHA
    crypto map outside_map 14 ipsec-isakmp
    crypto map outside_map 14 match address outside_crypto_map_14
    crypto map outside_map 14 set pfs group2
    crypto map outside_map 14 set peer 2.2.2.2
    crypto map outside_map 14 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
    isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Site B
    access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
    access-list nonat permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 11 ipsec-isakmp
    crypto map outside_map 11 match address outside_crypto_map_11
    crypto map outside_map 11 set pfs group2
    crypto map outside_map 11 set peer 3.3.3.3
    crypto map outside_map 11 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Site C
    access-list outside_crypto_map_13 permit ip 172.20.16.0 255.255.255.0 172.20.8.0 255.255.255.0
    access-list nonat permit ip 172.20.16.0 255.255.255.0 172.16.0.0 255.255.240.0
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map outside_map 13 ipsec-isakmp
    crypto map outside_map 13 match address outside_crypto_map_13
    crypto map outside_map 13 set pfs group2
    crypto map outside_map 13 set peer 3.3.3.3
    crypto map outside_map 13 set transform-set ESP-3DES-SHA
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    CeykoVer, Nov 16, 2007
    #1
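
A static check of the ACLs as posted above, added here as an example and not part of the original thread: it parses each site's `access-list ... permit ip` lines (network/mask form only), reports crypto ACL flows that no `nonat` entry covers, and tests whether two peers' crypto ACLs mirror each other. It assumes `nonat` is bound with `nat (inside) 0 access-list nonat`, which the post does not show; the function names are made up for the example.

```python
import ipaddress
import re

# ACL lines copied from the post above (wrapped lines rejoined). Assumption:
# "nonat" is applied with "nat (inside) 0 access-list nonat" (not shown there).
SITE_A = """
access-list outside_crypto_map_13 permit ip 172.20.8.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_crypto_map_14 permit ip 172.20.8.0 255.255.255.0 172.20.16.0 255.255.255.0
access-list nonat permit ip 172.20.8.0 255.255.255.0 172.16.0.0 255.255.240.0
"""
SITE_B = """
access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
"""
SITE_C = """
access-list outside_crypto_map_13 permit ip 172.20.16.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list nonat permit ip 172.20.16.0 255.255.255.0 172.16.0.0 255.255.240.0
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, src, smask, dst, dmask = m.groups()
            flow = (ipaddress.ip_network(f"{src}/{smask}"),
                    ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(flow)
    return acls


def uncovered_by_nonat(config, nonat="nonat"):
    """Crypto ACL flows that no NAT-exemption entry fully contains."""
    acls = parse_acls(config)
    exempt = acls.get(nonat, [])
    return [(name, src, dst)
            for name, flows in acls.items() if name != nonat
            for src, dst in flows
            if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in exempt)]


def mirrored(local_cfg, local_acl, remote_cfg, remote_acl):
    """True if the remote crypto ACL is the exact reverse of the local one."""
    local = parse_acls(local_cfg)[local_acl]
    remote = parse_acls(remote_cfg)[remote_acl]
    return {(d, s) for s, d in local} == set(remote)
```

On the configs as posted, sites A and C have crypto flows that fall outside the 172.16.0.0 255.255.240.0 exemption, while both pairs of crypto ACLs mirror correctly.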

  2. Chino

    Chino Guest

    You better post a complete debug session, using "debug crypto isakmp" then
    trying to bring the VPN up.


    "CeykoVer" <> wrote in message
    news:VN8%i.17320$Vp3.14397@trnddc05...
    > Greetings,
    Chino, Nov 16, 2007
    #2

  3. CeykoVer

    CeykoVer Guest

    "Chino" <> wrote in message
    news:vem%i.593$...
    > You better post a complete debug session, using "debug crypto isakmp" then
    > trying to bring the VPN up.
    >
    >
    > "CeykoVer" <> wrote in message
    > news:VN8%i.17320$Vp3.14397@trnddc05...
    >> Greetings,

    >
    >

    When I did that during implementation I was not able to find anything in
    the logs with the peer address. I'll try again next time we give this a
    shot. Thank you for posting.

    Take care
    CeykoVer, Nov 16, 2007
    #3