How to configure more than one site-to-site VPN in my PIX515E

Discussion in 'Cisco' started by Benson, Apr 21, 2005.

  1. Benson


    Hi,

    I want to set up some site-to-site VPN in my PIX515E, but do not know
    how to configure the VPN gateway, like this:

    PIX506E ---- PIX515E ------ PIX506E
    Site A       Site B         Site C


    The configurations of Site A & Site C are simple; but I do not know
    how to configure the PIX515E of Site B;

    The configuration of the PIX515E:

    crypto ipsec transform-set strong esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map CPOffice 1000 ipsec-isakmp
    crypto map CPOffice 1000 match address Traffic_To_CPOffice
    crypto map CPOffice 1000 set peer CP_OFFICE_VPN
    crypto map CPOffice 1000 set transform-set strong
    crypto map LNet 1001 ipsec-isakmp
    crypto map LNet 1001 match address log_Traf_ToTunnel
    crypto map LNet 1001 set peer Log_Net_VPN
    crypto map LNet 1001 set transform-set ESP-3DES-MD5
    crypto map LNet interface outside
    isakmp enable outside
    isakmp key Cisco2005 address CP_OFFICE_VPN netmask 255.255.255.255
    isakmp key Cisco2004 address Log_VPN netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400


    The above configuration does not make two site-to-site VPNs work.

    How?

    Thank you
    Benson
     
    Benson, Apr 21, 2005
    #1

  2. :I want to set up some site-to-site VPN in my PIX515E, but do not know
    :how to configure the VPN gateway, like this:

    :PIX506E ---- PIX515E ------ PIX506E
    :Site A       Site B         Site C

    Are you trying to use Site B to cross-connect Site A and Site C?
    If so then you will need to have Site A and Site C connect to
    different interfaces on Site B.

    :The configure of PIX515E:

    :crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

    Try using sha instead of md5, for the transform set and for
    the isakmp policy.

    :crypto map CPOffice 1000 ipsec-isakmp
    :crypto map CPOffice 1000 match address Traffic_To_CPOffice
    :crypto map CPOffice 1000 set peer CP_OFFICE_VPN
    :crypto map CPOffice 1000 set transform-set strong

    If that is supposed to be on a different interface than the other one,
    then you need to apply this to an interface.
    If this is to be on the same interface as the other one, you must use
    the same crypto map name. You can only have one active crypto map
    per interface.
     
    Walter Roberson, Apr 21, 2005
    #2
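
Added example, not part of the thread and not code from either poster: a small Python check over the crypto lines from the question (pre-shared keys masked) that reports the points raised in the reply above, namely map entries under a name that is never applied to an interface and MD5 in the transform sets and ISAKMP policy, plus one further check that every `set peer` name has an `isakmp key` entry. The function name `lint`, the finding codes, and the literal comparison of peer names are assumptions of this example.

```python
# Constructed sample: crypto lines from the question, pre-shared keys masked.
PIX_CONFIG = """\
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CPOffice 1000 ipsec-isakmp
crypto map CPOffice 1000 set peer CP_OFFICE_VPN
crypto map CPOffice 1000 set transform-set strong
crypto map LNet 1001 ipsec-isakmp
crypto map LNet 1001 set peer Log_Net_VPN
crypto map LNet 1001 set transform-set ESP-3DES-MD5
crypto map LNet interface outside
isakmp key ******** address CP_OFFICE_VPN netmask 255.255.255.255
isakmp key ******** address Log_VPN netmask 255.255.255.255
isakmp policy 10 hash md5
"""

def lint(config):
    """Return (code, detail) findings for a PIX crypto configuration."""
    entries, bound, peers, keyed, findings = {}, set(), [], set(), []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            if tok[3] == "interface":
                bound.add(tok[2])              # crypto map NAME interface IFACE
            else:
                entries.setdefault(tok[2], set()).add(tok[3])
                if tok[4:6] == ["set", "peer"] and len(tok) > 6:
                    peers.append(tok[6])
        elif tok[:2] == ["isakmp", "key"] and "address" in tok[:-1]:
            keyed.add(tok[tok.index("address") + 1])
        if "esp-md5-hmac" in tok or tok[-2:] == ["hash", "md5"]:
            findings.append(("md5", line.strip()))
    # Entries under a map name that is never applied to an interface are unused.
    for name in entries:
        if name not in bound:
            findings.append(("unbound-map", name))
    # Assumption: peer names are compared literally against isakmp key names.
    for peer in peers:
        if peer not in keyed:
            findings.append(("peer-without-key", peer))
    return findings

if __name__ == "__main__":
    for code, detail in lint(PIX_CONFIG):
        print(f"{code}: {detail}")
```

Moving both peers under one map name with different sequence numbers, applying that single map to the outside interface, and giving each peer a key under the same name clears the last two finding types.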

  3. Benson


    Hi, Roberson,

    Thank you very much for your help.

    What should I do, except using different interface Card, for
    establishing two site-to-site VPN in site B ?


    Benson
     
    Benson, Apr 22, 2005
    #3
  4. :What should I do, except using different interface Card, for
    :establishing two site-to-site VPN in site B ?

    You did not clarify whether the two connections were independent
    or whether you were trying to use site B as a hub to allow
    site A and site C to communicate with each other.

    If you are trying to use site B as a hub, then you have to
    use different physical or logical interfaces, or you have to
    have auxiliary equipment, or you have to upgrade your 515E to
    PIX 7.0(1) (if you trust .1 releases...)
     
    Walter Roberson, Apr 23, 2005
    #4
