Pix with 2 ipsec tunnels

Discussion in 'Cisco' started by chackamakka, Jun 11, 2004.

  1. chackamakka

    chackamakka Guest

    Hello,

    I don't have much experience with Cisco PIX and now I need to
    configure a PIX firewall that builds up 2 IPsec tunnels to 2
    branches. So I created a config but am not sure if it's correct. Can
    anyone have a look, or does anyone have any suggestions?

    crypto ipsec transform-set ipsec_1-set esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 7200
    crypto map ipsec_1-map 10 ipsec-isakmp
    crypto map ipsec_1-map 10 match address ipsec_1
    crypto map ipsec_1-map 10 set peer <public peer ip address branch 1>
    crypto map ipsec_1-map 10 set transform-set ipsec_1-set
    crypto map ipsec_1-map interface outside
    crypto ipsec transform-set ipsec_2-set esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map ipsec_2-map 20 ipsec-isakmp
    crypto map ipsec_2-map 20 match address ipsec_2
    crypto map ipsec_2-map 20 set peer <public peer ip address branch 2>
    crypto map ipsec_2-map 20 set transform-set ipsec_2-set
    crypto map ipsec_2-map interface outside

    isakmp enable outside
    isakmp key <encryption key 1> address <public peer ip address branch 1> netmask 255.255.255.255
    isakmp key <encryption key 2> address <public peer ip address branch 2> netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Or is it supposed to be:


    crypto ipsec transform-set ipsec_1-set esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 7200
    crypto map ipsec_1-map 10 ipsec-isakmp
    crypto map ipsec_1-map 10 match address ipsec_1
    crypto map ipsec_1-map 10 set peer <public peer ip address branch 1>
    crypto map ipsec_1-map 10 set transform-set ipsec_1-set
    crypto map ipsec_1-map interface outside

    crypto ipsec transform-set ipsec_2-set esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto map ipsec_2-map 10 ipsec-isakmp
    crypto map ipsec_2-map 10 match address ipsec_2
    crypto map ipsec_2-map 10 set peer <public peer ip address branch 2>
    crypto map ipsec_2-map 10 set transform-set ipsec_2-set
    crypto map ipsec_2-map interface outside

    isakmp enable outside
    isakmp key <encryption key 1> address <public peer ip address branch 1> netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    isakmp enable outside

    isakmp key <encryption key 2> address <public peer ip address branch 2> netmask 255.255.255.255
    isakmp identity address
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    I left out the access-list and ... because this is the part I'm not
    sure about.
    Does anyone have any idea of what's correct or wrong?
    Thanks already!
    Chackamakka
     
    chackamakka, Jun 11, 2004
    #1

  2. Henrik Christensen

    crypto ipsec transform-set ipsec_1-set esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 7200
    crypto map ipsec_1-map 10 ipsec-isakmp
    crypto map ipsec_1-map 10 match address ipsec_1
    crypto map ipsec_1-map 10 set peer <public peer ip address branch 1>
    crypto map ipsec_1-map 10 set transform-set ipsec_1-set
    crypto map ipsec_1-map interface outside
    crypto ipsec security-association lifetime seconds 3600
    crypto map ipsec_1-map 20 ipsec-isakmp
    crypto map ipsec_1-map 20 match address ipsec_2
    crypto map ipsec_1-map 20 set peer <public peer ip address branch 2>
    crypto map ipsec_1-map 20 set transform-set ipsec_1-set


    isakmp enable outside
    isakmp key <encryption key 1> address <public peer ip address branch 1> netmask 255.255.255.255 no-xauth no-config-mode
    isakmp key <encryption key 2> address <public peer ip address branch 2> netmask 255.255.255.255 no-xauth no-config-mode
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    Remember an access-l for nonat, which should contain both lines from
    ipsec_1 & ipsec_2, combined with nat (inside) 0 access-l nonat.

    Best regards
    Henrik
     
    Henrik Christensen, Jun 11, 2004
    #2
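As an added illustration (not part of the thread or of any Cisco tool), a small Python lint that reads a PIX crypto configuration and flags the three "last line wins" problems this exchange turns on: two crypto maps bound to the same interface, one isakmp policy with `hash` set twice, and the global SA lifetime set more than once. The sample config, the function name `lint_pix_crypto` and the peer addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the poster's first attempt (documentation IPs as peers).
SAMPLE_CONFIG = """\
crypto ipsec security-association lifetime seconds 7200
crypto map ipsec_1-map 10 ipsec-isakmp
crypto map ipsec_1-map 10 set peer 203.0.113.1
crypto map ipsec_1-map interface outside
crypto ipsec security-association lifetime seconds 3600
crypto map ipsec_2-map 20 ipsec-isakmp
crypto map ipsec_2-map 20 set peer 203.0.113.2
crypto map ipsec_2-map interface outside
isakmp policy 10 hash md5
isakmp policy 10 hash sha
"""

def lint_pix_crypto(config: str) -> list:
    """Return human-readable findings for settings that silently override each other."""
    maps_on_iface = defaultdict(list)   # interface -> crypto map names bound to it
    policy_hash = defaultdict(list)     # isakmp policy number -> hash values seen
    lifetimes = []                      # every global SA lifetime statement, in order
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            maps_on_iface[m.group(2)].append(m.group(1))
            continue
        m = re.match(r"isakmp policy (\d+) hash (\S+)$", line)
        if m:
            policy_hash[m.group(1)].append(m.group(2))
            continue
        m = re.match(r"crypto ipsec security-association lifetime seconds (\d+)$", line)
        if m:
            lifetimes.append(int(m.group(1)))
    findings = []
    for iface, names in maps_on_iface.items():
        if len(names) > 1:   # only one crypto map set can be active per interface
            findings.append(f"interface {iface}: {len(names)} crypto maps bound "
                            f"({', '.join(names)}); only {names[-1]} stays active. "
                            f"Use one map with one sequence number per peer.")
    for policy, hashes in policy_hash.items():
        if len(hashes) > 1:  # a policy holds a single hash; the later command replaces it
            findings.append(f"isakmp policy {policy}: hash set {len(hashes)} times "
                            f"({', '.join(hashes)}); only {hashes[-1]} takes effect. "
                            f"Use a separate policy per hash.")
    if len(lifetimes) > 1:   # the global lifetime is one value, not one per tunnel
        findings.append(f"global SA lifetime set {len(lifetimes)} times; "
                        f"{lifetimes[-1]}s applies to every map entry.")
    return findings
```

Per-tunnel lifetimes belong on the crypto map entry itself rather than on the global statement.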

  3. chackamakka

    chackamakka Guest

    Hi,

    Thanks for the reaction.
    So I don't have to create a completely new isakmp policy 20 to make the
    second IPsec tunnel work?

    reg,
    Philippe
     
    chackamakka, Jun 14, 2004
    #3
