How to add a second IPSEC tunnel to my PIX515

Hello Everybody,

As I'm not so skilled in adding VPN tunnels, could anybody give me some help understanding my configuration?

I already have an IPsec tunnel working with a site (let's name it SITEA).

In my config I have:

...
access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_adress
access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_adress
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_adress
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host sitea_private_adress
...
nat (inside) 0 access-list acl-nonat
...
crypto ipsec transform-set t_sitea esp-3des esp-md5-hmac
...
crypto map vpn-all 3 match address acl-sitea
crypto map vpn-all 3 set peer sitea_public_adress
crypto map vpn-all 3 set transform-set t_sitea
crypto map vpn-all interface outside
...
crypto isakmp enable outside
...
crypto isakmp policy 3
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 600
...
crypto isakmp nat-traversal 20
...
tunnel-group sitea_public_adress type ipsec-l2l
tunnel-group sitea_public_adress ipsec-attributes
 pre-shared-key *
...

This config works fine at this moment.

Now I have to add a second tunnel to another site, say SITEB.

I'll have to add the access-lists:

access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
access-list acl-sitea extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress
access-list acl-nonat extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
access-list acl-nonat extended permit ip 10.159.10.0 255.255.255.0 host siteb_private_adress

and then the transform set of this site, in this case:

crypto ipsec transform-set t_siteb esp-3des esp-sha-hmac

and now I have trouble with the crypto map... Do I enter:

crypto map vpn-all 4 ...

or

crypto map vpn_b 3

I do not really know if I have to take the same name and change the number, or if I have to change the name for a second tunnel. Can somebody tell me?

Also, about the policy, is there a link between the policy 3 in my example and number 3 in my crypto map config? If not, how is the link done between the SITEA config and the policy used at this moment?

If SITEB gives me another policy, how can I do the link between the policy (say 4) and the crypto map config?

Thanks a lot for your advice.

Best regards,

Johan
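Added example, not part of the original post: a small Python check over a constructed config in which SITEB is a second sequence number (4) of the same crypto map, since PIX/ASA binds only one crypto map to an interface. ISAKMP policy numbers are only priorities tried in order during phase 1 negotiation and are not tied to crypto map sequence numbers, so the check ignores them. The names acl-siteb, siteb_public_adress and the function lint are assumptions.

```python
from collections import defaultdict

# Constructed sample; acl-siteb, sequence 4 and siteb_public_adress are assumed names.
SAMPLE = """\
access-list acl-sitea extended permit ip 10.159.1.0 255.255.255.0 host sitea_private_adress
access-list acl-siteb extended permit ip 10.159.1.0 255.255.255.0 host siteb_private_adress
crypto ipsec transform-set t_sitea esp-3des esp-md5-hmac
crypto ipsec transform-set t_siteb esp-3des esp-sha-hmac
crypto map vpn-all 3 match address acl-sitea
crypto map vpn-all 3 set peer sitea_public_adress
crypto map vpn-all 3 set transform-set t_sitea
crypto map vpn-all 4 match address acl-siteb
crypto map vpn-all 4 set peer siteb_public_adress
crypto map vpn-all 4 set transform-set t_siteb
crypto map vpn-all interface outside
tunnel-group sitea_public_adress type ipsec-l2l
tunnel-group siteb_public_adress type ipsec-l2l
"""

def lint(config):
    """Return a list of problems in the LAN-to-LAN tunnel definitions."""
    acls, tsets, peers, applied = set(), set(), set(), set()
    entries = defaultdict(dict)   # (map name, seq) -> {address|peer|transform-set: value}
    for w in (line.split() for line in config.splitlines()):
        if w[:1] == ["access-list"] and len(w) > 2:
            acls.add(w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3:
            tsets.add(w[3])
        elif w[:1] == ["tunnel-group"] and w[2:] == ["type", "ipsec-l2l"]:
            peers.add(w[1])
        elif w[:2] == ["crypto", "map"] and w[3:4] == ["interface"]:
            applied.add(w[2])        # only one crypto map can be bound per interface
        elif w[:2] == ["crypto", "map"] and len(w) == 7 and w[3].isdigit():
            entries[(w[2], int(w[3]))][w[5]] = w[6]
    problems, used = [], {}
    for (name, seq), e in sorted(entries.items()):
        tag, acl = f"crypto map {name} {seq}", e.get("address")
        if name not in applied:
            problems.append(f"{tag}: map is not applied to an interface")
        if acl not in acls:
            problems.append(f"{tag}: match ACL missing or undefined")
        elif acl in used:
            problems.append(f"{tag}: shares {acl} with {used[acl]}")
        used.setdefault(acl, tag)
        if e.get("peer") not in peers:
            problems.append(f"{tag}: no ipsec-l2l tunnel-group for the peer")
        if e.get("transform-set") not in tsets:
            problems.append(f"{tag}: transform-set missing or undefined")
    return problems
```

Running lint on a draft that uses a separate map name (crypto map vpn_b 3 ...) or reuses acl-sitea for the second entry reports the entry that would never carry traffic or would capture the other site's traffic.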
