how to config more than one site-to-site VPN in my PIX515E

Hi,

I want to set up some site-to-site VPN in my PIX515E, but do not know how to configure the VPN gateway, like this:

PIX506E ---- PIX515E ------ PIX506E
Site A       Site B         Site C

The configurations of Site A & Site C are simple, but I do not know how to configure the PIX515E of Site B.

The configure of PIX515E:

crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CPOffice 1000 ipsec-isakmp
crypto map CPOffice 1000 match address Traffic_To_CPOffice
crypto map CPOffice 1000 set peer CP_OFFICE_VPN
crypto map CPOffice 1000 set transform-set strong
crypto map LNet 1001 ipsec-isakmp
crypto map LNet 1001 match address log_Traf_ToTunnel
crypto map LNet 1001 set peer Log_Net_VPN
crypto map LNet 1001 set transform-set ESP-3DES-MD5
crypto map LNet interface outside
isakmp enable outside
isakmp key Cisco2005 address CP_OFFICE_VPN netmask 255.255.255.255
isakmp key Cisco2004 address Log_VPN netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

The above configuration does not make the two site-to-site VPNs work.

How ?

Thank you,
Benson

Reply to
Benson

In article , Benson wrote:
:I want to set up some site-to-site VPN in my PIX515E, but do not know
:how to configure the VPN gateway, like this:

:PIX506E ---- PIX515E ------ PIX506E
:Site A       Site B         Site C

Are you trying to use Site B to cross-connect Site A and Site C? If so then you will need to have Site A and Site C connect to different interfaces on Site B.

:The configure of PIX515E:

:crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

Try using sha instead of md5, for the transform set and for the isakmp policy.

:crypto map CPOffice 1000 ipsec-isakmp
:crypto map CPOffice 1000 match address Traffic_To_CPOffice
:crypto map CPOffice 1000 set peer CP_OFFICE_VPN
:crypto map CPOffice 1000 set transform-set strong

If that is supposed to be on a different interface than the other one, then you need to apply this to an interface.

If this is to be on the same interface as the other one, you must use the same crypto map name. You can only have one active crypto map per interface.

Reply to
Walter Roberson
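
A small check for the points raised in the reply above (a crypto map has to be applied to an interface, only one map is active per interface, MD5 in the transform sets and isakmp policy), plus peers that have no isakmp key. This is an added example, not code from the thread: `lint_pix_crypto` is a hypothetical helper, the sample is the question's crypto lines abridged with the pre-shared keys masked, and peers are matched by the literal name written in the config.

```python
import re
from collections import defaultdict

# Constructed sample: crypto lines of the Site B config from the question
# (abridged, pre-shared keys masked).
SITE_B_CONFIG = """\
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CPOffice 1000 ipsec-isakmp
crypto map CPOffice 1000 match address Traffic_To_CPOffice
crypto map CPOffice 1000 set peer CP_OFFICE_VPN
crypto map CPOffice 1000 set transform-set strong
crypto map LNet 1001 ipsec-isakmp
crypto map LNet 1001 match address log_Traf_ToTunnel
crypto map LNet 1001 set peer Log_Net_VPN
crypto map LNet 1001 set transform-set ESP-3DES-MD5
crypto map LNet interface outside
isakmp key ******** address CP_OFFICE_VPN netmask 255.255.255.255
isakmp key ******** address Log_VPN netmask 255.255.255.255
isakmp policy 10 hash md5
"""

def lint_pix_crypto(config):
    """Return a list of findings for a PIX 6.x style crypto configuration."""
    peers = defaultdict(set)   # crypto map name -> peers set in its entries
    bound = {}                 # interface -> crypto map applied to it
    keyed = set()              # peers that have an isakmp pre-shared key
    findings = []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            name, iface = m.groups()
            if bound.get(iface, name) != name:
                findings.append(f"{iface}: both {bound[iface]} and {name} applied, only one map is active per interface")
            bound[iface] = name
        elif m := re.match(r"crypto map (\S+) \d+ (?:set peer (\S+))?", line):
            peers[m.group(1)].update(filter(None, [m.group(2)]))
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keyed.add(m.group(1))
        if re.search(r"esp-md5-hmac|hash md5", line):
            findings.append(f"MD5 in use: {line}")
    for name in sorted(peers):
        if name not in bound.values():
            findings.append(f"crypto map {name} is not applied to any interface")
        for peer in sorted(peers[name] - keyed):
            findings.append(f"peer {peer} (map {name}) has no isakmp key")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_pix_crypto(SITE_B_CONFIG)))
```

On the sample it reports that crypto map CPOffice is never applied to an interface, which is the condition the reply describes; moving both entries under one map name with different sequence numbers clears that finding.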

Hi, Roberson,

Thank you very much for your help.

What should I do, except using different interface Card, for establishing two site-to-site VPN in site B ?

Benson

Reply to
Benson

In article , Benson wrote:
:What should I do, except using different interface Card, for
:establishing two site-to-site VPN in site B ?

You did not clarify whether the two connections were independent or whether you were trying to use site B as a hub to allow site A and site C to communicate with each other.

If you are trying to use site B as a hub, then you have to use different physical or logical interfaces, or you have to have auxiliary equipment, or you have to upgrade your 515E to PIX 7.0(1) (if you trust .1 releases...)

Reply to
Walter Roberson
