1. Home
  2. Cisco Systems
  3. Multiple IPsec VPNs between PIX

Multiple IPsec VPNs between PIX

Hey all, I could really use some help. I have a head office and branch office, both with a PIX. We set up an IPSEC VPN between them like so:

PIX at HQ: access-list no_NAT ip 192.168.1.0 255.255.255.0 192.168.2.0

255.255.255.0 access-list to_branch1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 no_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac crypto map MYMAP 100 ipsec-isakmp crypto map MYMAP 100 match address to_branch1 crypto map MYMAP 100 set peer 222.222.222.222 crypto map MYMAP 100 set transform-set MYSET crypto map MYMAP interface outside

isakmp key MYKEY address 222.222.222.222 netmask 255.255.255.240 isakmp enable outside isakmp identity address isakmp policy 1 authentication pre-share isakmp policy 1 encryption 3des isakmp policy 1 hash md5 isakmp policy 1 group 1 isakmp policy 1 lifetime 50000

PIX at Branch: access-list no_NAT ip 192.168.2.0 255.255.255.0 192.168.1.0

255.255.255.0 access-list to_HQ permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 no_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac crypto map MYMAP 100 ipsec-isakmp crypto map MYMAP 100 match address to_HQ crypto map MYMAP 100 set peer 111.111.111.111 crypto map MYMAP 100 set transform-set MYSET crypto map MYMAP interface outside

isakmp key MYKEY address 111.111.111.111 netmask 255.255.255.240 isakmp enable outside isakmp identity address isakmp policy 1 authentication pre-share isakmp policy 1 encryption 3des isakmp policy 1 hash md5 isakmp policy 1 group 1 isakmp policy 1 lifetime 50000

All of this has worked fine for months.

We just opened a new branch office, branch2, and I want to set up the IPSEC VPN Tunnels between branch1 and branch2.

the PIX at branch2 is configured as follows: access-list no_NAT ip 192.168.3.0 255.255.255.0 192.168.2.0

255.255.255.0 access-list to_branch1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0

nat (inside) 0 no_NAT

sysopt connection permit-ipsec

crypto ipsec transform-set MYSET esp-3des esp-md5-hmac crypto map MYMAP 200 ipsec-isakmp crypto map MYMAP 200 match address to_branch1 crypto map MYMAP 200 set peer 222.222.222.222 crypto map MYMAP 200 set transform-set MYSET crypto map MYMAP interface outside

isakmp key INTERBRANCHKEY address 222.222.222.222 netmask

255.255.255.240 isakmp enable outside isakmp identity address isakmp policy 1 authentication pre-share isakmp policy 1 encryption 3des isakmp policy 1 hash md5 isakmp policy 1 group 1 isakmp policy 1 lifetime 50000

Now here's my problem... In order to bring up the VPN between branch1 and branch2, I added the following to the PIX at branch1:

access-list no_NAT ip 192.168.2.0 255.255.255.0 192.168.3.0

255.255.255.0 access-list to_branch2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0

crypto map MYMAP 200 ipsec-isakmp crypto map MYMAP 200 match address to_branch2 crypto map MYMAP 200 set peer 333.333.333.333 (I know there is no such addr...) crypto map MYMAP 200 set transform-set MYSET

isakmp key INTERBRANCHKEY address 333.333.333.333 netmask

255.255.255.240

... and nothing. I cant ping anything in bracnh2 from inside branch1, nor vice versa. My addresses are all OK. My preshared key is the same on both, my access-lists are ok... what am I not getting? Can anyone tell me if I messed something? Do the PIXes need to be rebooted? Is some other parameter required to be reset? Thanks for your help.

Al

Reply to
Al
Loading thread data ...

OK... I did some more reading - and I found the answer: When modifying a crypto map, it should be done in this order:

  1. input the command "no crypto map MYMAP interface outside"

  1. make your changes to your crypto map

  2. input the command "crypto map MYMAP interface outside"

It seems that the interface needs to be "re-mapped" to the crypto map for the new changes to take effect.

BTW, I also tried the above steps in the following order: 2, 1, 3. This also worked.

Reply to
Al

That's not actually necessary for PIX 6, but you do need to "clear ipsec sa". Removing the crypto map from the interface would have the side effect of clearing the SA's.

Reply to
Walter Roberson

Do I understand correctly then that "clear ipsec sa" would "reset" the VPN tunnel and automatically restart it with the new changes?

Also, when I did "no crypto map...", BOTH VPN tunnels were torn down and rebuilt. Is there a way I can do this so that only the tunnel I made changes to is torn down and reset?

Thanks

Reply to
Al

Yes.

No, if you "no crypto map", it is going to tear down all the tunnels on that interface. You could remove individual crypto map policies, but (in PIX 6 at least) there could still be hold-overs not cleaned up. "clear ipsec sa" gets rid of the holdovers. There are ways to clear specific SAs, but I keep forgetting them (and I haven't worked on a PIX for over a year now.)

Reply to
Walter Roberson

One last question Walter,

I've read several times that making changes to a crypto map without removing the crypto map from the outside interface first can cause the PIX to lock up, or at least, stop passing any traffic at all. This is why I did the no crypto map first. As far as you know, is this a valid concern? Or is this not applicable to IOS 6.x. Thanks again.

Reply to
Al

I have not heard that, but it could be that it is true.

When I was writing my configuration generator, I did manipulate crypto maps, but that was for a different reason. My configuration generator had to produce a configuration that could be pushed in over a VPN link, and naturally if you munge your active crypto ACLs you end up munging the VPN doing the update right out from underneath you, cutting off the tftp copy. The mechanism that reduces this risk to the smallest possible window is to construct complete new ACLs (with different names) and a complete new crypto map (with a different names), and then enable the new crypto map on the interface (and do this as late in the configuration as possible). This results in the entire crypto infrastructure being updated simultaneously (but, alas, not instantaneously), so you are never left with an inconsistant state. You -might- lose communications at that point, but because the complete new crypto infrastructure ins in place, you can regain communications.

(My configuration generator went further than that; after enabling the new crypto infrastructure under the new names, it would proceed to tear down the old names, then it would rebuild the old names with the new content, and then would enable the old crypto map name on the interface. As this is now just a rename with identical contents, I never lost communication at this point. Then the configuration generator tore down the temporary names. By doing things this way, downtime on the link are minimized, the risks associated with downtime on the link are minimized (can always get communications back), and because the configuration is left with well known names, the configuration generator does not have to guess or probe to find out the names currently in use.)

Reply to
Walter Roberson

Thanks for your help and insight. much appreciated.

Reply to
Al

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.