Hey all, I could really use some help. I have a head office and branch office, both with a PIX. We set up an IPSEC VPN between them like so:
PIX at HQ:
access-list no_NAT ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_branch1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 no_NAT
sysopt connection permit-ipsec
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 100 ipsec-isakmp
crypto map MYMAP 100 match address to_branch1
crypto map MYMAP 100 set peer 222.222.222.222
crypto map MYMAP 100 set transform-set MYSET
crypto map MYMAP interface outside
isakmp key MYKEY address 222.222.222.222 netmask 255.255.255.240
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 50000
PIX at Branch:
access-list no_NAT ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list to_HQ permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 no_NAT
sysopt connection permit-ipsec
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 100 ipsec-isakmp
crypto map MYMAP 100 match address to_HQ
crypto map MYMAP 100 set peer 111.111.111.111
crypto map MYMAP 100 set transform-set MYSET
crypto map MYMAP interface outside
isakmp key MYKEY address 111.111.111.111 netmask 255.255.255.240
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 50000
All of this has worked fine for months.
We just opened a new branch office, branch2, and I want to set up the IPSEC VPN Tunnels between branch1 and branch2.
The PIX at branch2 is configured as follows:
access-list no_NAT ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list to_branch1 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 no_NAT
sysopt connection permit-ipsec
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
crypto map MYMAP 200 ipsec-isakmp
crypto map MYMAP 200 match address to_branch1
crypto map MYMAP 200 set peer 222.222.222.222
crypto map MYMAP 200 set transform-set MYSET
crypto map MYMAP interface outside
isakmp key INTERBRANCHKEY address 222.222.222.222 netmask 255.255.255.240
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 50000

Now here's my problem... In order to bring up the VPN between branch1 and branch2, I added the following to the PIX at branch1:
access-list no_NAT ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list to_branch2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map MYMAP 200 ipsec-isakmp
crypto map MYMAP 200 match address to_branch2
crypto map MYMAP 200 set peer 333.333.333.333 (I know there is no such addr...)
crypto map MYMAP 200 set transform-set MYSET
isakmp key INTERBRANCHKEY address 333.333.333.333 netmask 255.255.255.240

... and nothing. I can't ping anything in branch2 from inside branch1, nor vice versa. My addresses are all OK. My preshared key is the same on both, my access-lists are OK... what am I not getting? Can anyone tell me if I messed something up? Do the PIXes need to be rebooted? Is some other parameter required to be reset? Thanks for your help.
Al
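A peer-to-peer consistency check for the kind of config in the post, added here as an example (not the poster's own material): it parses the PIX lines for access-lists, crypto map entries, the nat 0 ACL and isakmp keys, then verifies that the pre-shared keys agree, each side has a crypto map entry for the other, the crypto ACLs are exact mirror images, and the tunnel traffic is covered by the nat 0 exemption on both sides. The sample input is constructed from the branch1 additions quoted above (BRANCH2 is built as its mirror image, matching the branch2 config); the public IPs are the post's own placeholders.

```python
from collections import defaultdict

def parse_pix(text):
    """Pull access-lists, crypto map entries, the nat 0 ACL and isakmp keys out of PIX 6.x CLI."""
    acls, maps, keys, nat0 = defaultdict(list), defaultdict(dict), {}, None
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["access-list"] and "ip" in w:       # src, src mask, dst, dst mask follow "ip"
            i = w.index("ip")
            acls[w[1]].append(tuple(w[i + 1:i + 5]))
        elif w[:2] == ["crypto", "map"] and len(w) > 6 and w[3].isdigit():
            key = "acl" if w[4] == "match" else "peer" if w[4:6] == ["set", "peer"] else None
            if key:
                maps[(w[2], w[3])][key] = w[6]
        elif w[:2] == ["isakmp", "key"]:
            keys[w[4]] = w[2]                               # peer address -> pre-shared key
        elif w[:1] == ["nat"] and w[2:3] == ["0"]:
            nat0 = w[3]
    return acls, maps, keys, nat0

def check_pair(local, local_ip, remote, remote_ip):
    """Mismatches that stop a tunnel: key, crypto map entry, mirrored crypto ACLs, nat 0 exemption."""
    la, lm, lk, ln = parse_pix(local)
    ra, rm, rk, rn = parse_pix(remote)
    problems = []
    if lk.get(remote_ip) is None or lk.get(remote_ip) != rk.get(local_ip):
        problems.append("pre-shared key missing or different on the two peers")
    lent = [e for e in lm.values() if e.get("peer") == remote_ip]
    rent = [e for e in rm.values() if e.get("peer") == local_ip]
    if not (lent and rent):
        problems.append("crypto map entry for the other peer missing on one side")
    for le, rem in ((a, b) for a in lent for b in rent):
        lacl, racl = set(la[le.get("acl")]), set(ra[rem.get("acl")])
        if lacl != {(d, dm, s, sm) for s, sm, d, dm in racl}:
            problems.append(f"{le.get('acl')} is not the mirror image of {rem.get('acl')}")
        if not (lacl <= set(la[ln]) and racl <= set(ra[rn])):
            problems.append("tunnel traffic not exempted from NAT (nat 0) on both sides")
    return problems

# Constructed from the branch1 additions in the post; BRANCH2 is its mirror image (branch2's config).
BRANCH1 = """\
access-list no_NAT ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list to_branch2 permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 no_NAT
crypto map MYMAP 200 match address to_branch2
crypto map MYMAP 200 set peer 333.333.333.333
isakmp key INTERBRANCHKEY address 333.333.333.333 netmask 255.255.255.240
"""
BRANCH2 = (BRANCH1.replace("192.168.2.0 255.255.255.0 192.168.3.0", "192.168.3.0 255.255.255.0 192.168.2.0")
           .replace("to_branch2", "to_branch1").replace("333.333.333.333", "222.222.222.222"))

if __name__ == "__main__":
    print(check_pair(BRANCH1, "222.222.222.222", BRANCH2, "333.333.333.333"))  # -> []
```

An empty list means the two sides agree on everything the check covers; the same call on a deliberately mismatched copy (different key, non-mirrored ACL) names the offending item.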