Multiple Site-to-site VPNs

Greetings, I recently tried to get multiple site-to-site VPNs off one PIX ver 6.3 working. (Other sites are PIX 6.3 as well.) It LOOKED like ISAKMP was trying, but never actually worked. I want to be sure I'm configuring everything properly. Basically site A needs a connection to site B and C - each have different networks that need to be tunneled.

I verified isakmp keys were identical, proper peer addresses, nat0, connectivity. I just can't figure out why only Site A to B would come up and site A to C would not. I have another post about what I tried after this that failed as well. I'm perplexed, even though I know there has to be something small/minor wrong. Any ideas will be greatly appreciated.

Assume...
Site A is 172.20.8.0 /24
Site B is 172.20.0.0 /24
Site C is 172.20.16.0 /24
(In RL it is completely jacked up)

Below are the basic configs that I tried...

Site A

access-list outside_crypto_map_13 permit ip 172.20.8.0 255.255.255.0 172.20.0.0 255.255.255.0
access-list outside_crypto_map_14 permit ip 172.20.8.0 255.255.255.0 172.20.16.0 255.255.255.0
!Is this sort of thing valid? Just want it to not translate from that source to anything
access-list nonat permit ip 172.20.8.0 255.255.255.0 172.16.0.0 255.255.240.0
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 13 ipsec-isakmp
crypto map outside_map 13 match address outside_crypto_map_13
crypto map outside_map 13 set pfs group2
crypto map outside_map 13 set peer 1.1.1.1
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map 14 ipsec-isakmp
crypto map outside_map 14 match address outside_crypto_map_14
crypto map outside_map 14 set pfs group2
crypto map outside_map 14 set peer 2.2.2.2
crypto map outside_map 14 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Site B

access-list outside_crypto_map_11 permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list nonat permit ip 172.20.0.0 255.255.255.0 172.20.8.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 11 ipsec-isakmp
crypto map outside_map 11 match address outside_crypto_map_11
crypto map outside_map 11 set pfs group2
crypto map outside_map 11 set peer 3.3.3.3
crypto map outside_map 11 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

Site C

access-list outside_crypto_map_13 permit ip 172.20.16.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list nonat permit ip 172.20.16.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 13 ipsec-isakmp
crypto map outside_map 13 match address outside_crypto_map_13
crypto map outside_map 13 set pfs group2
crypto map outside_map 13 set peer 3.3.3.3
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 3.3.3.3 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

CeykoVer

You better post a complete debug session, using "debug crypto isakmp" then trying to bring the VPN up.

"CeykoVer" wrote in message news:VN8%i.17320$Vp3.14397@trnddc05...

Chino

When I did that during implementation I was not able to find anything in the logs with the peer address. I'll try again next time we give this a shot. Thank you for the posting up.

Take care

CeykoVer
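
An offline consistency check for configs like the ones posted at the top of the thread, added here as an example and not part of any poster's message. It parses PIX 6.3 "access-list" and "crypto map" lines and reports crypto ACLs that are not mirror images on the two peers, and protected flows that the nonat list does not cover. Assumptions: the function names parse and audit are made up for this example, nonat is the list applied with nat 0, and the outside addresses are inferred from the posted peer statements.

```python
import ipaddress, re

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)")
CMAP_RE = re.compile(r"crypto map \S+ (\d+) (match address|set peer) (\S+)")

def parse(config):
    """Return ({acl: [(src, dst)]}, {peer_ip: crypto_acl}) for one PIX config."""
    acls, entry = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            nets = ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")
            acls.setdefault(name, []).append(nets)
        elif m := CMAP_RE.match(line):
            entry.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return acls, {e["set peer"]: e["match address"] for e in entry.values() if len(e) == 2}

def audit(sites, nonat="nonat"):
    """sites: {outside_ip: (name, config)}. Assumes `nonat` is the nat 0 ACL (hypothetical helper)."""
    parsed = {ip: (name, *parse(cfg)) for ip, (name, cfg) in sites.items()}
    out = []
    for ip, (name, acls, tunnels) in parsed.items():
        for peer_ip, acl in tunnels.items():
            flows = acls.get(acl, [])
            for src, dst in flows:  # NAT exemption must cover every protected flow
                if not any(src.subnet_of(a) and dst.subnet_of(b) for a, b in acls.get(nonat, [])):
                    out.append(f"{name}: {nonat} does not cover {src} -> {dst}")
            if peer_ip in parsed:  # the peer's crypto ACL must mirror ours
                peer, r_acls, r_tunnels = parsed[peer_ip]
                back = r_acls.get(r_tunnels.get(ip), [])
                if sorted(flows) != sorted((d, s) for s, d in back):
                    out.append(f"{name}: {acl} is not mirrored on {peer}")
    return sorted(out)

# Constructed input: A-to-C lines from the configs posted above; outside IPs from the peer lines.
SITE_A = """\
access-list outside_crypto_map_14 permit ip 172.20.8.0 255.255.255.0 172.20.16.0 255.255.255.0
access-list nonat permit ip 172.20.8.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto map outside_map 14 match address outside_crypto_map_14
crypto map outside_map 14 set peer 2.2.2.2
"""
SITE_C = """\
access-list outside_crypto_map_13 permit ip 172.20.16.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list nonat permit ip 172.20.16.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto map outside_map 13 match address outside_crypto_map_13
crypto map outside_map 13 set peer 3.3.3.3
"""
SITES = {"3.3.3.3": ("A", SITE_A), "2.2.2.2": ("C", SITE_C)}
print("\n".join(audit(SITES)))
```

On the addresses as posted, the A and C crypto ACLs mirror each other, but neither site's nonat entry (172.16.0.0 255.255.240.0) covers the A-to-C flow.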
