site-to-site VPN

I have this schema:

          CompanyA          CompanyB            CompanyC
inIP:     192.168.2.0       192.168.1.0         192.168.10.0
exIP:     aaa.bbb.107.96    xxx.yyy.97.34/28    aaa.bbb.97.50/29

I need to configure site-to-site VPN. The tunnel between CompanyB and CompanyC is working fine, but I can't get the site-to-site VPN between CompanyA and CompanyB working. Every site also has a VPN configured for remote users, which is working fine.

I spent lots of time researching what's wrong but I can't figure it out.

If someone has some time to review my configs I'll appreciate the help.

I'll also be glad if you give me some advice on how to troubleshoot this.

Thanks,

CompanyB:

access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyC permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list out_in permit tcp any host xxx.yyy.97.35 eq smtp
access-list out_in permit tcp any host xxx.yyy.97.35 eq www
access-list out_in permit tcp any host xxx.yyy.97.35 eq https
access-list out_in permit tcp any host xxx.yyy.97.35 eq domain
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside xxx.yyy.97.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 192.168.6.210-192.168.6.220
pdm history enable
arp timeout 14400
global (outside) 1 xxx.yyy.97.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.97.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address CompanyC
crypto map newmap 20 set peer xxx.yyy.97.50
crypto map newmap 20 set transform-set myset
crypto map newmap 25 ipsec-isakmp
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
crypto map newmap 25 set transform-set myset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
vpngroup CHerndon address-pool clientpool
vpngroup CHerndon dns-server 192.168.1.10
vpngroup CHerndon wins-server 192.168.1.10
vpngroup CHerndon default-domain CompanyB.com
vpngroup CHerndon split-tunnel bypassingnat
vpngroup CHerndon idle-time 1800
vpngroup CHerndon password ********

CompanyA:

access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list out_inside permit tcp any host aaa.bbb.107.99 eq www
access-list out_inside permit tcp any host aaa.bbb.107.99 eq 443
access-list out_inside permit tcp any host aaa.bbb.107.99 eq domain
access-list out_inside permit tcp any host aaa.bbb.107.99 eq smtp
access-list in_out permit tcp host 192.168.2.11 any eq smtp
access-list in_out deny tcp any any eq smtp
access-list in_out permit ip any any
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside aaa.bbb.107.96 255.255.252.0
ip address inside 192.168.2.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool clientpool 10.1.1.10-10.1.1.36
pdm history enable
arp timeout 14400
global (outside) 1 aaa.bbb.107.103 netmask 255.255.255.0
nat (inside) 0 access-list bypassingnat
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group out_inside in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.104.1 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map vpngroup client authentication TACACS+
isakmp enable outside
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup svinzant address-pool clientpool
vpngroup svinzant dns-server 192.168.2.10
vpngroup svinzant wins-server 192.168.2.10
vpngroup svinzant default-domain companyA.com
vpngroup svinzant split-tunnel vpnacl
vpngroup svinzant idle-time 1800
vpngroup svinzant password ********

CompanyC:

access-list acl_outside permit icmp any any echo-reply
access-list acl_inside permit ip any any
access-list 101 permit ip 192.168.11.0 255.255.255.0 10.10.8.16 255.255.255.240
access-list 103 permit ip 192.168.10.0 255.255.255.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.16 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CompanyB permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside xxx.yyy.97.50 255.255.255.248
ip address inside 10.10.8.1 255.255.255.0
ip local pool eespool 10.10.8.17-10.10.8.30
ip local pool localpool 10.10.8.33-10.10.8.46
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) xxx.yyy.97.53 192.168.10.20 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
route inside 192.168.10.0 255.255.255.0 10.10.8.2 1
route inside 192.168.11.0 255.255.255.0 10.10.8.2 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set des esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set des
crypto map partner-map 15 ipsec-isakmp
crypto map partner-map 15 match address CompanyB
crypto map partner-map 15 set peer xxx.yyy.97.34
crypto map partner-map 15 set transform-set myset
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup eeshome address-pool eespool
vpngroup eeshome dns-server 12.127.16.68
vpngroup eeshome wins-server 192.168.10.20
vpngroup eeshome default-domain CompanyB.com
vpngroup eeshome split-tunnel 101
vpngroup eeshome idle-time 1800
vpngroup eeshome password ********
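A consistency check for the two ends of the CompanyA/CompanyB tunnel, added here as an example and not part of the post: it parses excerpts of the two configs above and verifies what a PIX LAN-to-LAN tunnel needs to agree on, namely mirrored crypto ACLs, identical transform sets, and at least one ISAKMP policy matching on authentication, encryption, hash and group (lifetimes may differ). The excerpts are copied from the configs; the function names are my own.

```python
# Excerpts of the CompanyA and CompanyB PIX configs from the post (only the lines this check reads).
A = """access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
crypto map newmap 10 set transform-set myset
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400"""
B = """access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
crypto map newmap 25 set transform-set myset
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400"""

def parse(cfg):
    """Collect crypto ACLs, transform sets, crypto-map entries and ISAKMP policies from a PIX config."""
    p = {"acl": {}, "ts": {}, "map": {}, "pol": {}}
    for w in filter(None, (line.split() for line in cfg.splitlines())):
        if w[0] == "access-list" and w[2:4] == ["permit", "ip"]:   # (src, mask, dst, mask)
            p["acl"].setdefault(w[1], set()).add(tuple(w[4:8]))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["ts"][w[3]] = tuple(sorted(w[4:]))
        elif w[:2] == ["crypto", "map"] and len(w) > 6:           # keys: address / peer / transform-set
            p["map"].setdefault(w[3], {})[w[5]] = w[6]
        elif w[:2] == ["isakmp", "policy"] and w[3] != "lifetime":  # lifetimes need not match
            p["pol"].setdefault(w[2], {})[w[3]] = w[4]
    return p

def check_tunnel(local, lseq, remote, rseq):
    """Return the mismatches between crypto-map entry lseq on local and rseq on remote ([] = consistent)."""
    lm, rm, issues = local["map"][lseq], remote["map"][rseq], []
    # Phase 2: the crypto ACL must be the exact mirror (src/dst swapped) of the remote one.
    if local["acl"][lm["address"]] != {(d, dm, s, sm) for s, sm, d, dm in remote["acl"][rm["address"]]}:
        issues.append("crypto ACL %s is not the mirror of %s" % (lm["address"], rm["address"]))
    if local["ts"][lm["transform-set"]] != remote["ts"][rm["transform-set"]]:
        issues.append("transform sets differ")
    # Phase 1: at least one ISAKMP policy must agree on authentication, encryption, hash and group.
    if not any(a == b for a in local["pol"].values() for b in remote["pol"].values()):
        issues.append("no matching ISAKMP policy")
    return issues
```

For the excerpts above the check returns an empty list, which tells you the Phase 1 and Phase 2 parameters are not where the A/B tunnel fails and narrows the search to NAT exemption, xauth on the crypto map, and the key entries.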
Exclusive

You may wish to investigate the Cisco Site-to-Site VPN Config Wizard.

Sincerely,

Brad Reese


www.BradReese.Com

I also tried:

isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255 no-xauth no-config-mode

but it doesn't work either.

Exclusive

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.