Branch-to-branch VPN

Unanswered Question
May 24th, 2007

I'm trying to set up a branch office VPN. I'm using a PIX-506e, my peer is a PIX-515. I've attached my (sanitized) configuration, and there's an equivalent one in the 515.

Network setup:

BO1 Inside: 192.168.0.0

BO2 Inside: 130.45.14.0

We cannot establish a Security Association. We can, of course, ping each other's outside addresses.

Two initial questions:

1. Can someone see anything obviously wrong?

2. The command "clear isakmp sa" breaks any existing SAs; is there a command that forces one PIX to attempt to form an SA with its peer?

Thanks in advance,

dpm

acomiskey Thu, 05/24/2007 - 08:19

First of all, you do not need to have both of these statements in one PIX.

Access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

Access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

You should have the first in B02 and the next in B01.

It is also recommended and good form to use separate ACLs to define this traffic and the traffic defined by your nat (inside) 0 statement, even though it is the same. So I would change it to:

B02

Nat (inside) 0 access-list cleanVPN_nat0

Access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

Access-list cleanVPN_nat0 permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

Crypto map cleanVPNmap 88 match address cleanVPN

B01

Nat (inside) 0 access-list cleanVPN_nat0

Access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

Access-list cleanVPN_nat0 permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

Crypto map cleanVPNmap 88 match address cleanVPN

Let me know how that goes.
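An added example (not code from this thread or from Cisco) that checks the two points made in this reply for a pair of PIX configs: that each side's crypto ACL is the mirror image of its peer's rather than carrying both directions, and that the nat (inside) 0 ACL is a separate list from the one the crypto map matches on. The two configs are constructed from the lines above; the ACL and crypto map names are the ones used in the reply.

```python
import re
from collections import defaultdict
# Constructed sample configs (not the poster's attachment), modelled on the lines in the reply.
# BO1 follows the recommended layout; BO2 shows the two mistakes the reply calls out.
BO1_CFG = """
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
access-list cleanVPN_nat0 permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
nat (inside) 0 access-list cleanVPN_nat0
crypto map cleanVPNmap 88 match address cleanVPN
"""
BO2_CFG = """
access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
nat (inside) 0 access-list cleanVPN
crypto map cleanVPNmap 88 match address cleanVPN
"""

ACE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.I)
NAT0 = re.compile(r"^nat \(inside\) 0 access-list (\S+)$", re.I)
MATCH = re.compile(r"^crypto map \S+ \d+ match address (\S+)$", re.I)

def parse(cfg):
    """Collect ACL entries as ((src, mask), (dst, mask)) plus the nat 0 and crypto-map ACL names."""
    acls, nat0, crypto = defaultdict(list), None, None
    for line in cfg.strip().splitlines():
        line = line.strip()
        if m := ACE.match(line):
            acls[m.group(1)].append(((m.group(2), m.group(3)), (m.group(4), m.group(5))))
        elif m := NAT0.match(line):
            nat0 = m.group(1)
        elif m := MATCH.match(line):
            crypto = m.group(1)
    return acls, nat0, crypto

def check_pair(local_cfg, peer_cfg):
    """Return findings for the local side; an empty list means it is consistent with the peer."""
    acls, nat0, crypto = parse(local_cfg)
    peer_acls, _, peer_crypto = parse(peer_cfg)
    findings = []
    if nat0 == crypto:
        findings.append(f"nat 0 and crypto map share ACL {crypto}; use a separate nat0 ACL")
    local = set(acls.get(crypto, []))
    mirrored = {(dst, src) for src, dst in peer_acls.get(peer_crypto, [])}
    for src, dst in sorted(local - mirrored):
        findings.append(f"{crypto}: {src[0]} -> {dst[0]} has no mirror entry on the peer")
    for src, dst in sorted(local):
        if (dst, src) in local and src < dst:  # report each reversed pair once
            findings.append(f"{crypto}: both directions of {src[0]}/{dst[0]} are in one ACL")
    return findings
```

Running check_pair(BO1_CFG, BO2_CFG) returns no findings, while check_pair(BO2_CFG, BO1_CFG) reports the shared nat 0 ACL, the unmirrored entry and the doubled direction.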

ddidpm506 Thu, 05/24/2007 - 09:07

Thanks, I appreciate your help.

One question though: I think my problem is that the PIXs cannot form an SA. I can see how the change you suggested would affect routing traffic through the tunnel once formed, but my problem is that I can't get a tunnel formed at all.

Is there a command to force one PIX to form an SA with a peer?

Thanks,

Dean

acomiskey Thu, 05/24/2007 - 09:15

No, you must initiate traffic which matches the traffic defined in your crypto ACLs.

Try this and ensure it is the same on both ends:

no isakmp identity hostname

isakmp identity address
