Branch-to-branch VPN

May 24th, 2007

I'm trying to set up a branch office VPN. I'm using a PIX-506e, my peer is a PIX-515. I've attached my (sanitized) configuration, and there's an equivalent one in the 515.


Network setup:

BO1 Inside: 192.168.0.0

BO2 Inside: 130.45.14.0


We cannot establish a Security Association. We can, of course, ping each other's outside addresses.


Two initial questions:


1. Can someone see anything obviously wrong?

2. The command "clear isakmp sa" breaks any existing SAs; is there a command that forces one PIX to attempt to form an SA with its peer?


Thanks in advance,

dpm




acomiskey Thu, 05/24/2007 - 08:19

First of all, you do not need to have both of these statements in one PIX.


access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0


You should have the first in BO2 and the next in BO1.


It is also recommended and good form to use separate ACLs to define this traffic and the traffic defined by your nat (inside) 0 statement, even though it is the same. So I would change it to


BO2

nat (inside) 0 access-list cleanVPN_nat0

access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list cleanVPN_nat0 permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto map cleanVPNmap 88 match address cleanVPN


BO1

nat (inside) 0 access-list cleanVPN_nat0

access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

access-list cleanVPN_nat0 permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

crypto map cleanVPNmap 88 match address cleanVPN


Let me know how that goes.

ddidpm506 Thu, 05/24/2007 - 09:07

Thanks, I appreciate your help.


One question though: I think my problem is that the PIXs aren't forming, or can't form, an SA. I can see how the change you suggested would affect routing traffic through the tunnel once formed, but my problem is that I can't get a tunnel formed at all.


Is there a command to force one PIX to form an SA with a peer?


Thanks,

Dean


acomiskey Thu, 05/24/2007 - 09:15

No, you must initiate traffic which matches the traffic defined in your crypto ACLs.


Try this and ensure it is the same on both ends:


no isakmp identity hostname

isakmp identity address
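The two answers above boil down to three things that must line up between the peers: each side's crypto ACL is the mirror image of the other's, the crypto map and nat 0 reference separate ACLs, and the isakmp identity setting is the same on both ends. The checker below is an added example, not code from the thread or from Cisco; the two configs are constructed samples (BO2 deliberately repeats the mistakes discussed), and the function names are hypothetical.

```python
import re
# Constructed sample configs (not the poster's attachment). BO2 repeats the thread's
# mistakes: both ACL directions, nat 0 sharing the crypto ACL, a different identity.
BO1_CFG = """
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
access-list cleanVPN_nat0 permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
nat (inside) 0 access-list cleanVPN_nat0
crypto map cleanVPNmap 88 match address cleanVPN
isakmp identity address
"""
BO2_CFG = """
access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0
nat (inside) 0 access-list cleanVPN
crypto map cleanVPNmap 88 match address cleanVPN
isakmp identity hostname
"""
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def parse(cfg):
    """Collect ACL entries, the nat 0 ACL, the crypto map ACL and the ISAKMP identity."""
    info = {"acls": {}, "crypto_acl": None, "nat0_acl": None, "identity": None}
    for line in cfg.strip().splitlines():
        m = ACL_RE.match(line)
        if m:
            info["acls"].setdefault(m.group(1), []).append(m.group(2, 3, 4, 5))
        elif line.startswith("nat (inside) 0 access-list "):
            info["nat0_acl"] = line.split()[-1]
        elif line.startswith("crypto map ") and " match address " in line:
            info["crypto_acl"] = line.split()[-1]
        elif line.startswith("isakmp identity "):
            info["identity"] = line.split()[-1]
    return info

def mirror(entries):
    """Swap source and destination so the peer's crypto ACL can be compared with ours."""
    return sorted((d, dm, s, sm) for (s, sm, d, dm) in entries)

def check_pair(a_cfg, b_cfg):
    """Return the mismatches that stop two PIX peers from agreeing on an SA."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    for name, p in (("A", a), ("B", b)):
        if p["crypto_acl"] == p["nat0_acl"]:
            findings.append(f"{name}: crypto map and nat 0 both use ACL {p['crypto_acl']}")
    if sorted(a["acls"].get(a["crypto_acl"], [])) != mirror(b["acls"].get(b["crypto_acl"], [])):
        findings.append("crypto ACLs are not mirror images of each other")
    if a["identity"] != b["identity"]:
        findings.append(f"isakmp identity differs: A={a['identity']} B={b['identity']}")
    return findings
```

Running check_pair(BO1_CFG, BO2_CFG) reports all three problems; once BO2 carries only its own direction, a separate nat 0 ACL and the same identity setting, it reports nothing.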
