IPSec tunnel between site to site

Unanswered Question
Jun 2nd, 2008

Hi,


I have a PIX515E configured and working fine. It has the site-to-site IPSec configuration (main site A to site B and site A to site C), and it is working fine also. Now the customer wants another site-to-site IPSec tunnel between site A and site D.


When I create this IPSec site-to-site configuration, the previous site-to-site IPSec tunnel is getting disabled.


Can any of you help me to configure a main site to multiple site IPSec tunnel?


Thanks and Regards,


S.Venkataraman.

tj.mitchell Mon, 06/02/2008 - 08:49

Sounds like you are using two different crypto maps, then enabling the new crypto map on the outside interface, thus disabling the existing tunnels.

Please post the configs, but this is what it sounds like you are doing.


HTH..


pls rate if this is helpful

Fernando_Meza Thu, 06/05/2008 - 02:26

Hi ...


Assuming that your internal network is 172.16.30.0 and the other site is named Remote-Site, then the configuration below should get your third tunnel working.



** Traffic to be tunneled
access-list crypto_map_60 extended permit ip 172.16.30.0 255.255.255.0 Remote-Site 255.255.255.0

** Bypassed NAT for traffic to be tunneled
access-list inside_nat0_outbound_1 extended permit ip 172.16.30.0 255.255.255.0 Remote-Site 255.255.255.0



** Tunnel group (xxx.xxx.xxx.xxx is the IP address of the other VPN termination device)
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key your-key <- same on other site




***** isakmp phase 1 ******
crypto isakmp policy 60
authentication pre-share
encryption 3des <- same on other site
hash md5 <- same on other site
group 2 <- same on other site
lifetime 7200 <- same on other site



***** isakmp phase 2 *****
crypto map outside_map 60 match address crypto_map_60
crypto map outside_map 60 set peer xxx.xxx.xxx.xxx <- IP address of the other VPN termination device
crypto map outside_map 60 set transform-set ESP-3DES-MD5 <- same on other site


You might need to re-apply the crypto map again ..

**** re-apply the crypto map to the outside interface
no crypto map outside_map interface outside
crypto map outside_map interface outside


NOTE: it is VERY IMPORTANT that the remote device has the same parameters for phase 1 and 2: the same pre-shared key and the same traffic to be tunneled.


hope it helps .. please rate it if it does
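The failure mode both replies describe (a new tunnel added as a separately named crypto map and then bound to the outside interface, which replaces the map already there and takes the existing tunnels down) can be caught by reading the configuration before it is applied. The script below is an added example, not part of this thread and not a Cisco tool: it parses PIX/ASA-style "crypto map" lines, reports when more than one map name is bound to the outside interface, flags entries that live in a map other than the active one, and checks that every sequence entry has its match ACL, peer and transform-set. The two sample configurations are constructed; peer addresses and the "siteD_map" name are placeholders.

```python
"""Audit PIX/ASA-style crypto map configuration for the multi-site pitfall:
all site-to-site tunnels must be entries (distinct sequence numbers) of ONE
crypto map, and only that map may be bound to the outside interface.
Added example; sample configs are constructed, addresses are placeholders."""
import re
from collections import defaultdict

# Constructed: sites B and C are in outside_map; site D was added as a separate
# map "siteD_map" and bound to the interface, displacing outside_map.
BROKEN_CONFIG = """\
access-list crypto_map_20 extended permit ip 172.16.30.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list crypto_map_40 extended permit ip 172.16.30.0 255.255.255.0 10.40.0.0 255.255.255.0
access-list crypto_map_60 extended permit ip 172.16.30.0 255.255.255.0 10.60.0.0 255.255.255.0
crypto map outside_map 20 match address crypto_map_20
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address crypto_map_40
crypto map outside_map 40 set peer 198.51.100.40
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map siteD_map 10 match address crypto_map_60
crypto map siteD_map 10 set peer 198.51.100.60
crypto map outside_map interface outside
crypto map siteD_map interface outside
"""

# Constructed: same three sites, site D folded into outside_map as sequence 60.
FIXED_CONFIG = """\
access-list crypto_map_20 extended permit ip 172.16.30.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list crypto_map_40 extended permit ip 172.16.30.0 255.255.255.0 10.40.0.0 255.255.255.0
access-list crypto_map_60 extended permit ip 172.16.30.0 255.255.255.0 10.60.0.0 255.255.255.0
crypto map outside_map 20 match address crypto_map_20
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 40 match address crypto_map_40
crypto map outside_map 40 set peer 198.51.100.40
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 60 match address crypto_map_60
crypto map outside_map 60 set peer 198.51.100.60
crypto map outside_map 60 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")


def parse_crypto_config(text):
    """Return (entries, bindings, acls):
    entries  {(map_name, seq): {"match address": acl, "set peer": ip, ...}}
    bindings {interface: [map names in the order they were bound]}
    acls     set of access-list names defined in the config."""
    entries, bindings, acls = defaultdict(dict), defaultdict(list), set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            name, seq, key, val = m.groups()
            entries[(name, int(seq))][key] = val
        elif m := BIND_RE.match(line):
            bindings[m.group(2)].append(m.group(1))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
    return entries, bindings, acls


def audit_crypto_maps(text, interface="outside"):
    """Return a list of finding strings; an empty list means the config passes."""
    entries, bindings, acls = parse_crypto_config(text)
    findings = []
    bound = bindings.get(interface, [])
    if not bound:
        findings.append(f"no crypto map bound to interface {interface}")
    elif len(set(bound)) > 1:
        # Only one map can be active per interface: the last binding wins and
        # every tunnel defined in the earlier map(s) goes down.
        findings.append(f"multiple crypto maps bound to {interface}: {bound}; only '{bound[-1]}' is active")
    active = bound[-1] if bound else None
    for (name, seq), fields in sorted(entries.items()):
        for req in ("match address", "set peer", "set transform-set"):
            if req not in fields:
                findings.append(f"{name} {seq}: missing '{req}'")
        acl = fields.get("match address")
        if acl and acl not in acls:
            findings.append(f"{name} {seq}: match ACL '{acl}' is not defined")
        if active and name != active:
            findings.append(f"{name} {seq}: belongs to map '{name}', not the active map "
                            f"'{active}'; add it to '{active}' under a new sequence number")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]", audit_crypto_maps(cfg) or "OK")
```

Run it against a "show running-config" capture saved to a file by passing the file contents to audit_crypto_maps(); on the constructed broken config it reports the double binding, the two outside_map entries that are no longer active, and the missing transform-set on the new entry, while the fixed config (site D as sequence 60 of the same map, exactly the shape of the configuration above) produces no findings.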




