IPSec tunnel between site to site

Lavanholy
Level 1

Hi,

I have PIX515E configured and working fine. It has the Site-Site IPSec (Main site A to Site B and Site A to Site C) configuration and it is working fine also. Now the customer wants another Site-Site IPSec between site A to site D.

When I create this IPSec site-site configuration, the previous site-to-site IPSec tunnel is getting disabled.

Can any of you help me to configure Main site to multiple site IPSec tunnel?

Thanks and Regards,

S.Venkataraman.

6 Replies

andrew.prince
Level 10

Venkat,

Post the current configuration - sanitised of course.

Sounds like you are using two different crypto maps. Then enabling the new crypto map on the outside interface, thus disabling the existing tunnels.

Please post the configs, but this is what it sounds like you are doing.

HTH..

pls rate if this is helpful

Using Cisco PIX515E Site to multiple site IP Sec VPN tunnel

See the attachment.

Thanks and Regards,

S.Venkataraman.

Please see the attachment.

Guide me to configure Site to Multiple site IPsec VPN tunnel using Cisco PIX515E

Thanks and Regards,

S.Lavan

The problem could be with the interesting traffic ACL for crypto map 40.

Check to see if the access list is getting any hits.

Hi ...

Assuming that your internal network is 172.16.30.0 and the other site is named Remote-Site, then the below configuration should get your third tunnel working.

! Traffic to be tunneled
access-list crypto_map_60 extended permit ip 172.16.30.0 255.255.255.0 Remote-Site 255.255.255.0
! Bypassed NAT for traffic to be tunneled
access-list inside_nat0_outbound_1 extended permit ip 172.16.30.0 255.255.255.0 Remote-Site 255.255.255.0
! xxx.xxx.xxx.xxx is the IP address of the other VPN termination device
! pre-shared key: same on other site
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key your-key
! ***** isakmp phase 1 *****
! encryption, hash, group and lifetime: same on other site
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 7200
! ***** isakmp phase 2 *****
! peer: IP address of the other VPN termination device
! transform-set: same on other site
crypto map outside_map 60 match address crypto_map_60
crypto map outside_map 60 set peer xxx.xxx.xxx.xxx
crypto map outside_map 60 set transform-set ESP-3DES-MD5

You might need to re-apply the crypto map again:

! re-apply the crypto map to the outside interface
no crypto map outside_map interface outside
crypto map outside_map interface outside

NOTE: it is VERY IMPORTANT that the remote device has the same parameters for phase 1 and 2, the same pre-shared key, and the same traffic to be tunneled.

Hope it helps. Please rate it if it does.
