Adding tunnel to existing transport VPN configuration

Unanswered Question
Nov 19th, 2008

I've been checking steps on adding a VPN tunnel to an existing configuration and found this example on the wiki explaining IPSec between networks.


Do we follow similar steps when the case is host-to-host rather than network-to-network? Are there other steps related to step 3 and NAT? It isn't clear how the two access-list entries work together.


My main concern is disrupting remote access during the testing, especially if this requires multiple changes.


Existing PIX 515 config file output:


sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 10 set transform-set myset

crypto map mapname 10 ipsec-isakmp dynamic dynmap

crypto map mapname interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400


To add a new tunnel between my host and the remote host:

Peer IP address: 68.180.206.184

Local host: 209.85.171.99

Remote host: 68.180.210.120


1. Remove the crypto map that exists off the outside interface.

: unbinding the map tears down every tunnel using mapname (the remote-access clients included) until step 6 rebinds it
no crypto map mapname interface outside


2. Create a new crypto access-list with the source as the internal network of the PIX Firewall and the destination as the remote network.

: crypto ACL is written local (inside) host first, remote host second
access-list 103 permit ip host 209.85.171.99 host 68.180.210.120


3. Create an access-list for Network Address Translation (NAT) 0, identical to the crypto access-list, for the NAT bypass.

: NAT 0 ACL carries the same entry as the crypto ACL and must be bound with nat 0, or the traffic is translated before it reaches the crypto map
access-list 102 permit ip host 209.85.171.99 host 68.180.210.120
nat (inside) 0 access-list 102


4. Create a new crypto map with the same name, but with a different sequence number.

crypto map mapname 20 ipsec-isakmp

crypto map mapname 20 match address 103

crypto map mapname 20 set peer 68.180.206.184

crypto map mapname 20 set transform-set myset
: myset is esp-des esp-md5-hmac, so Phase 2 of this tunnel stays DES/MD5 even though isakmp policy 20 negotiates 3DES/SHA for Phase 1


5. Configure the ISAKMP policy and pre-shared key.

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

: <pre-shared-key> is a placeholder for the key string shared with the peer; the command needs it before the address keyword
isakmp key <pre-shared-key> address 68.180.206.184 netmask 255.255.255.255


6. Bind the crypto map to the outside interface.

crypto map mapname interface outside


Ping the remote host to bring up the new tunnel.
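The following is an added example and is not part of the original post or of Cisco's documentation: a small Python lint that parses the crypto-relevant lines of a PIX 6.x configuration (as produced by write terminal) and checks the things that decide whether a static crypto map entry added next to an existing dynamic one will work. It shows how the two access-list entries relate: the NAT 0 ACL must carry the same entry as the crypto ACL, both written from the local host toward the remote host, and it must be bound with nat (inside) 0 access-list. It also flags a static peer with no isakmp key, a transform-set that is not defined, and a dynamic entry whose sequence number sorts before the static one. The two config strings are constructed for the example: one is the six steps as posted, the other the same with the ACL direction, the nat 0 binding and a placeholder pre-shared key (PLACEHOLDER-KEY, an assumption) filled in. The set of local hosts passed to lint_text and the regex-based parser are assumptions of the example, not a PIX feature.

```python
import re

# Constructed for this example: the poster's existing dynamic-map lines...
EXISTING = """
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mapname 10 ipsec-isakmp dynamic dynmap
"""
# ...plus the six steps as posted (ACL remote -> local, no nat 0 binding, keyless isakmp key line).
PROPOSED_CONFIG = EXISTING + """
access-list 103 permit ip host 68.180.210.120 host 209.85.171.99
access-list 102 permit ip host 68.180.210.120 host 209.85.171.99
crypto map mapname 20 ipsec-isakmp
crypto map mapname 20 match address 103
crypto map mapname 20 set peer 68.180.206.184
crypto map mapname 20 set transform-set myset
isakmp key address 68.180.206.184 netmask 255.255.255.255
crypto map mapname interface outside
"""
# Same, with ACL local -> remote, nat 0 bound to ACL 102, and a placeholder key (an assumption).
CORRECTED_CONFIG = EXISTING + """
access-list 103 permit ip host 209.85.171.99 host 68.180.210.120
access-list 102 permit ip host 209.85.171.99 host 68.180.210.120
nat (inside) 0 access-list 102
crypto map mapname 20 ipsec-isakmp
crypto map mapname 20 match address 103
crypto map mapname 20 set peer 68.180.206.184
crypto map mapname 20 set transform-set myset
isakmp key PLACEHOLDER-KEY address 68.180.206.184 netmask 255.255.255.255
crypto map mapname interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip host (\S+) host (\S+)$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask \S+$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) ")


def parse_config(text):
    # Collect only what a static crypto map entry depends on (PIX 6.x syntax).
    cfg = {"acls": {}, "nat0": None, "static": {}, "dynamic": {},
           "keys": set(), "transform_sets": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):  # ':' starts a comment in a PIX config
            continue
        if m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAT0_RE.match(line):
            cfg["nat0"] = m.group(1)
        elif m := TS_RE.match(line):
            cfg["transform_sets"].add(m.group(1))
        elif m := KEY_RE.match(line):
            cfg["keys"].add(m.group(1))
        elif m := MAP_RE.match(line):
            seq, rest = int(m.group(2)), m.group(3).split()
            if rest[:2] == ["ipsec-isakmp", "dynamic"]:
                cfg["dynamic"][seq] = rest[-1]
            else:
                entry = cfg["static"].setdefault(seq, {})
                for key, words in (("acl", ["match", "address"]), ("peer", ["set", "peer"]),
                                   ("transform_set", ["set", "transform-set"])):
                    if rest[:2] == words:
                        entry[key] = rest[-1]
    return cfg


def lint(cfg, local_hosts):
    # Return the list of problems; an empty list means the static entries look consistent.
    problems = []
    for seq, entry in sorted(cfg["static"].items()):
        acl = entry.get("acl")
        if acl not in cfg["acls"]:
            problems.append(f"seq {seq}: match address ACL {acl} is not defined")
            continue
        if entry.get("peer") not in cfg["keys"]:
            problems.append(f"seq {seq}: no isakmp key for peer {entry.get('peer')}")
        if entry.get("transform_set") not in cfg["transform_sets"]:
            problems.append(f"seq {seq}: transform-set {entry.get('transform_set')} is not defined")
        for src, _dst in cfg["acls"][acl]:
            if src not in local_hosts:  # crypto ACLs are written local -> remote
                problems.append(f"seq {seq}: ACL {acl} source {src} is not a local host")
        if cfg["nat0"] is None:
            problems.append(f"seq {seq}: no nat 0 ACL, so traffic matching {acl} is translated first")
        elif cfg["acls"].get(cfg["nat0"], []) != cfg["acls"][acl]:
            problems.append(f"seq {seq}: nat 0 ACL {cfg['nat0']} does not mirror crypto ACL {acl}")
        for dseq in cfg["dynamic"]:
            if dseq < seq:  # Cisco: give the dynamic entry the highest sequence number
                problems.append(f"seq {seq}: dynamic entry {dseq} sorts before this static entry")
    return problems


def lint_text(text, local_hosts):
    return lint(parse_config(text), set(local_hosts))


if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(name, lint_text(text, {"209.85.171.99"}) or ["ok"])
```

Run as a script it prints four findings for the posted steps (reversed ACL, no nat 0 binding, no key for the peer, dynamic entry ahead of the static one) and one for the corrected config: the dynamic map still sits at sequence 10 below the new static entry 20. Moving the dynamic entry to a high sequence number (for example 65535) so that static entries are evaluated first leaves no findings.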

