HELP - Pix to Pix VPN on 2 interfaces

Unanswered Question
May 9th, 2006

Hi,

I am really stuck on this one. I want to configure a VPN between 3 PIX 515 devices. PixA will connect to PixB and PixC, but PixB and PixC will not connect directly.


I have successfully created the VPN between PixA and PixB. I am now trying to configure PixA to connect to PixC on another interface (ethernet2), and the ISAKMP phase 2 is failing with a "SA NOT ACCEPTABLE" error. I relaxed my acl to accept any ip, but am no farther ahead.


Questions:

Can I use the same ACL for both tunnels?

That is what I am trying to do...


Can I simply create a new map and apply it to ethernet2, and use the same isakmp policy?



Here are the crypto / isakmp configs. Again, PixA to PixB works. PixA to PixC does not.


PixA:

ip address outside xxx.yyy.6.19 255.255.255.248
ip address inside 192.168.3.5 255.255.255.0
ip address outside2 aaa.bbb.80.80 255.255.255.0
...
access-list 101 permit ip any any
access-list outside_access_in permit ip any 192.168.3.0 255.255.255.0
access-list outside_access_in permit ip any aaa.bbb.80.0 255.255.255.0
...
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside2
...
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address 101
crypto map map1 1 set peer xxx.yyy.6.20
crypto map map1 1 set transform-set strong
crypto map map1 interface outside
crypto map map2 1 ipsec-isakmp
crypto map map2 1 match address 101
crypto map map2 1 set peer aaa.bbb.80.90
crypto map map2 1 set transform-set strong
crypto map map2 interface outside2
isakmp enable outside
isakmp enable outside2
isakmp key ******** address xxx.yyy.6.20 netmask 255.255.255.255
isakmp key ******** address aaa.bbb.80.90 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400



PixB:

...
access-list 101 permit ip any any
access-list outside_access_in permit ip any host 192.168.1.0
access-group outside_access_in in interface outside
...
ip address outside xxx.yyy.6.20 255.255.255.0
ip address inside 192.168.1.17 255.255.255.252
...
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address 101
crypto map map1 1 set peer xxx.yyy.6.19
crypto map map1 1 set transform-set strong
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address xxx.yyy.6.19 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400


PixC:

...
ip address outside aaa.bbb.80.90 255.255.255.0
ip address inside 10.10.10.17 255.255.255.252
...
access-list 101 permit ip any any
access-list outside_access_in permit ip any host 10.10.10.0
access-group outside_access_in in interface outside
...
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address 101
crypto map map1 1 set peer aaa.bbb.80.80
crypto map map1 1 set transform-set strong
isakmp enable outside
isakmp key ******** address aaa.bbb.80.80 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400


I would really appreciate any help you may offer.


P.O

dmease Thu, 05/11/2006 - 01:48

You can't use the same access list for two different tunnels. When the packet gets to the PIX, how will it know which tunnel to go down?

Are the networks the same at site B and C? What are you trying to achieve?
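One way to apply this advice on PixA, written here as an added example rather than anything posted in the thread: give each crypto map its own ACL that names only that peer's protected network, so a packet matches exactly one tunnel. It assumes the inside networks behind PixB and PixC are the /30s shown in the question (192.168.1.16/30 and 10.10.10.16/30), that PixA's inside is 192.168.3.0/24, that NAT is in use on the inside interface, and uses PIX 6.3 syntax; ACL names are made up for the example.

```cisco
! PixA (constructed example, not the poster's config)
! One crypto ACL per peer: each names only the traffic for that tunnel.
access-list to-pixb permit ip 192.168.3.0 255.255.255.0 192.168.1.16 255.255.255.252
access-list to-pixc permit ip 192.168.3.0 255.255.255.0 10.10.10.16 255.255.255.252
! Exempt the same tunnel traffic from NAT so the proxy IDs match what the peers expect.
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.1.16 255.255.255.252
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.10.10.16 255.255.255.252
nat (inside) 0 access-list nonat
! Point each map at its own ACL instead of the shared any/any list 101.
crypto map map1 1 match address to-pixb
crypto map map2 1 match address to-pixc

! PixB: the crypto ACL must be the exact mirror of PixA's to-pixb.
access-list to-pixa permit ip 192.168.1.16 255.255.255.252 192.168.3.0 255.255.255.0
crypto map map1 1 match address to-pixa

! PixC: mirror of PixA's to-pixc, and the map must be bound to the interface.
access-list to-pixa permit ip 10.10.10.16 255.255.255.252 192.168.3.0 255.255.255.0
crypto map map1 1 match address to-pixa
crypto map map1 interface outside
```

A phase 2 proposal is accepted only when the source/destination pair in one side's crypto ACL is the mirror image of the other side's, so checking that the two ACLs line up is the first thing to verify when "SA NOT ACCEPTABLE" appears.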
