Cisco Support Community
New Member

IPSec tunnel between site to site

Hi,

I have a PIX515E configured and working fine. It has the site-to-site IPSec configuration (main Site A to Site B and Site A to Site C) and it is working fine also. Now the customer wants another site-to-site IPSec tunnel between Site A and Site D.

When I create this IPSec site-to-site configuration, the previous site-to-site IPSec tunnel is getting disabled.

Can any of you help me to configure a main site to multiple site IPSec tunnel?

Thanks and Regards,

S.Venkataraman.

6 REPLIES

Re: IPSec tunnel between site to site

Venkat,

Post the current configuration - sanitised of course.

Bronze

Re: IPSec tunnel between site to site

Sounds like you are using two different crypto maps, then enabling the new crypto map on the outside interface, thus disabling the existing tunnels.

Please post the configs, but this is what it sounds like you are doing.

HTH..

pls rate if this is helpful

New Member

Re: IPSec tunnel between site to site

Using Cisco PIX515E site to multiple site IPSec VPN tunnel

See the attachment.

Thanks and Regards,

S.Venkataraman.

New Member

Re: IPSec tunnel between site to site

Please see the attachment.

Guide me to configure a site to multiple site IPSec VPN tunnel using Cisco PIX515E.

Thanks and Regards,

S.Lavan

Re: IPSec tunnel between site to site

The problem could be with the interesting traffic ACL for crypto map 40.

Check to see if the access list is getting any hits.

Re: IPSec tunnel between site to site

Hi ...

Assuming that your internal network is 172.16.30.0 and the other site is named Remote-Site, the configuration below should get your third tunnel working.

! ** Traffic to be tunneled

access-list crypto_map_60 extended permit ip 172.16.30.0 255.255.255.0 Remote-Site 255.255.255.0

! ** Bypassed NAT for traffic to be tunneled

access-list inside_nat0_outbound_1 extended permit ip 172.16.30.0 255.255.255.0 Remote-Site 255.255.255.0

! xxx.xxx.xxx.xxx is the IP address of the other VPN termination device

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l

tunnel-group xxx.xxx.xxx.xxx ipsec-attributes

! pre-shared key: same on other site

pre-shared-key your-key

! ***** isakmp phase 1 ******

! encryption, hash, group and lifetime: same on other site

crypto isakmp policy 60

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 7200

! ***** isakmp phase 2 *****

! peer is the IP address of the other VPN termination device; transform-set: same on other site

crypto map outside_map 60 match address crypto_map_60

crypto map outside_map 60 set peer xxx.xxx.xxx.xxx

crypto map outside_map 60 set transform-set ESP-3DES-MD5

! You might need to re-apply the crypto map again

! **** re-apply the crypto map to the outside interface

no crypto map outside_map interface outside

crypto map outside_map interface outside

NOTE: it is VERY IMPORTANT that the remote device has the same parameters for phase 1 and 2: the same pre-shared key, the same traffic to be tunneled.

hope it helps .. please rate it if it does
