I have a working VPN tunnel between a remote site with a 1720 and HQ with a 515 Pix. I am trying to establish another tunnel from another remote site with a 2620 to the same interface on the Pix. I used the config from the following URL as a base: http://www.cisco.com/warp/public/110/pixhubspoke.html. I have been able to successfully create the tunnel from the new remote site by itself, but not both tunnels at the same time. I am running all the debug crypto commands on both the router and the Pix. It does not even look like it is trying to establish an ISAKMP SA. The only debug I have got from the 2620 at the remote site is "CRYPTO_ENGINE key generation suspended and continued". Any ideas?
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
On the 515 PIX you need a map set for each peer. That is not clear in the documentation. You can't just list peers. For example, below are sets 34 and 136. I don't know the limit of sets, but the documentation says we can have 2000 VPN tunnels.
! crypto map entry (sequence 34): its own ACL and its own peer
crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address ACL34
crypto map WICmap 34 set peer 18.104.22.168
crypto map WICmap 34 set transform-set WICTransform
! crypto map entry (sequence 136): a second ACL for the second peer
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address ACL136
crypto map WICmap 136 set peer 22.214.171.124
crypto map WICmap 136 set transform-set WICTransform
Thanks for your reply. The problem with my config was that I was using the same access-list for both destination tunnels in both sequences of my crypto map. Because I was using the same access-list for inbound traffic from both sites on the Pix, I thought I had to use the same access-list for outgoing traffic from the Pix. As an example, I created a supernet on the Pix:
Central Pix = access-list Pix 192.168.0.0 255.255.252.0
Router A = access-list A 192.168.1.0 255.255.255.0
Router B = access-list B 192.168.2.0 255.255.255.0
So the subnet in the access-list on the Pix would cover both subnets on the remote routers. That will not work, so I changed to two different access-lists on the Pix.
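The failure described above follows from how a crypto map is evaluated: entries are walked in sequence order and the first entry whose crypto ACL permits the flow decides the peer, so a supernet ACL on sequence 34 swallows spoke B's traffic and sequence 136 never initiates IKE. As an added example (not from this thread and not Cisco code), the Python below models that first-match walk over the posted WICmap entries and lints for ACLs that overlap across different peers. The hub LAN 10.1.1.0/24 and the access-list lines are constructed for the demo; the map name, sequence numbers, peer addresses and spoke subnets are the ones posted above.

```python
# Added example for this thread: a model of PIX crypto-map selection plus an
# overlap lint. Not Cisco code and not the poster's config; the hub LAN
# 10.1.1.0/24 and the access-list lines are assumptions made for the demo.
import ipaddress
import re

# Constructed "before" config: both entries match the same 192.168.0.0/22 supernet.
BROKEN_CONFIG = """
access-list ACL34 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list ACL136 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.252.0
crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address ACL34
crypto map WICmap 34 set peer 18.104.22.168
crypto map WICmap 34 set transform-set WICTransform
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address ACL136
crypto map WICmap 136 set peer 22.214.171.124
crypto map WICmap 136 set transform-set WICTransform
"""

# Constructed "after" config: one ACL per spoke subnet, as the poster ended up doing.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "ACL34 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.252.0",
    "ACL34 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
).replace(
    "ACL136 permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.252.0",
    "ACL136 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0",
)

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def _net(addr, mask):
    # PIX ACLs use dotted netmasks; IPv4Network accepts "addr/mask" directly.
    return ipaddress.IPv4Network(f"{addr}/{mask}")


def parse_config(text):
    """Return ({acl_name: [(src_net, dst_net), ...]}, {seq: {"acl": ..., "peer": ...}}).
    Only 'permit ip' ACEs and a single crypto map are modelled."""
    acls, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
            continue
        m = MAP_RE.match(line)
        if m:
            _map_name, seq, kind, value = m.groups()
            entry = entries.setdefault(int(seq), {})
            entry["acl" if kind == "match address" else "peer"] = value
    return acls, entries


def select_entry(acls, entries, src, dst):
    """First-match walk in sequence order, as the PIX does: the first entry
    whose crypto ACL permits src->dst decides the peer. None means the flow
    is not interesting traffic for any entry (it would leave in the clear)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq in sorted(entries):
        for src_net, dst_net in acls.get(entries[seq].get("acl"), []):
            if src in src_net and dst in dst_net:
                return seq, entries[seq]["peer"]
    return None


def _overlap(rules_a, rules_b):
    return any(sa.overlaps(sb) and da.overlaps(db)
               for sa, da in rules_a for sb, db in rules_b)


def lint_overlaps(acls, entries):
    """Pairs of entries with different peers whose crypto ACLs overlap.
    Traffic in the overlap always goes to the lower-sequence peer, so the
    higher entry never initiates IKE and that tunnel never comes up."""
    problems, seqs = [], sorted(entries)
    for i, a in enumerate(seqs):
        for b in seqs[i + 1:]:
            if entries[a].get("peer") == entries[b].get("peer"):
                continue
            if _overlap(acls.get(entries[a].get("acl"), []),
                        acls.get(entries[b].get("acl"), [])):
                problems.append((a, b))
    return problems


if __name__ == "__main__":
    for label, cfg in (("supernet ACL", BROKEN_CONFIG), ("per-spoke ACLs", FIXED_CONFIG)):
        acls, entries = parse_config(cfg)
        print(label, "-> 10.1.1.10 to 192.168.2.5 uses entry",
              select_entry(acls, entries, "10.1.1.10", "192.168.2.5"))
        print(label, "-> overlapping entries:", lint_overlaps(acls, entries))
```

With the supernet ACL, traffic for spoke B's 192.168.2.0/24 is selected by sequence 34 and handed to spoke A's peer, which matches the symptom in the first post: no ISAKMP SA is even attempted for the second peer. Running the lint over a hub config before adding a spoke is a cheap check that each entry's crypto ACL is disjoint from every other peer's.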