client and L2L VPN from same IP

mbell · ‎08-28-2006

I have seen some other posts related to this topic but I've got a strange problem. I have a PC located at site 1 behind a 2801. This 2801 has L2L tunnels to two other sites, site 2 and site 3 using the 2801's outside IP address as the terminating IP. Sites 2 and 3 both have PIX 501s. PCs behind the 2801 are PAT'd to the 2801's outside IP address. From a PC behind the 2801, I can VPN to the PIX at site 2 but cannot VPN to the PIX at site 3. It gets hung at "securing communications channel". If I statically NAT my PC to another Internet IP address on the 2801, I can VPN to site 3 with no problem but as soon as I remove the static NAT and it starts PAT'ing to the 2801's outside IP address again, I can no longer VPN to site 3 but can still VPN to site 2. The VPN portions of the PIX configs are attached. It does not seem to me like it could be a problem with the 2801 because its ACL and NAT entries do not distinguish between the two remote sites. Any ideas what might be going on here and how to fix it? Thanks!

p.krane · ‎09-01-2006

Check the configurations in the following URL to enable split tunneling

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a00806370f9.html

mbell · ‎09-08-2006

It seems that the problem is a difference between 6.3(4) and 6.3(5). The PIX at Site2 (the one I could connect to) is running 6.3(4) while the PIX at Site3 has 6.3(5). In 6.3(5), the PIX tries to apply the static crypto map instance configuration (i.e. encryption and PFS settings) to the dynamic connection. As soon as I changed my static crypto map entry at Site3 to use 3DES and removed PFS, the client tunnel came right up.

Before saving the config, I downgraded to 6.3(4) and the client tunnel came up with no config changes. I still had DES and PFS configured in the static crypto map entry. I re-upgraded to 6.3(5) and again, the client would not connect until I removed PFS and changed the transform set to use 3DES.