06-27-2006 02:45 AM - edited 02-21-2020 02:30 PM
hi,
I have a site-to-site VPN tunnel between my head office and branch office-1; at both ends we are using PIX firewalls.
We have another branch office-2, where we are using a Cisco 1721 router. I want to establish a VPN tunnel between my PIX (head office) and the router (branch office-2).
Any suggestions would be greatly appreciated.
Kindly check the following attached network layout and PIX (head office) IPsec config.
thanks for any comments.
06-27-2006 05:59 AM
Here is a basic config of what you would need to put on your router for the tunnel:
! Phase 1 (ISAKMP) policy: 3DES with pre-shared key authentication
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Interesting traffic: what gets encrypted into the tunnel
ip access-list extended encrypt-acl
 permit
!
! Crypto map entry tying peer, transform set and interesting traffic together
crypto map outside_map 10 ipsec-isakmp
 set peer
 set transform-set ESP-3DES-SHA
 match address encrypt-acl
!
! The crypto map only takes effect once applied to the WAN interface
interface FastEthernet1/0
 ip address
 no shut
 crypto map outside_map
On your pix, you would just need to add another crypto segment for your new site-to-site tunnel.
Hope this helps.
06-29-2006 04:03 AM
Hello Sean,
Thanks for the reply.
Can you please mention the required crypto segment for the PIX, because I tried to add it on my PIX.
At that time my existing pix to pix tunnel got disconnected.
mike
06-29-2006 06:44 AM
Your tunnel dropped probably because you tried to use two
crypto map example_map 10 set peer 64.xxx.xxx.xxx.120
at the same time. To fix this, you will need to add the following:
crypto map example_map 20 ipsec-isakmp
crypto map example_map 20 match address 102
crypto map example_map 20 set peer
crypto map example_map 20 set transform-set cisco2
You will also need to create a new ACL to define the traffic that is to be encrypted and sent across this new tunnel. I changed the config to show 102 instead of 101, but you can use any number that is not currently in use.
Hope this helps.
07-01-2006 01:19 AM
07-01-2006 05:53 AM
07-01-2006 06:23 AM
Do you have the proper routes configured for the remote end subnets?
07-01-2006 07:36 AM
hi,
'YES', routes are perfect.
Thanks
07-01-2006 07:54 AM
On the router the crypto map is not applied to an interface. You need to apply the crypto map outside_map to an interface.
07-01-2006 11:49 AM
In addition to the crypto map not being applied to an interface, the transform sets that you are using on each side do not match. On the router you are using 3DES and SHA, but on your PIX you are using DES and MD5. I would match both of these to 3DES and SHA. Also, NAT is attempted first before traffic is handed to the crypto engine. You will need to modify your NAT ACLs on both devices to deny the tunnel traffic first, then permit the traffic you want. After that, your tunnel traffic will be handed to the crypto engine and go across the tunnel.
Hope this helps.
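Putting the thread's fixes together, here is an added example (not posted by anyone in this thread) of the PIX side with a second crypto map entry for the router peer, matching 3DES/SHA on both ends, and NAT exemption evaluated before the crypto map. All addresses, masks, the pre-shared key and ACL names are placeholders; the PIX syntax assumed is PIX 6.x, the router syntax is IOS 12.x as used in the thread.

```cisco
! ===== PIX (head office), PIX 6.x syntax =====
! Phase 1 and phase 2 must match the router: 3DES / SHA on both ends
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key <PSK-BRANCH2> address <ROUTER-WAN-IP> netmask 255.255.255.255
crypto ipsec transform-set cisco2 esp-3des esp-sha-hmac
! Interesting traffic for the new tunnel (102; 101 stays for branch office-1)
access-list 102 permit ip <HQ-LAN> <HQ-MASK> <BRANCH2-LAN> <BRANCH2-MASK>
! NAT is evaluated before the crypto map, so exempt both tunnels from NAT
access-list nonat permit ip <HQ-LAN> <HQ-MASK> <BRANCH1-LAN> <BRANCH1-MASK>
access-list nonat permit ip <HQ-LAN> <HQ-MASK> <BRANCH2-LAN> <BRANCH2-MASK>
nat (inside) 0 access-list nonat
! Second entry in the SAME crypto map: a new sequence number, not a second "10"
crypto map example_map 20 ipsec-isakmp
crypto map example_map 20 match address 102
crypto map example_map 20 set peer <ROUTER-WAN-IP>
crypto map example_map 20 set transform-set cisco2
crypto map example_map interface outside
sysopt connection permit-ipsec

! ===== Branch office-2 router (IOS) =====
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK-BRANCH2> address <PIX-WAN-IP>
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip access-list extended encrypt-acl
 permit ip <BRANCH2-LAN> <WILDCARD> <HQ-LAN> <WILDCARD>
! Deny tunnel traffic in the NAT ACL first, then permit everything else to be translated
ip access-list extended nat-acl
 deny   ip <BRANCH2-LAN> <WILDCARD> <HQ-LAN> <WILDCARD>
 permit ip <BRANCH2-LAN> <WILDCARD> any
ip nat inside source list nat-acl interface FastEthernet1/0 overload
crypto map outside_map 10 ipsec-isakmp
 set peer <PIX-WAN-IP>
 set transform-set ESP-3DES-SHA
 match address encrypt-acl
! The map does nothing until it is bound to the WAN interface
interface FastEthernet1/0
 crypto map outside_map
```

After applying it, "show crypto isakmp sa" and "show crypto ipsec sa" on the router (and "show crypto isakmp sa" / "show crypto ipsec sa" on the PIX) should show phase 1 and phase 2 SAs for both peers without the existing PIX-to-PIX tunnel dropping.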