03-23-2006 12:26 PM - edited 03-09-2019 02:22 PM
I have a 3825 router which is connected to site A (172.16.2.14) and site B (172.16.2.10) routers via two different links.
I configured crypto maps on the hub router with different sequence numbers, with site A as the primary peer for network 172.32.40.0/24 except 172.32.40.240/28, and site B as backup.
The network 172.32.40.240/28 has a primary peer to site B and site A as backup.
But whenever I configure a second peer on the 2nd crypto map it does not work and tries to connect only to 172.16.2.14 and not to 172.16.2.10.
My configurations on the hub router are as follows.
Please let me know if I am missing something in my configurations.
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxx address 172.x.x.14
crypto isakmp key xxxx address 172.x.x.10
crypto isakmp keepalive 10 5 periodic
no crypto isakmp ccm
!
!
crypto ipsec transform-set Schwab esp-3des esp-md5-hmac
!
crypto map Ser0 1 ipsec-isakmp
 set peer 172.16.2.14 default
 set peer 172.16.2.10
 set security-association idle-time 60 default
 set transform-set Schwab
 match address 115
crypto map Ser0 2 ipsec-isakmp
 set peer 172.16.2.10 default
 set peer 172.16.2.14
 set security-association idle-time 60 default
 set transform-set Schwab
 match address 116
access-list 115 deny ip host 172.32.40.100 162.93.0.0 0.0.255.255
access-list 115 deny ip host 172.32.40.100 192.168.0.0 0.0.255.255
access-list 115 deny ip host 172.32.40.100 10.0.0.0 0.255.255.255
access-list 115 deny ip 172.32.40.240 0.0.0.15 10.0.0.0 0.255.255.255
access-list 115 deny ip 172.32.40.240 0.0.0.15 162.93.0.0 0.0.255.255
access-list 115 deny ip 172.32.40.240 0.0.0.15 192.168.0.0 0.0.255.255
access-list 115 permit ip 172.32.40.0 0.0.0.255 162.93.0.0 0.0.255.255
access-list 115 permit ip 172.32.40.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 115 permit ip 172.32.40.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 116 permit ip 172.32.40.240 0.0.0.15 10.0.0.0 0.255.255.255
access-list 116 permit ip 172.32.40.240 0.0.0.15 162.93.0.0 0.0.255.255
access-list 116 permit ip 172.32.40.240 0.0.0.15 192.168.0.0 0.0.255.255
03-25-2006 09:15 AM
Narayan
I believe that there is a simple explanation for your symptoms. All the traffic that would be permitted in access list 116 is also permitted in access list 115. As the crypto map is processed from beginning to end the traffic matches the access list in the first part of the crypto map and never gets to the second part of the crypto map. If you want the second part of the crypto map to see the traffic you need to add this to the beginning of access list 115.
access-list 115 deny ip 172.32.40.240 0.0.0.15 10.0.0.0 0.255.255.255
access-list 115 deny ip 172.32.40.240 0.0.0.15 162.93.0.0 0.0.255.255
access-list 115 deny ip 172.32.40.240 0.0.0.15 192.168.0.0 0.0.255.255
Try it and let us know how it works.
HTH
Rick
03-25-2006 12:36 PM
Hi Rick,
I have denied this traffic in the first access-list. If you go through the 4th, 5th and 6th lines of access-list 115 you will see it.
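As an added illustration for Rick's explanation and Narayan's follow-up (this is not code from the thread), here is a small Python model of how a crypto map is evaluated: entries in sequence order, each ACL first-match with an implicit deny, and the first entry whose ACL permits the flow wins. The access lists are transcribed from the hub configuration posted above; the sample flows and the destination 10.1.1.1 are constructed.

```python
import ipaddress

# Access lists transcribed from the hub configuration posted above.
# Each entry: (action, source base, source wildcard, destination base, destination wildcard).
ACL_115 = [
    ("deny",   "172.32.40.100", "0.0.0.0",   "162.93.0.0",  "0.0.255.255"),
    ("deny",   "172.32.40.100", "0.0.0.0",   "192.168.0.0", "0.0.255.255"),
    ("deny",   "172.32.40.100", "0.0.0.0",   "10.0.0.0",    "0.255.255.255"),
    ("deny",   "172.32.40.240", "0.0.0.15",  "10.0.0.0",    "0.255.255.255"),
    ("deny",   "172.32.40.240", "0.0.0.15",  "162.93.0.0",  "0.0.255.255"),
    ("deny",   "172.32.40.240", "0.0.0.15",  "192.168.0.0", "0.0.255.255"),
    ("permit", "172.32.40.0",   "0.0.0.255", "162.93.0.0",  "0.0.255.255"),
    ("permit", "172.32.40.0",   "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "172.32.40.0",   "0.0.0.255", "10.0.0.0",    "0.255.255.255"),
]
ACL_116 = [
    ("permit", "172.32.40.240", "0.0.0.15", "10.0.0.0",    "0.255.255.255"),
    ("permit", "172.32.40.240", "0.0.0.15", "162.93.0.0",  "0.0.255.255"),
    ("permit", "172.32.40.240", "0.0.0.15", "192.168.0.0", "0.0.255.255"),
]
# Crypto map "Ser0": (sequence, match ACL, default peer), evaluated lowest sequence first.
CRYPTO_MAP = [(1, ACL_115, "172.16.2.14"), (2, ACL_116, "172.16.2.10")]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are 'don't care' bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(acl, src, dst):
    """First-match evaluation of an extended ACL; implicit deny when nothing matches."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def select_peer(src, dst):
    """Default peer of the first crypto map entry whose ACL permits the flow, else None."""
    for _seq, acl, peer in CRYPTO_MAP:
        if acl_action(acl, src, dst) == "permit":
            return peer
    return None  # not interesting traffic for any entry: sent unencrypted

if __name__ == "__main__":
    # Constructed sample flows: a /28 host, an ordinary /24 host and the excluded .100 host.
    for src in ("172.32.40.250", "172.32.40.50", "172.32.40.100"):
        print(src, "-> 10.1.1.1 is matched by peer", select_peer(src, "10.1.1.1"))
```

The model covers only traffic classification; it does not simulate which of the two configured peers the router actually negotiates with once an entry is selected, so it helps check the ACL logic Rick describes rather than the peer failover itself.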