Multiple Site-Site VPN Tunnel on a Single PiX Firewall

dasgill
Level 1

I currently have a site to site VPN tunnel (VPN1) between HK (PIX ver 6.1(2)) & Leeds (ASA version 7.2(2)). I am in the process of migrating the VPN tunnel to a newly deployed 10 Mb internet link in Leeds which has a PIX 506E Ver 7.0(2). I have decided to create a 2nd VPN tunnel to HK (VPN2) and will shut down VPN1 when VPN2 is up.

On the HK PIX I am using the same isakmp policy and transform-set, and have created another crypto map entry for the new VPN (VPN2).

On passing interesting traffic to establish the new tunnel from the Leeds end, I am getting the following debugging errors.

Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!

Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 192.168.0.1

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

Site HK - PIX1(192.168.0.1)

crypto ipsec transform-set chevvie esp-des esp-md5-hmac

(crypto map for existing VPN (VPN1))

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 192.168.0.2

crypto map transam 1 set transform-set chevvie

(New crypto map for new VPN (VPN2))

crypto map transam 2 ipsec-isakmp

crypto map transam 2 match address 101

crypto map transam 2 set peer 192.168.0.3

crypto map transam 2 set transform-set chevvie

crypto map transam interface outside

isakmp enable outside

isakmp key ****** address 192.168.0.2 netmask 255.255.255.255

isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp am-disable

floodguard enable

sysopt connection permit-ipsec

no sysopt route dnat

Site - Leeds PIX2 (192.168.0.3)

crypto ipsec transform-set ford esp-des esp-md5-hmac

crypto map VPNHK 2 match address outside_crypto_acl

crypto map VPNHK 2 set peer 192.168.0.1

crypto map VPNHK 2 set transform-set ford

crypto map VPNHK interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp am-disable

tunnel-group 192.168.0.1 type ipsec-l2l

tunnel-group 192.168.0.1 ipsec-attributes

pre-shared-key ev0lut10n

sysopt connection permit-ipsec

Your assistance will be greatly appreciated.

koltl-gold
Level 1

How could the HK PIX decide which tunnel to use if you apply the same ACL to both? You have to choose a different subnet to Leeds2.

Peter
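A small config check for the problem Peter points out, added here as an example and not taken from the thread: it parses the HK crypto map lines quoted in the post and flags a later sequence entry that reuses a match-address ACL already bound to a different peer. Because the PIX walks crypto map entries in sequence order and stops at the first ACL match, such an entry is shadowed and its peer is never selected for that traffic. The "fixed" variant (ACL 102 for VPN2) is an assumed correction, not config from the post.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto map lines from the HK PIX config in the post.
HK_CONFIG = """
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer 192.168.0.2
crypto map transam 1 set transform-set chevvie
crypto map transam 2 ipsec-isakmp
crypto map transam 2 match address 101
crypto map transam 2 set peer 192.168.0.3
crypto map transam 2 set transform-set chevvie
crypto map transam interface outside
"""

# Hypothetical corrected version: VPN2 gets its own ACL (102) describing the
# new Leeds subnet, so each entry selects a distinct set of interesting traffic.
FIXED_CONFIG = HK_CONFIG.replace("transam 2 match address 101",
                                 "transam 2 match address 102")

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")

def parse_crypto_maps(config):
    """Return {(map_name, seq): {'acl': ..., 'peer': ...}} for every entry."""
    entries = defaultdict(dict)
    for line in config.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # transform-set, ipsec-isakmp and interface lines are not needed
        name, seq, kind, value = m.groups()
        key = "acl" if kind == "match address" else "peer"
        entries[(name, int(seq))][key] = value
    return dict(entries)

def find_shadowed_entries(config):
    """List (map_name, acl, first_seq, shadowed_seq) where a later entry reuses
    an ACL that an earlier entry already binds to a different peer."""
    first_use = {}   # (map_name, acl) -> (seq, peer) of the earliest entry
    problems = []
    for (name, seq), entry in sorted(parse_crypto_maps(config).items()):
        acl, peer = entry.get("acl"), entry.get("peer")
        if acl is None:
            continue
        prior = first_use.get((name, acl))
        if prior and prior[1] != peer:
            problems.append((name, acl, prior[0], seq))
        else:
            first_use.setdefault((name, acl), (seq, peer))
    return problems
```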