Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX multiple VPN's


I am using pix515 and 506 (v 634) with pdm (v 302).

I can get a site to site tunnel up and going ,although if I want to add more than 1 tunnel, it's not working.

I get the following error:

[ERR]crypto map outside_map 40 set peer

WARNING: This crypto map is incomplete.

To remedy the situation add a peer and a valid access-list to this crypto map.

I have repeat thing a lot of time, and always get the same error on any device.

Always when creating the 2nd tunnel. Using the same procedure is fine when creating the first tunnel.

Is there something to do, before creating a 2nd tunnel???

Thanks for your help



Re: PIX multiple VPN's

Hi Cedric,

It's something to do with the VPN configuration. Can you post the config to have a better look at it?



New Member

Re: PIX multiple VPN's

what info do you exactly need? i only use the pdm, how can i export the vpn conf?

New Member

Re: PIX multiple VPN's

here is the conf:

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 83.206.2x.1x

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 83.206.2x.1x netmask no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

Re: PIX multiple VPN's


From the error msg, I can see you're trying to add another crypto map (outside_map 40) and bind it to the outside interface. This is not possible as only one (1) crypto map is accepted.

What you do is to add your new VPN peer (ip address) to the existing crypto map 20. For the transform set, you may use different set or same name (if policy is still the same). Example:

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set ESP-3DES-MD5

For isakmp policy, you may the same or different priority no, e.g isakmp policy 40 ...., with different encryption, hash, group & lifetime value. You need to maintain the authentication method using pre-share, except for different key between peers.

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption xxx

isakmp policy 40 hash xxx

isakmp policy 40 group xxx

isakmp policy 40 lifetime xxx

Next, add the new key and new peer VPN address.

isakmp key ******** address 83.206.2x.1x netmask no-xauth no-config-mode #existing

isakmp key address netmask no-xauth no-config-mode #NEW!

Last, make sure to bind your ACL allowing your local subnet to talk to the remote subnet on the correct interface, e,g nat (inside) 0 access-list yyy.

This should be similar to your existing ACL and NAT 0.

Hope this can help.