Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
391
Views
0
Helpful
4
Replies

PIX multiple VPN's

stepaneurope
Level 1
Level 1

‎10-25-2005 02:03 AM - edited ‎02-21-2020 02:03 PM

Hi,

I am using pix515 and 506 (v 634) with pdm (v 302).

I can get a site to site tunnel up and going ,although if I want to add more than 1 tunnel, it's not working.

I get the following error:

[ERR]crypto map outside_map 40 set peer 83.206.14.109

WARNING: This crypto map is incomplete.

To remedy the situation add a peer and a valid access-list to this crypto map.

I have repeat thing a lot of time, and always get the same error on any device.

Always when creating the 2nd tunnel. Using the same procedure is fine when creating the first tunnel.

Is there something to do, before creating a 2nd tunnel???

Thanks for your help

Cedric

Labels:
0 Helpful
4 Replies 4

a.kiprawih
Level 7
Level 7

‎10-25-2005 02:11 AM

Hi Cedric,

It's something to do with the VPN configuration. Can you post the config to have a better look at it?

Rgds,

AK

0 Helpful

stepaneurope
Level 1
Level 1
In response to a.kiprawih

‎10-25-2005 04:23 AM

what info do you exactly need? i only use the pdm, how can i export the vpn conf?

0 Helpful

stepaneurope
Level 1
Level 1
In response to a.kiprawih

‎10-25-2005 05:28 AM

here is the conf:

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 83.206.2x.1x

crypto map outside_map 20 set transform-set ESP-DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 83.206.2x.1x netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

0 Helpful

a.kiprawih
Level 7
Level 7
In response to stepaneurope

‎10-25-2005 08:56 PM

Hi,

From the error msg, I can see you're trying to add another crypto map (outside_map 40) and bind it to the outside interface. This is not possible as only one (1) crypto map is accepted.

What you do is to add your new VPN peer (ip address) to the existing crypto map 20. For the transform set, you may use different set or same name (if policy is still the same). Example:

crypto map outside_map 20 set peer 83.206.14.109

crypto map outside_map 20 set transform-set ESP-3DES-MD5

For isakmp policy, you may the same or different priority no, e.g isakmp policy 40 ...., with different encryption, hash, group & lifetime value. You need to maintain the authentication method using pre-share, except for different key between peers.

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption xxx

isakmp policy 40 hash xxx

isakmp policy 40 group xxx

isakmp policy 40 lifetime xxx

Next, add the new key and new peer VPN address.

isakmp key ******** address 83.206.2x.1x netmask 255.255.255.255 no-xauth no-config-mode #existing

isakmp key address 83.206.14.109 netmask 255.255.255.255 no-xauth no-config-mode #NEW!

Last, make sure to bind your ACL allowing your local subnet to talk to the remote subnet on the correct interface, e,g nat (inside) 0 access-list yyy.

This should be similar to your existing ACL and NAT 0.

Hope this can help.

Rgds,

AK

0 Helpful
Customers Also Viewed These Support Documents