10-25-2005 02:03 AM - edited 02-21-2020 02:03 PM
Hi,
I am using pix515 and 506 (v 634) with pdm (v 302).
I can get a site-to-site tunnel up and going, although if I want to add more than 1 tunnel, it's not working.
I get the following error:
[ERR]crypto map outside_map 40 set peer 83.206.14.109
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypto map.
I have repeated this a lot of times, and always get the same error on any device.
Always when creating the 2nd tunnel. Using the same procedure is fine when creating the first tunnel.
Is there something to do, before creating a 2nd tunnel???
Thanks for your help
Cedric
10-25-2005 02:11 AM
Hi Cedric,
It's something to do with the VPN configuration. Can you post the config to have a better look at it?
Rgds,
AK
10-25-2005 04:23 AM
What info do you exactly need? I only use the PDM, how can I export the VPN conf?
10-25-2005 05:28 AM
Here is the conf:
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 83.206.2x.1x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 83.206.2x.1x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
10-25-2005 08:56 PM
Hi,
From the error msg, I can see you're trying to add another crypto map (outside_map 40) and bind it to the outside interface. This is not possible as only one (1) crypto map is accepted.
What you do is add your new VPN peer (IP address) to the existing crypto map 20. For the transform set, you may use a different set or the same name (if the policy is still the same). Example:
crypto map outside_map 20 set peer 83.206.14.109
crypto map outside_map 20 set transform-set ESP-3DES-MD5
For the isakmp policy, you may use the same or a different priority no., e.g. isakmp policy 40 ..., with different encryption, hash, group & lifetime values. You need to maintain the authentication method using pre-share, except for a different key between peers.
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption xxx
isakmp policy 40 hash xxx
isakmp policy 40 group xxx
isakmp policy 40 lifetime xxx
Next, add the new key and new peer VPN address.
isakmp key ******** address 83.206.2x.1x netmask 255.255.255.255 no-xauth no-config-mode #existing
isakmp key
Last, make sure to bind your ACL allowing your local subnet to talk to the remote subnet on the correct interface, e.g. nat (inside) 0 access-list yyy.
This should be similar to your existing ACL and NAT 0.
Hope this can help.
Rgds,
AK
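Added example, not part of the thread and not Cisco tooling: a small Python check that groups the `crypto map` lines of a saved config by map name and sequence number and reports entries lacking the peer or access-list that the "crypto map is incomplete" warning asks for. The sample config is constructed from the lines posted above; the `access-list` line, its subnets, and treating "valid" as "defined in the same config" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: entry 20 as posted in the thread, plus the lone
# "outside_map 40 set peer" line from the error. The access-list is invented.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 83.206.2x.1x
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 set peer 83.206.14.109
crypto map outside_map interface outside
"""

# "crypto map <name> <seq> <rest>"; the "interface" binding has no numeric
# sequence, so it does not match and is skipped.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def find_incomplete(config):
    """Return {(map_name, seq): [problems]} for entries missing a peer or ACL."""
    lines = [line.strip() for line in config.splitlines()]
    defined_acls = {l.split()[1] for l in lines
                    if l.startswith("access-list ") and len(l.split()) > 1}
    entries = defaultdict(dict)
    for line in lines:
        m = ENTRY.match(line)
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = entries[(name, seq)]          # registers the entry even if empty
        if rest.startswith("match address "):
            entry["acl"] = rest.split()[2]
        elif rest.startswith("set peer "):
            entry["peer"] = rest.split()[2]
    problems = {}
    for key in sorted(entries):
        entry, missing = entries[key], []
        if "peer" not in entry:
            missing.append("peer")
        if "acl" not in entry:
            missing.append("match address")
        elif entry["acl"] not in defined_acls:
            missing.append("undefined access-list " + entry["acl"])
        if missing:
            problems[key] = missing
    return problems

if __name__ == "__main__":
    for (name, seq), missing in find_incomplete(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}: missing {', '.join(missing)}")
```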