10-07-2005 05:54 AM - edited 02-21-2020 02:01 PM
I'm using a PIX 515 in the head office and 1700 routers in 3 branch offices. 3 VPN tunnels between the head office and the branches have been set up and are all working.
Now I need to add a 4th VPN between the head office and our new office, which has a PIX 515. On the head office PIX running config I use the existing access-list hdvpn and crypto map map001, and I add:
access-list hdvpn permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec4 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map map001 24 ipsec-isakmp
crypto map map001 24 match address ipsec4
crypto map map001 24 set peer 172.22.112.12
crypto map map001 24 set transform-set tran001
isakmp key *********** address 172.22.112.12 netmask 255.255.255.255
I set up the new office's PIX as well, but the 4th VPN tunnel doesn't work. When I run show crypto ipsec on the head office PIX, the 4th IPsec doesn't show up.
I have to get it working but have no idea where the problem is. Any help would be highly appreciated.
10-07-2005 06:42 AM
Just a couple of things to clarify:
1. Is ACL hdvpn used for no nat?
2. Is crypto map map001 the same crypto map as the other three?
If so, the config looks fine. However, what about the other PIX? Could you post its config as well?
10-07-2005 07:30 AM
1. ACL hdvpn is used for NAT:
nat (inside) 0 access-list hdvpn
2. map001 is the same crypto map as the other three.
Should I make ACL hdvpn used for no nat? But it was working for the other 3 VPNs.
10-08-2005 12:35 AM
The existing config with "nat (inside) 0 access-list hdvpn" is fine.
I suspect that the issue is on the other PIX. Please post the configs.
10-11-2005 10:13 AM
The new office PIX was set up as a basic firewall and is working fine. I added the VPN to the existing config:
access-list branch04 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list branch04
nat (inside) 1 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set branform04 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map branmap04 10 ipsec-isakmp
crypto map branmap04 10 match address branch04
crypto map branmap04 10 set peer 92.168.1.0
crypto map branmap04 10 set transform-set branform04
crypto map branmap04 interface outside
isakmp enable outside
isakmp key ********** address 92.68.1.0 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
10-11-2005 04:39 PM
There is a typo in the config: nat (inside) 1 192.168.1.0 255.255.255.0 should be nat (inside) 1 172.16.1.0 255.255.255.0. Other than that, the config looks fine.
Please verify the pre-shared key. Also, if remote VPN access (i.e. a dynamic crypto map for road warriors) has been configured on the main office PIX, then you need to apply the no-xauth and no-config-mode keywords to all the isakmp key commands.
e.g.
isakmp key *********** address 172.22.112.12 netmask 255.255.255.255 no-xauth no-config-mode
One more thing: just wondering if the command "sysopt connection permit-ipsec" has been disabled on the main office PIX.
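The replies above walk through the usual checklist for a PIX 6.x site-to-site tunnel: the crypto ACL must be mirrored on the peer, every crypto ACL line must be covered by the nat 0 exemption ACL, the isakmp key address must match the set peer address, the crypto map must be bound to an interface, and sysopt connection permit-ipsec must be present. The script below is an added example (not code from the thread or from Cisco) that parses two PIX-style configs and cross-checks them for exactly those points. The sample configs are constructed from the thread's posts: the head office outside address 203.0.113.1 is an assumption (the thread does not show it), the spoke keeps the nat (inside) 1 typo the reply points out, and the spoke's isakmp key address is deliberately different from its set peer address, mirroring the posted spoke config where set peer shows 92.168.1.0 but the key line shows 92.68.1.0. Only the ACL, nat, crypto map, isakmp key and sysopt statement forms that appear in the thread are parsed.

```python
"""Cross-check a PIX 6.x site-to-site IPsec pair (hub and spoke configs).
Added example; the sample configs below are constructed from the forum thread."""
from ipaddress import ip_network

# Constructed head-office config; outside address 203.0.113.1 is assumed.
HUB_CFG = """
access-list hdvpn permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec4 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list hdvpn
nat (inside) 1 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto map map001 24 ipsec-isakmp
crypto map map001 24 match address ipsec4
crypto map map001 24 set peer 172.22.112.12
crypto map map001 24 set transform-set tran001
crypto map map001 interface outside
isakmp key ******** address 172.22.112.12 netmask 255.255.255.255
"""

# Constructed spoke config: keeps the nat (inside) 1 typo from the thread and a
# key address (203.0.113.10) that does not match the set peer address.
SPOKE_CFG = """
access-list branch04 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list branch04
nat (inside) 1 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set branform04 esp-des esp-md5-hmac
crypto map branmap04 10 ipsec-isakmp
crypto map branmap04 10 match address branch04
crypto map branmap04 10 set peer 203.0.113.1
crypto map branmap04 10 set transform-set branform04
crypto map branmap04 interface outside
isakmp enable outside
isakmp key ******** address 203.0.113.10 netmask 255.255.255.255
"""


def parse_pix(text):
    """Pull the VPN-relevant statements out of a PIX 6.x style config."""
    cfg = {"acl": {}, "nat0": None, "nat": [], "maps": {}, "keys": set(),
           "bound": set(), "sysopt": False}
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if w[0] == "access-list" and len(w) >= 8 and w[2] == "permit":
            # access-list NAME permit ip SRC MASK DST MASK
            cfg["acl"].setdefault(w[1], []).append(
                (ip_network(f"{w[4]}/{w[5]}"), ip_network(f"{w[6]}/{w[7]}")))
        elif w[0] == "nat" and w[2] == "0" and w[3] == "access-list":
            cfg["nat0"] = w[4]                       # nat (inside) 0 access-list NAME
        elif w[0] == "nat" and len(w) >= 5:
            cfg["nat"].append(ip_network(f"{w[3]}/{w[4]}"))  # nat (inside) N NET MASK
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["bound"].add(w[2])                   # crypto map NAME interface IFACE
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            entry = cfg["maps"].setdefault((w[2], int(w[3])), {})
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
        elif w[:2] == ["isakmp", "key"] and "address" in w:
            cfg["keys"].add(w[w.index("address") + 1])
        elif w[:3] == ["sysopt", "connection", "permit-ipsec"]:
            cfg["sysopt"] = True
    return cfg


def crypto_lines(cfg, peer):
    """(src, dst) pairs of every crypto map entry whose peer is PEER."""
    lines = set()
    for entry in cfg["maps"].values():
        if entry.get("peer") == peer:
            lines.update(cfg["acl"].get(entry.get("acl"), []))
    return lines


def check_tunnel(local, remote, local_ip, remote_ip):
    """Findings for the tunnel LOCAL -> REMOTE; the *_ip values are the outside addresses."""
    f = []
    if not local["sysopt"]:
        f.append("sysopt connection permit-ipsec is missing")
    entries = {k: e for k, e in local["maps"].items() if e.get("peer") == remote_ip}
    if not entries:
        f.append(f"no crypto map entry sets peer {remote_ip}")
    if remote_ip not in local["keys"]:
        f.append(f"no isakmp key for peer {remote_ip}")
    exempt = set(local["acl"].get(local["nat0"], []))   # nat 0 exemption lines
    mirror = crypto_lines(remote, local_ip)             # what the peer encrypts back
    for (name, seq), e in entries.items():
        if name not in local["bound"]:
            f.append(f"crypto map {name} is not applied to an interface")
        lines = local["acl"].get(e.get("acl"))
        if not lines:
            f.append(f"{name} {seq}: match address {e.get('acl')} names a missing or empty ACL")
            continue
        for src, dst in lines:
            if (src, dst) not in exempt:
                f.append(f"{name} {seq}: {src}->{dst} is not exempted by nat 0 ACL {local['nat0']}")
            if (dst, src) not in mirror:
                f.append(f"{name} {seq}: {src}->{dst} has no mirror line on the peer")
            if dst in local["nat"]:   # a nat statement naming the remote network is a slip
                f.append(f"nat (inside) N {dst} names the remote network; expected local {src}")
    return f


if __name__ == "__main__":
    hub, spoke = parse_pix(HUB_CFG), parse_pix(SPOKE_CFG)
    for side, findings in (("hub", check_tunnel(hub, spoke, "203.0.113.1", "172.22.112.12")),
                           ("spoke", check_tunnel(spoke, hub, "172.22.112.12", "203.0.113.1"))):
        print(side, findings or "OK")
```

Run on the constructed pair, the hub side comes back clean while the spoke side reports two findings: no isakmp key for its peer, and a nat (inside) 1 statement that names the remote network instead of the local one. Whatever the script reports, the PIX itself is the final word: show crypto isakmp sa tells you whether phase 1 completed, and show crypto ipsec sa whether the phase 2 SA for the new ACL exists.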