pix vpn problem

flycarthe
Level 1

I'm using a PIX 515 in the head office and 1700 routers in 3 branch offices. Three VPN tunnels between the head office and the branches have been set up and are all working.

Now I need to add a 4th VPN from the head office to our new office, which has a PIX 515. On the head office PIX running config, I use the existing access-list hdvpn and crypto map map001, and I added:

access-list hdvpn permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list ipsec4 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto map map001 24 ipsec-isakmp
crypto map map001 24 match address ipsec4
crypto map map001 24 set peer 172.22.112.12
crypto map map001 24 set transform-set tran001
isakmp key *********** address 172.22.112.12 netmask 255.255.255.255

I set up the new office's PIX as well. But the 4th VPN tunnel doesn't work. When I run show crypto ipsec on the head office PIX, the 4th IPSec tunnel doesn't show up.

I have to make it work but have no idea where the problem is. Any help would be highly appreciated.


jackko
Level 7

Just a couple of things to clarify:

1. Is acl hdvpn used for no-NAT?

2. Is crypto map map001 the same crypto map as the other three?

If so, the config looks fine. However, what about the other PIX? Would you post its config as well?

1. acl hdvpn is used for nat:

nat (inside) 0 access-list hdvpn

2. map001 is the same crypto map as the other three.

Should I use the acl hdvpn for no-NAT? But it was working for the other 3 VPNs.

The existing config with "nat (inside) 0 access-list hdvpn" is fine.

I suspect that the issue is on the other PIX. Please post the configs.

The new office PIX was set up as a basic firewall and is working fine. I added the VPN to the existing config:

access-list branch04 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list branch04
nat (inside) 1 192.168.1.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set branform04 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map branmap04 10 ipsec-isakmp
crypto map branmap04 10 match address branch04
crypto map branmap04 10 set peer 92.168.1.0
crypto map branmap04 10 set transform-set branform04
crypto map branmap04 interface outside
isakmp enable outside
isakmp key ********** address 92.68.1.0 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

There is a typo in the config: nat (inside) 1 192.168.1.0 255.255.255.0 should be nat (inside) 1 172.16.1.0 255.255.255.0. Other than that, the config looks fine.

Please verify the pre-shared key. Also, if remote VPN access (i.e. a dynamic crypto map for road warriors) has been configured on the main office PIX, then you need to apply the no-xauth and no-config-mode keywords to all the isakmp key commands.

e.g.

isakmp key *********** address 172.22.112.12 netmask 255.255.255.255 no-xauth no-config-mode

One more thing: just wondering if the command "sysopt connection permit-ipsec" has been disabled on the main office PIX.
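Added example, not posted in this thread and not a Cisco tool: a small Python checker that applies the consistency checks raised above to the two sides of a PIX 6.x site-to-site tunnel: the set peer must be the far side's outside address, the crypto ACLs must be mirror images, the transform sets must agree, and a nat pool should name one of this side's own networks (which catches the nat (inside) 1 typo). The embedded configs are constructed from the lines in the thread; the head office outside address 203.0.113.1 used in the usage note is a placeholder, since the thread does not give it.

```python
# Constructed sample configs (not the thread's own): head office and new branch
# sides of one site-to-site tunnel, including the nat pool typo seen in the thread.
HEAD = """
access-list ipsec4 permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set tran001 esp-des esp-md5-hmac
crypto map map001 24 match address ipsec4
crypto map map001 24 set peer 172.22.112.12
crypto map map001 24 set transform-set tran001
"""
BRANCH = """
access-list branch04 permit ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list branch04
nat (inside) 1 192.168.1.0 255.255.255.0
crypto ipsec transform-set branform04 esp-des esp-md5-hmac
crypto map branmap04 10 match address branch04
crypto map branmap04 10 set peer 92.168.1.0
crypto map branmap04 10 set transform-set branform04
"""

def parse(cfg):
    """Collect crypto ACLs, crypto map entries, transform sets and nat pools from PIX config text."""
    p = {"acl": {}, "map": {}, "tset": {}, "nat": []}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            p["acl"].setdefault(w[1], set()).add(((w[4], w[5]), (w[6], w[7])))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p["tset"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and len(w) > 6:
            e = p["map"].setdefault((w[2], w[3]), {})
            e[w[5] if w[4] == "set" else "acl"] = w[6]  # keys: acl, peer, transform-set
        elif w[0] == "nat" and w[2] != "0":  # nat 0 is the exemption, not a pool
            p["nat"].append((w[3], w[4]))
    return p

def check_tunnel(local_cfg, remote_cfg, remote_outside_ip):
    """Compare the one crypto map entry on each side; return findings (empty list = consistent)."""
    L, R = parse(local_cfg), parse(remote_cfg)
    mine, theirs = next(iter(L["map"].values())), next(iter(R["map"].values()))
    findings = []
    if mine["peer"] != remote_outside_ip:
        findings.append(f"set peer {mine['peer']} is not the far side's outside address {remote_outside_ip}")
    lacl = L["acl"][mine["acl"]]
    if lacl != {(d, s) for s, d in R["acl"][theirs["acl"]]}:  # far side must be the mirror image
        findings.append("crypto ACLs are not mirror images of each other")
    if L["tset"][mine["transform-set"]] != R["tset"][theirs["transform-set"]]:
        findings.append("transform sets propose different algorithms")
    for net in L["nat"]:  # a nat pool naming the far side's network is usually a typo
        if net not in {s for s, _ in lacl}:
            findings.append(f"nat pool {net[0]} is not one of this side's protected networks")
    return findings
```

Running check_tunnel(HEAD, BRANCH, "172.22.112.12") returns no findings, while check_tunnel(BRANCH, HEAD, "203.0.113.1") flags both the wrong set peer and the nat pool that names the head office network.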
