Cisco Support Community
New Member

Site-to-site VPN problem

Site-to-site VPN tunnel problem

I have set up a test network at home to practice setting up a site-to-site VPN using certificate services for authentication, but have run into a problem, i.e. it does not seem to work.

The steps I have taken so far: I have configured a Microsoft server as the CA and have installed the MSCEP add-on. Both PIXes at each end of the tunnel have successfully obtained their certificates from the CA. The clocks have been set to GMT on the CA and on both PIXes, and after obtaining their certificates I have set up the PIXes in the following manner.

PIX 515, which is running IOS 7.0:

access-list 102 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 103
route outside 0 0 192.168.4.2
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
crypto ipsec transform-set portland esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 102
crypto map vpn 10 set peer 192.168.2.1
crypto map vpn 10 set transform-set portland
crypto map vpn 10 set trustpoint certserver
crypto map vpn interface outside
crypto ca trustpoint certserver
tunnel-group 192.168.5.1 type ipsec-l2l
tunnel-group 192.168.5.1 ipsec-attributes
 trust-point certserver

PIX 501, which is running IOS 6.3:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list 103
route outside 0 0 192.168.2.2
sysopt connection permit-ipsec
crypto ipsec transform-set seattle esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.4.1
crypto map vpn 10 set transform-set seattle
crypto map vpn interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

I would appreciate somebody having a look at the above configs and letting me know if anything is wrong.

Regards,

Melvyn Brown

PS: I don't think it is a connectivity problem, as I used the same network to set up a site-to-site VPN using pre-shared keys and it worked perfectly.

1 REPLY
Cisco Employee

Re: Site-to-site VPN problem

Melvyn,

You have "isakmp identity address" in your PIX configuration. If so, that could be the reason Phase 1 of your VPN tunnel is not coming up.

You have to configure "isakmp identity hostname" when using certificates and rsa-sig.

In your case, if you also have L2L VPN tunnels or clients using pre-shared keys, then you could configure "isakmp identity auto", then try to bring up the tunnel and see if it works.

Please refer to the following URL for details on the command:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ike.htm

I hope it helps.

Regards,

Arul

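The reply above concerns the ISAKMP identity setting. A second thing worth checking in the posted PIX 515 configuration is the tunnel-group name: it is `192.168.5.1`, an address inside the 515's own 192.168.5.0/24 network, while the crypto map peer is `192.168.2.1`. On PIX/ASA 7.0 an `ipsec-l2l` tunnel group that is selected by address has to be named with the peer's outside address, otherwise the incoming peer is never mapped to the group that carries the `trust-point`. The following is an added example, not part of the original thread, showing both ends with the identity changed to hostname on each side (as the reply suggests) and the 515 tunnel group renamed to the peer address, followed by the show and debug commands used to confirm certificate validity and Phase 1 state. The hostnames `pix515` and `pix501`, the domain `lab.example.com`, and the reuse of the trustpoint name `certserver` are assumptions; CA enrollment is omitted because the post states both PIXes already hold certificates. Command spellings differ between 6.3 and 7.0 and are given per version.

```cisco
! ---- PIX 515, OS 7.0 (Portland end): corrected fragment, only changed or new lines commented ----
hostname pix515                             ! assumed name
domain-name lab.example.com                 ! assumed; hostname + domain-name form the FQDN identity sent in Phase 1
!
access-list 102 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 103 permit ip 192.168.5.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 103
route outside 0 0 192.168.4.2
!
isakmp enable outside
isakmp identity hostname                    ! was "address"; "isakmp identity auto" also works if PSK peers coexist
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec
!
crypto ipsec transform-set portland esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 102
crypto map vpn 10 set peer 192.168.2.1
crypto map vpn 10 set transform-set portland
crypto map vpn 10 set trustpoint certserver
crypto map vpn interface outside
!
! The L2L tunnel group is selected by the peer's address, so it must be named 192.168.2.1
! (the 501's outside address), not 192.168.5.1.
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 ipsec-attributes
 trust-point certserver

! ---- PIX 501, OS 6.3 (Seattle end): corrected fragment ----
hostname pix501                             ! assumed name
domain-name lab.example.com                 ! assumed; required for "isakmp identity hostname" on 6.3
!
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list 103
route outside 0 0 192.168.2.2
sysopt connection permit-ipsec
!
crypto ipsec transform-set seattle esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 192.168.4.1
crypto map vpn 10 set transform-set seattle
crypto map vpn interface outside
!
isakmp enable outside
isakmp identity hostname                    ! was "address"
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! ---- verification, run on each PIX after the change ----
show clock                       ! certificate validity is checked against this; CA and both PIXes must agree (GMT here)
show crypto ca certificates      ! 7.0: identity and CA certificates present and inside their validity window
show ca certificate              ! 6.3: same check
!
! Bring traffic across (e.g. ping from 192.168.5.x to 192.168.1.x) with Phase 1 debugging on:
debug crypto isakmp 7            ! 7.0: shows identity type sent/received and any certificate validation failure
debug crypto isakmp              ! 6.3
!
show isakmp sa                   ! 7.0: state MM_ACTIVE means Phase 1 completed with rsa-sig
show crypto isakmp sa            ! 6.3: QM_IDLE means Phase 1 completed
show crypto ipsec sa             ! both: #pkts encaps/decaps counters rising means Phase 2 is passing traffic
```

If Phase 1 still fails after the identity change, the debug output is the place to look: a mismatch between the identity the peer sends (FQDN) and the name in its certificate, or a certificate that has expired or is not yet valid because the clocks disagree, both show up there before any Phase 2 negotiation starts.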