starting site to site vpn between pix 501's

techsitc10
Level 1

Hi

Another newbie question. I'm trying to add a site-to-site VPN between two PIX 501s, as well as the basic software access VPN to site 1. At present, however, I can't get the 2nd site to connect. This may be because they both go through separate routers to get to the Internet, although I'm not sure this makes a difference as they map straight through the external routers.

My set-up is like this:

pix 1: internal network 192.168.10.x

between pix and router 192.168.111.x

external ip: 83.166.180.99

to which I can connect software vpn clients no problem.

pix 2: internal ip: 192.168.20.x

between pix and router 192.168.120.x

external ip: 83.166.180.100

I've attached the results from the show crypto map command and the show ipsec command from pix 2.

I've attached the config from pix2 as well, which mirrors the info at pix 1 apart from the IPs being different.

any help would be appreciated

thanks

Suzanne

21 Replies

Have you verified that the pre-shared keys are exactly the same? I would check there first.

Jay

Hi

Yes, I have re-entered both keys to check. Same message. :-)

Suzanne

Suzanne,

Try adding this line to tie your static crypto map to your dynamic map

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

Also make sure that your encryption lists are exact mirrors of each other on both ends of the tunnel.

Mark.

Hi Mark

I had wondered how they tied together!

When I try to add that I get the following error:

Dynamic map entry already in use

ERROR: Unable to initialized crypto map entry

Command failed

The entry I have on each PIX is identical, except that instead of 20 I have a value of 65535.

If I actually remove this entry then I lose the connection with my current software VPN.

And the encryption lists appear to be the same.

Any other suggestions ?

Sorry, I didn't see that line, but what's happening now is that you're not matching your phase 1 configuration. Save your existing configuration, delete the existing crypto map entries and try this:

crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20

crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5

crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map 20 match address 101

crypto map outside_map 20 set peer 83.166.180.99

crypto map outside_map 20 set transform-set vpnset

crypto map outside_map interface outside

The line that's making it not work right now is this:

crypto map outside_map 20 ipsec-isakmp

Should work.

Mark

Hi Mark,

That makes a lot more sense. I'll let you know how I get on.

Thanks

Suzanne

Hi Mark,

Have added that. Strangely it doesn't seem to show the

crypto map outside_map 20 match address 101

crypto map outside_map 20 set peer 83.166.180.99

crypto map outside_map 20 set transform-set vpnset

crypto map outside_map interface outside

in the show config file anymore, but if I look at a show crypto ipsec sa then it's certainly got the right information.

I no longer get any response when I post

show crypto map isakmp sa though.

It comes up blank.

Any more ideas ?

Thanks for all your help so far.

Suzanne
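The pattern in this thread is the usual one for a PIX 6.x crypto map: a static site-to-site entry needs its own sequence number with match address, set peer and set transform-set, while the reference to the dynamic map (for the software VPN clients) lives on a separate, highest sequence number so static peers are evaluated first, and the crypto ACL on each end must be the mirror image of the other. The script below is an added example, not code from the thread or from Cisco: it parses crypto map and access-list lines out of two PIX configs and reports entries where static attributes share a sequence number with a dynamic reference, static entries missing one of their three attributes, dynamic entries that sort before static ones, and crypto ACLs that do not mirror. The sample configs are constructed from the addresses quoted in the posts (the real attachments are not on the page); PIX2_SHARED_SEQ puts both kinds of entry on sequence 20, PIX2_SEPARATE_SEQ moves the dynamic reference to 65535.

```python
import re

# Added example; the configs are constructed, not the thread's real attachments.
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")

# Constructed pix2 config: static peer and dynamic reference on the same sequence.
PIX2_SHARED_SEQ = """\
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto dynamic-map outside_dyn_map 10 set transform-set vpnset
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside
"""

# Constructed pix2 config: dynamic reference on its own, highest, sequence number.
PIX2_SEPARATE_SEQ = """\
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto dynamic-map outside_dyn_map 10 set transform-set vpnset
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

# Constructed pix1 side: mirror-image crypto ACL, peer is pix2's outside address.
PIX1 = """\
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.100
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

STATIC_ATTRS = ("match", "peer", "transform")


def parse_crypto_map(cfg):
    """Return {map_name: {seq: {"dynamic", "match", "peer", "transform"}}}."""
    maps = {}
    for line in cfg.splitlines():
        m = CM_RE.match(line.strip())
        if not m:
            continue  # skips 'crypto map X interface outside' and non-map lines
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3).split()
        entry = maps.setdefault(name, {}).setdefault(
            seq, {"dynamic": None, "match": None, "peer": None, "transform": None})
        if rest[:2] == ["ipsec-isakmp", "dynamic"]:
            entry["dynamic"] = rest[2]
        elif rest[:2] == ["match", "address"]:
            entry["match"] = rest[2]
        elif rest[:2] == ["set", "peer"]:
            entry["peer"] = rest[2]
        elif rest[:2] == ["set", "transform-set"]:
            entry["transform"] = rest[2]
    return maps


def check_crypto_map(cfg):
    """Flag static attributes that share a sequence with a dynamic reference,
    incomplete static entries, and dynamic entries that are not evaluated last."""
    findings = []
    for name, entries in parse_crypto_map(cfg).items():
        static = [s for s, e in entries.items() if e["dynamic"] is None]
        dynamic = [s for s, e in entries.items() if e["dynamic"] is not None]
        for seq, e in sorted(entries.items()):
            present = [k for k in STATIC_ATTRS if e[k]]
            missing = [k for k in STATIC_ATTRS if not e[k]]
            if e["dynamic"] and present:
                findings.append(f"{name} {seq}: static attributes {present} share a "
                                f"sequence number with dynamic map {e['dynamic']}")
            elif not e["dynamic"] and missing:
                findings.append(f"{name} {seq}: static entry is missing {missing}")
        for d in dynamic:
            later = [s for s in static if s > d]
            if later:
                findings.append(f"{name} {d}: dynamic entry is evaluated before "
                                f"static entries {later}; give it the highest sequence")
    return findings


def parse_acl(cfg, acl_name):
    """Set of ((src, mask), (dst, mask)) flows permitted by a crypto ACL."""
    flows = set()
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            flows.add(((m.group(2), m.group(3)), (m.group(4), m.group(5))))
    return flows


def acls_mirror(cfg_a, acl_a, cfg_b, acl_b):
    """True when every flow in A's crypto ACL appears reversed in B's."""
    a, b = parse_acl(cfg_a, acl_a), parse_acl(cfg_b, acl_b)
    return bool(a) and {(dst, src) for src, dst in a} == b
```

Running check_crypto_map over PIX2_SHARED_SEQ reports the shared sequence 20, while PIX2_SEPARATE_SEQ comes back clean, and acls_mirror(PIX1, "101", PIX2_SEPARATE_SEQ, "101") confirms the two crypto ACLs are mirror images. The checks are deliberately limited to what is visible in a saved config; matching pre-shared keys and isakmp policies between the two boxes still has to be confirmed by hand, since the key is not shown in cleartext.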
