11-05-2007 03:04 AM - edited 02-21-2020 03:21 PM
Hi
Another newbie question. I'm trying to add a site-to-site VPN between two PIX 501s as well as the basic software access VPN to site 1. At present, however, I can't get the second site to connect. This may be because they both go through separate routers to get to the internet, although I'm not sure this makes a difference as they map straight through the external routers.
My set-up is like this:
PIX 1: internal network 192.168.10.x
between PIX and router 192.168.111.x
external IP: 83.166.180.99
to which I can connect software VPN clients no problem.
PIX 2: internal network 192.168.20.x
between PIX and router 192.168.120.x
external IP: 83.166.180.100
I've attached the results from the show crypto map command and the show ipsec command from PIX 2.
I've attached the config from PIX 2 as well, which mirrors the info at PIX 1 apart from the IPs being different.
any help would be appreciated
thanks
Suzanne
11-08-2007 06:30 AM
Have you verified that the pre-shared keys are exactly the same? I would check there first.
Jay
11-08-2007 06:40 AM
Hi
Yes, I have re-entered both keys to check. Same message. :-)
Suzanne
11-08-2007 07:04 AM
Suzanne,
Try adding this line to tie your static crypto map to your dynamic map:
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
Also make sure that your encryption lists are exact mirrors of each other on both ends of the tunnel.
Mark.
11-08-2007 07:14 AM
Hi Mark
I had wondered how they tied together!
When I try to add that I get the following error:
Dynamic map entry already in use
ERROR: Unable to initialized crypto map entry
Command failed
The entry I have on each PIX is identical, except instead of 20 I have a value of 65535.
If I actually remove this entry then I lose the connection with my current software VPN.
And the encryption lists appear to be the same.
Any other suggestions ?
11-08-2007 07:39 AM
Sorry, I didn't see that line, but what's happening now is that you're not matching your phase 1 configuration. Save your existing configuration, delete the existing crypto map entries and try this:
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside
The line that's making it not work right now is this:
crypto map outside_map 20 ipsec-isakmp
Should work.
Mark
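For reference, here is how the LAN-to-LAN and remote-access pieces are usually laid out together on a PIX 501 running PIX OS 6.3, written as an added example for the site 2 box described in the thread (192.168.20.0/24, peer 83.166.180.99); it is not Mark's or Suzanne's config. On PIX 6.x a crypto map sequence number is either a static entry or a dynamic one, so the site-to-site entry gets its own sequence and the dynamic entry for the software clients keeps a separate, higher one. The ACL names, the transform-set reuse and the pre-shared-key placeholder are assumptions; comment lines use the PIX colon convention.

```cisco
: Site 2 PIX 501 (PIX OS 6.3): LAN-to-LAN to site 1 plus remote-access clients.
: Added example, not from the thread. Names marked "assumed" are not from the thread.

: Interesting traffic for the tunnel: site 2 LAN <-> site 1 LAN (ACL name assumed).
access-list outside_cryptomap_20 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
: Exempt the same traffic from NAT, or it leaves with the outside address and never matches the crypto ACL.
access-list inside_outbound_nat0_acl permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
: Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

: Dynamic map for the software clients: no peer and no ACL, so it accepts any initiator.
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5

: Static (LAN-to-LAN) entry on its own sequence number, lower than the dynamic one.
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set ESP-3DES-MD5
: Dynamic entry last (highest sequence), so a known peer is matched against the static entry first.
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

isakmp enable outside
: Pre-shared key for the LAN-to-LAN peer (placeholder, assumed). no-xauth and no-config-mode
: stop this PIX from demanding a username (xauth) from, or pushing client settings to, the other
: PIX; without them a PIX that also serves software clients will try to treat the peer as a client.
isakmp key <site1-site2-psk> address 83.166.180.99 netmask 255.255.255.255 no-xauth no-config-mode
: Phase 1 policy; must match the other PIX exactly (authentication, encryption, hash, group, lifetime).
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
```

Site 1 carries the mirror image: the crypto and nat 0 ACLs with the networks swapped, and the peer and isakmp key pointing at 83.166.180.100. A LAN-to-LAN tunnel is only built on demand, so ping a site 1 host from the 192.168.20.x LAN, then check phase 1 with show crypto isakmp sa (a QM_IDLE entry for the peer) and phase 2 with show crypto ipsec sa (encaps and decaps counters rising); debug crypto isakmp on both ends is the quickest way to see which proposal or key the peers disagree on.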
11-08-2007 09:05 AM
Hi Mark,
That makes a lot more sense. I'll let you know how I get on.
Thanks
Suzanne
11-09-2007 01:41 AM
Hi Mark,
I have added that. Strangely, it doesn't seem to show the
crypto map outside_map 20 match address 101
crypto map outside_map 20 set peer 83.166.180.99
crypto map outside_map 20 set transform-set vpnset
crypto map outside_map interface outside
lines in the show config output anymore, but if I look at a show crypto ipsec sa then it's certainly got the right information.
I no longer get any response when I enter
show crypto map isakmp sa, though.
It comes up blank.
Any more ideas?
Thanks for all your help so far.
Suzanne