HELP - Pix to Pix VPN on 2 interfaces

jaredmiller
Level 1

Hi,

I am really stuck on this one. I want to configure a VPN between 3 PIX 515 devices. PixA will connect to PixB and PixC, but PixB and PixC will not connect directly.

I have successfully created the VPN between PixA and PixB. I am now trying to configure PixA to connect to PixC on another interface (ethernet2), and the ISAKMP phase 2 is failing with a "SA NOT ACCEPTABLE" error. I relaxed my ACL to accept any IP, but am no farther ahead.

Questions:

Can I use the same ACL for both tunnels?

That is what I am trying to do...

Can I simply create a new map and apply it to ethernet2, and use the same isakmp policy?

Here are the crypto / isakmp configs. Again, PixA to PixB works. PixA to PixC does not.

PixA:

ip address outside xxx.yyy.6.19 255.255.255.248
ip address inside 192.168.3.5 255.255.255.0
ip address outside2 aaa.bbb.80.80 255.255.255.0
...
access-list 101 permit ip any any
access-list outside_access_in permit ip any 192.168.3.0 255.255.255.0
access-list outside_access_in permit ip any aaa.bbb.80.0 255.255.255.0
...
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside2
...
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address 101
crypto map map1 1 set peer xxx.yyy.6.20
crypto map map1 1 set transform-set strong
crypto map map1 interface outside
crypto map map2 1 ipsec-isakmp
crypto map map2 1 match address 101
crypto map map2 1 set peer aaa.bbb.80.90
crypto map map2 1 set transform-set strong
crypto map map2 interface outside2
isakmp enable outside
isakmp enable outside2
isakmp key ******** address xxx.yyy.6.20 netmask 255.255.255.255
isakmp key ******** address aaa.bbb.80.90 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400

PixB:

...
access-list 101 permit ip any any
access-list outside_access_in permit ip any host 192.168.1.0
access-group outside_access_in in interface outside
...
ip address outside xxx.yyy.6.20 255.255.255.0
ip address inside 192.168.1.17 255.255.255.252
...
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address 101
crypto map map1 1 set peer xxx.yyy.6.19
crypto map map1 1 set transform-set strong
crypto map map1 interface outside
isakmp enable outside
isakmp key ******** address xxx.yyy.6.19 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400

PixC:

...
ip address outside aaa.bbb.80.90 255.255.255.0
ip address inside 10.10.10.17 255.255.255.252
...
access-list 101 permit ip any any
access-list outside_access_in permit ip any host 10.10.10.0
access-group outside_access_in in interface outside
...
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 ipsec-isakmp
crypto map map1 1 match address 101
crypto map map1 1 set peer aaa.bbb.80.80
crypto map map1 1 set transform-set strong
isakmp enable outside
isakmp key ******** address aaa.bbb.80.80 netmask 255.255.255.255
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes-256
isakmp policy 1 hash md5
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400

I would really appreciate any help you may offer.

P.O

1 Reply
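Added example, not code from the post or from either participant: a small checker run over the three configurations above, reduced to their crypto-relevant lines with the addresses left masked exactly as posted. For each crypto map entry it verifies that the map is applied to an interface that has `isakmp enable`, that the crypto ACL exists and is neither shared with another map entry nor written as `permit ip any any` (neither bounds the traffic selector to the two LANs), and, by looking up which device owns the `set peer` address, that the peer has a crypto map applied on that interface and an entry pointing back with a matching transform-set. Run against the configs as posted it reports two errors, both on the PixA to PixC tunnel and both caused by the same thing: PixC's `crypto map map1` is never bound with `crypto map map1 interface outside` (PixB's config has that line, PixC's does not). The device names and the `parse`, `audit` and `DEVICES` names are the example's own.

```python
"""Cross-check the PIX 6.x site-to-site configs pasted in the thread.
Added example, not code from the post: only the crypto-relevant lines are
kept (addresses still masked as posted); every crypto map entry is then
checked on its own box and against the device that owns its peer address."""

PIX_A = """\
ip address outside xxx.yyy.6.19 255.255.255.248
ip address outside2 aaa.bbb.80.80 255.255.255.0
access-list 101 permit ip any any
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 match address 101
crypto map map1 1 set peer xxx.yyy.6.20
crypto map map1 1 set transform-set strong
crypto map map1 interface outside
crypto map map2 1 match address 101
crypto map map2 1 set peer aaa.bbb.80.90
crypto map map2 1 set transform-set strong
crypto map map2 interface outside2
isakmp enable outside
isakmp enable outside2
"""
PIX_B = """\
ip address outside xxx.yyy.6.20 255.255.255.0
access-list 101 permit ip any any
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 match address 101
crypto map map1 1 set peer xxx.yyy.6.19
crypto map map1 1 set transform-set strong
crypto map map1 interface outside
isakmp enable outside
"""
PIX_C = """\
ip address outside aaa.bbb.80.90 255.255.255.0
access-list 101 permit ip any any
crypto ipsec transform-set strong esp-aes-256 esp-md5-hmac
crypto map map1 1 match address 101
crypto map map1 1 set peer aaa.bbb.80.80
crypto map map1 1 set transform-set strong
isakmp enable outside
"""


def parse(text):
    """Reduce one PIX config to the pieces its tunnels depend on."""
    d = {"ips": {}, "acls": {}, "tsets": {}, "maps": {}, "bound": {}, "isakmp_if": set()}
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["ip", "address"]:
            d["ips"][t[3]] = t[2]                       # address -> interface name
        elif t[:1] == ["access-list"]:
            d["acls"].setdefault(t[1], []).append(" ".join(t[2:]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            d["tsets"][t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            d["bound"][t[2]] = t[4]                     # map name -> interface it is applied to
        elif t[:2] == ["crypto", "map"]:                # match address / set peer / set transform-set
            d["maps"].setdefault((t[2], t[3]), {})[t[5]] = t[6]
        elif t[:2] == ["isakmp", "enable"]:
            d["isakmp_if"].add(t[2])
    return d


def audit(devices):
    """Return (device, level, message) findings, one pass per crypto map entry."""
    owner = {ip: (n, i) for n, c in devices.items() for ip, i in c["ips"].items()}
    out = []
    for name, c in devices.items():
        for (m, seq), e in c["maps"].items():
            note = lambda lvl, msg: out.append((name, lvl, f"crypto map {m} {seq}: {msg}"))
            acl, peer, ts = e.get("address"), e.get("peer"), e.get("transform-set")
            ifc = c["bound"].get(m)
            if ifc is None:
                note("ERROR", f"never applied with 'crypto map {m} interface <if>'")
            elif ifc not in c["isakmp_if"]:
                note("ERROR", f"applied to {ifc} but there is no 'isakmp enable {ifc}'")
            if acl not in c["acls"]:
                note("ERROR", f"crypto ACL {acl} is not defined")
            elif any("any any" in rule for rule in c["acls"][acl]):
                note("WARN", f"crypto ACL {acl} matches all traffic, not just the two LANs")
            if sum(x.get("address") == acl for x in c["maps"].values()) > 1:
                note("WARN", f"crypto ACL {acl} is shared with another crypto map entry")
            if peer not in owner:
                note("ERROR", f"peer {peer} is not an address on any device given")
                continue
            pname, pifc = owner[peer]
            if pifc not in devices[pname]["bound"].values():
                note("ERROR", f"peer {pname} has no crypto map applied on its {pifc} interface")
            # Proposals the peer can offer back: transform-sets of its entries that peer with us.
            theirs = {devices[pname]["tsets"].get(x.get("transform-set"))
                      for x in devices[pname]["maps"].values() if x.get("peer") in c["ips"]}
            if c["tsets"].get(ts) not in theirs:
                note("ERROR", f"no entry on {pname} peers back here with a transform-set matching {ts}")
    return out


DEVICES = {"PixA": parse(PIX_A), "PixB": parse(PIX_B), "PixC": parse(PIX_C)}

if __name__ == "__main__":
    for dev, lvl, msg in audit(DEVICES):
        print(f"{lvl:5} {dev}: {msg}")
```

Whether the missing line on PixC is a paste omission or the real cause, a crypto map that is not applied to the interface gives the PIX nothing to match the initiator's quick mode proposal against, so that is the first thing to confirm before loosening any ACL further. The two warnings the checker raises apply to every box in the thread: `permit ip any any` as a crypto ACL matches all traffic leaving that interface, including Internet-bound traffic, so each tunnel's ACL should name only the two LANs it carries, mirrored on the peer; and `esp-md5-hmac` with `isakmp policy ... hash md5` is a weak choice, so prefer `esp-sha-hmac` and `hash sha` on both ends.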

dmease
Level 1

You can't use the same access list for two different tunnels. When the packet gets to the PIX, how will it know which tunnel to go down?

Are the networks the same at site B and C? What are you trying to achieve?