10-15-2013 06:15 AM
I have already configured site-to-multi-site VPN in my Packet Tracer, and always only 1 site can connect successfully while the other site cannot. Here is the result from isakmp sa:
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id  slot  status
212.76.68.1     172.21.6.1      MM_SA_SETUP    0        0     ACTIVE
109.63.62.1     172.21.6.1      QM_IDLE        1050     0     ACTIVE
>>>>> configuration of my Main Office Router
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
!
crypto isakmp key cisco address 79.95.25.1
crypto isakmp key cisco address 109.63.62.1
crypto isakmp key cisco address 212.76.68.1
!
!
crypto ipsec transform-set VPN_Trans esp-aes esp-sha-hmac
!
crypto map VPN_Map 1 ipsec-isakmp
set peer 79.95.25.1
set peer 212.76.68.1
set peer 109.63.62.1
set transform-set VPN_Trans
match address NAT_Group
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 172.20.21.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.21.6.1 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map VPN_Map
!
interface Vlan1
no ip address
shutdown
!
router rip
!
ip nat inside source list NAT1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip access-list extended NAT_Group
permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT1
deny ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
deny ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended NAT
permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended NAT2
permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
10-15-2013 09:19 AM
when you have multiple peers in the same crypto map, they act as backups for each other; if one answers and establishes an SA, the router doesn't try the others...
each site-to-site should have its own crypto map entry:
crypto map VPN_Map 1 ipsec-isakmp
crypto map VPN_Map 2 ipsec-isakmp...
Patrick
10-15-2013 08:30 PM
Dear Mr. Patrick,
Thank you for your reply.
So you advise that for the Core Office I must have a separate crypto map for each site? Like this sample below?
crypto map VPN_Map 1 ipsec-isakmp
set peer 79.95.25.1
set transform-set VPN_Trans
match address NAT_Group
crypto map VPN_Map 2 ipsec-isakmp
set peer 212.76.68.1
set transform-set VPN_Trans
match address NAT_Group
crypto map VPN_Map 3 ipsec-isakmp
set peer 109.63.62.1
set transform-set VPN_Trans
match address NAT_Group
10-16-2013 06:56 AM
same crypto map different entries, yes.
you can only apply 1 crypto map per interface...
you need a different access-list for each entry also.
example core = 10.1.1.0/24
site 1 = 10.1.31.0/24
site 2 = 10.1.32.0/24
acl VPN1 permit 10.1.1.0/24 10.1.31.0/24 applied to corresponding map entry
acl VPN2 permit 10.1.1.0/24 10.1.32.0/24 applied to the other map entry...
Patrick
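A small checker for the two configuration mistakes Patrick describes (several peers in one crypto map entry, and one ACL shared across entries), written as an added example that is not part of the thread. The crypto map text and the ACL names VPN1 to VPN3 are constructed, and the parser understands only the sub-commands shown.

```python
import re
# Constructed sample: the core router's crypto map as posted above.
ORIGINAL_CFG = """\
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set peer 212.76.68.1
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group
"""
# Constructed sample: one entry and one ACL per peer, as Patrick recommends.
FIXED_CFG = """\
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 match address VPN1
crypto map VPN_Map 2 ipsec-isakmp
 set peer 212.76.68.1
 match address VPN2
crypto map VPN_Map 3 ipsec-isakmp
 set peer 109.63.62.1
 match address VPN3
"""
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")

def parse_crypto_maps(cfg):
    # Returns {(map_name, seq): {"peers": [...], "acl": name_or_None}}
    entries, cur = {}, None
    for line in cfg.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = (m.group(1), int(m.group(2)))
            entries[cur] = {"peers": [], "acl": None}
        elif cur and line.startswith(" set peer "):
            entries[cur]["peers"].append(line.split()[-1])
        elif cur and line.startswith(" match address "):
            entries[cur]["acl"] = line.split()[-1]
    return entries

def lint_crypto_maps(cfg):
    # Findings are empty when every entry has exactly one peer and its own ACL.
    findings, acl_users = [], {}
    for (name, seq), e in sorted(parse_crypto_maps(cfg).items()):
        if len(e["peers"]) > 1:  # extra peers are backups, not separate tunnels
            findings.append(f"{name} {seq}: {len(e['peers'])} peers in one entry")
        if e["acl"]:
            acl_users.setdefault(e["acl"], []).append(f"{name} {seq}")
    for acl, users in acl_users.items():
        if len(users) > 1:  # shared ACL: traffic only ever matches the first entry
            findings.append(f"ACL {acl} shared by {', '.join(users)}")
    return findings
```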
10-16-2013 06:59 AM
Okay, I will create a separate ACL for each map... but my only problem is I am only using 1 interface for WAN in my core office....