552 Views, 0 Helpful, 4 Replies

Site to Multi Site VPN thru NAT

Jackong
Level 1

I have already configured a site-to-multi-site VPN in my Packet Tracer, and always only one site can connect successfully; the other site cannot continue. Here is the result from isakmp sa:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
212.76.68.1     172.21.6.1      MM_SA_SETUP          0    0 ACTIVE
109.63.62.1     172.21.6.1      QM_IDLE           1050    0 ACTIVE

>>>>> configuration of my Main Office Router

!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 79.95.25.1
crypto isakmp key cisco address 109.63.62.1
crypto isakmp key cisco address 212.76.68.1
!
crypto ipsec transform-set VPN_Trans esp-aes esp-sha-hmac
!
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set peer 212.76.68.1
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 172.20.21.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.21.6.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map VPN_Map
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip nat inside source list NAT1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip access-list extended NAT_Group
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT1
 deny ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended NAT
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended NAT2
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
!
no cdp run
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

4 Replies

When you have multiple peers in the same crypto map, they act as backups for each other; if one answers and establishes an SA, the router doesn't try the others...

Each site-to-site should have its own crypto map entry:

crypto map VPN_Map 1 ipsec-isakmp
crypto map VPN_Map 2 ipsec-isakmp...

Patrick

Dear Mr. Patrick,

Thank you for your reply.

So you advise that for the Core Office I must have a separate crypto map for each site, like the sample below?

crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 2 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 3 ipsec-isakmp
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group

Same crypto map, different entries, yes.

You can only apply one crypto map per interface...

You need a different access-list for each entry also.

Example: core = 10.1.1.0/24
site 1 = 10.1.31.0/24
site 2 = 10.1.32.0/24

acl VPN1 permit 10.1.1.0/24 10.1.31.0/24, applied to the corresponding map entry
acl VPN2 permit 10.1.1.0/24 10.1.32.0/24, applied to the other map entry...

Patrick
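A complete hub-side configuration that puts Patrick's advice into practice, written as an added example for this page rather than taken from the thread. It reuses the addresses from the original post, but the pairing of each peer with a remote LAN is an assumption (the thread never says which spoke owns which subnet), and HUB_PUBLIC_IP in the spoke fragment is a placeholder for the public address the upstream NAT presents, which the thread does not give. Parts of the original config that do not change (RIP, Fa0/0, line config) are omitted.

```cisco
! === Hub (Main Office) router: one crypto map, one entry per spoke,
! === one crypto ACL per spoke. Peer-to-LAN pairing below is ASSUMED.
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 79.95.25.1
crypto isakmp key cisco address 212.76.68.1
crypto isakmp key cisco address 109.63.62.1
!
crypto ipsec transform-set VPN_Trans esp-aes esp-sha-hmac
!
! Interesting traffic: exactly one ACL per spoke, each covering only that
! spoke's LAN. The spoke's own crypto ACL must be the mirror image.
ip access-list extended VPN_SITE1
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended VPN_SITE2
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended VPN_SITE3
 permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! One crypto map (only one can be bound to an interface), three sequence
! numbers. Each entry names a single peer and its own ACL. Listing all
! three peers under one entry, as in the original post, makes them
! failover candidates for the same tunnel, not three tunnels.
crypto map VPN_Map 10 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address VPN_SITE1
crypto map VPN_Map 20 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address VPN_SITE2
crypto map VPN_Map 30 ipsec-isakmp
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address VPN_SITE3
!
! NAT exemption (kept from the original): VPN-bound traffic must not be
! PAT-translated, or the crypto ACL never matches the post-NAT packet.
ip access-list extended NAT1
 deny   ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 deny   ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip nat inside source list NAT1 interface FastEthernet0/1 overload
!
! The single WAN interface carries the single crypto map; the per-site
! split lives in the map entries, not in extra interfaces.
interface FastEthernet0/1
 ip address 172.21.6.1 255.255.255.252
 ip nat outside
 crypto map VPN_Map
!
! === Spoke fragment for peer 212.76.68.1 (ASSUMED LAN 10.72.139.0/24).
! === The hub's Fa0/1 holds the private 172.21.6.1, so the hub sits
! === behind NAT: the spoke must peer with the hub's public address.
crypto isakmp key cisco address HUB_PUBLIC_IP
ip access-list extended VPN_HUB
 permit ip 10.72.139.0 0.0.0.255 172.20.21.0 0.0.0.255
crypto map VPN_Map 10 ipsec-isakmp
 set peer HUB_PUBLIC_IP
 set transform-set VPN_Trans
 match address VPN_HUB
```

After applying the change, clear the old negotiations with `clear crypto isakmp` and `clear crypto sa`, then send traffic from 172.20.21.0/24 towards each remote LAN. `show crypto isakmp sa` should then list one QM_IDLE line per peer instead of one ACTIVE tunnel and one stuck in MM_SA_SETUP, `show crypto map` should show a single peer under each sequence number, and `show crypto ipsec sa peer <address>` should show encaps/decaps counters climbing for each spoke. Because the hub is behind NAT, the device in front of it must forward UDP/500 and UDP/4500 (NAT-T) to 172.21.6.1 for the spokes to reach it at all; the spoke fragment assumes that is in place.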

Okay, I will create a separate ACL for each map... but my only problem is I am only using one interface for WAN in my core office....