01-11-2007 06:33 AM
I have this schema:
        CompanyA          CompanyB
inIP:   192.168.2.0       192.168.1.0
exIP:   aaa.bbb.107.96    xxx.yyy.97.34/28
I need to configure a site-to-site VPN between them but something is wrong. I'll appreciate any help. The VPN for remote users works fine. Thanks.
CompanyB:
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyC permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside xxx.yyy.97.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip local pool clientpool 192.168.6.210-192.168.6.220
global (outside) 1 xxx.yyy.97.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.97.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address CompanyC
crypto map newmap 20 set peer xxx.yyy.97.50
crypto map newmap 20 set transform-set myset
crypto map newmap 25 ipsec-isakmp
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
crypto map newmap 25 set transform-set myset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
vpngroup CHerndon address-pool clientpool
...
CompanyA:
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside aaa.bbb.107.96 255.255.252.0
ip address inside 192.168.2.2 255.255.255.0
ip local pool clientpool 10.1.1.10-10.1.1.36
global (outside) 1 aaa.bbb.107.103 netmask 255.255.255.0
nat (inside) 0 access-list bypassingnat
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group out_inside in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.104.1 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map vpngroup client authentication TACACS+
isakmp enable outside
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup svinzant address-pool clientpool
...
01-11-2007 10:24 AM
Hi,
This is seen really often when having remote clients and site-to-site on the same machine.
Add the following keywords to the site-to-site keys:
isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255 no-xauth no-config-mode
That should do it.
Please rate if this helped.
Regards,
Daniel
01-12-2007 06:17 AM
I tried this but unfortunately it doesn't help.
We also have CompanyC connected to CompanyB with a VPN and everything is smooth between these two sites. The problem is just between A and B.
I'll post the Company C config if it helps:
CompanyC:
access-list acl_outside permit icmp any any echo-reply
access-list acl_inside permit ip any any
access-list 101 permit ip 192.168.11.0 255.255.255.0 10.10.8.16 255.255.255.240
access-list 103 permit ip 192.168.10.0 255.255.255.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.16 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CompanyB permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside xxx.yyy.97.50 255.255.255.248
ip address inside 10.10.8.1 255.255.255.0
ip local pool eespool 10.10.8.17-10.10.8.30
ip local pool localpool 10.10.8.33-10.10.8.46
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) xxx.yyy.97.53 192.168.10.20 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
route inside 192.168.10.0 255.255.255.0 10.10.8.2 1
route inside 192.168.11.0 255.255.255.0 10.10.8.2 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set des esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set des
crypto map partner-map 15 ipsec-isakmp
crypto map partner-map 15 match address CompanyB
crypto map partner-map 15 set peer xxx.yyy.97.34
crypto map partner-map 15 set transform-set myset
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup eeshome address-pool eespool
vpngroup eeshome dns-server 12.127.16.68
vpngroup eeshome wins-server 192.168.10.20
vpngroup eeshome default-domain CompanyB.com
vpngroup eeshome split-tunnel 101
vpngroup eeshome idle-time 1800
vpngroup eeshome password ********
01-13-2007 08:23 AM
Hi,
GOT IT :)
On Company A PIX add:
isakmp identity address
Please rate if this helped.
Regards,
Daniel
01-15-2007 06:46 AM
Daniel, thank you for trying to help.
I applied on CompanyA
isakmp identity address
but it doesn't work. Later I applied this command to Company B, but it doesn't work either. In the meantime the VPN between CompB and CompC still works fine.
When I check CompanyA:
>access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=7723)
The high hit count shows that traffic is certainly getting from A to B.
The same ACL on B shows an increasing hit counter:
> access-list CompanyA line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=424)
But, there is no QM_IDLE SA except for remote clients.
CompanyA(config)# show crypto is sa
Total : 5
Embryonic : 0
dst src state pending created
aaa.bbb.107.96 z.91.123.251 QM_IDLE 0 3
aaa.bbb.107.96 z.50.251.29 QM_IDLE 0 1
aaa.bbb.107.96 z.29.214.98 QM_IDLE 0 1
aaa.bbb.107.96 z.206.185.20 QM_IDLE 0 1
aaa.bbb.107.96 z.119.155.42 QM_IDLE 0 1
Hope this will help with something.
Thanks,
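A way to cross-check both ends of the A-B tunnel mechanically, added here as an example and not code from the thread or from Cisco: the script parses trimmed copies of the CompanyA and CompanyB fragments from the first post (the thread's own placeholder addresses) and reports where the two sides disagree. It covers the two points raised in the replies (no-xauth/no-config-mode on site-to-site keys when a dynamic map also terminates remote clients, and isakmp identity address on both peers) and goes beyond them with the generic LAN-to-LAN checks a reviewer would run anyway: mirrored crypto ACLs, NAT exemption covering every protected pair, a pre-shared key for each peer, and at least one ISAKMP policy pair that agrees on authentication, encryption, hash and DH group. The parser only understands the PIX 6.x commands shown in the thread; the function names (parse_pix, check_tunnel) and the fallback to a 0.0.0.0 wildcard key are my assumptions.

```python
import ipaddress
import re

# Trimmed copies of the two configs from the first post: the thread's own placeholder
# addresses and only the commands that matter for the CompanyA <-> CompanyB tunnel.
COMPANY_A = """
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside aaa.bbb.107.96 255.255.252.0
nat (inside) 0 access-list bypassingnat
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
crypto map newmap 20 ipsec-isakmp dynamic dynmap
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
COMPANY_B = """
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside xxx.yyy.97.34 255.255.255.240
nat (inside) 0 access-list bypassingnat
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
crypto map newmap 30 ipsec-isakmp dynamic dynmap
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255
isakmp identity address
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
"""

def _net(ip, mask):
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_pix(text):
    """Keep just the commands a LAN-to-LAN tunnel depends on (PIX 6.x syntax as in the thread)."""
    cfg = {"acl": {}, "maps": {}, "keys": {}, "policies": {},
           "nat0": None, "outside": None, "dynamic": False, "identity_address": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, sip, sm, dip, dm = m.groups()
            cfg["acl"].setdefault(name, []).append((_net(sip, sm), _net(dip, dm)))
        elif m := re.match(r"ip address outside (\S+)", line):
            cfg["outside"] = m.group(1)
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0"] = m.group(1)
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic ", line):
            cfg["dynamic"] = True  # remote-access clients terminate on this box too
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer) (\S+)", line):
            seq, what, val = m.groups()
            cfg["maps"].setdefault(seq, {})[what.split()[-1]] = val  # keys: address, peer
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask \S+(.*)$", line):
            cfg["keys"][m.group(1)] = set(m.group(2).split())  # trailing keywords such as no-xauth
        elif m := re.match(r"isakmp policy (\d+) (\w+) (\S+)", line):
            cfg["policies"].setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif line == "isakmp identity address":
            cfg["identity_address"] = True
    return cfg

def _entry_for(cfg, peer_ip):
    return next((e for e in cfg["maps"].values() if e.get("peer") == peer_ip), None)

def check_tunnel(a, b, names=("A", "B")):
    """Return human-readable findings for the tunnel between a and b; [] means both sides agree."""
    findings = []
    for me, you, mn, yn in ((a, b, *names), (b, a, *names[::-1])):
        mine, theirs = _entry_for(me, you["outside"]), _entry_for(you, me["outside"])
        if mine is None:
            findings.append(f"{mn}: no crypto map entry with peer {you['outside']}")
            continue
        pairs = set(me["acl"].get(mine.get("address"), []))
        # the far side's crypto ACL must be the exact mirror image of ours
        if theirs and pairs != {(d, s) for s, d in you["acl"].get(theirs.get("address"), [])}:
            findings.append(f"{mn}: crypto ACL {mine['address']} does not mirror {yn}'s")
        # every protected pair must be NAT-exempted, or it leaves translated and never matches
        for s, d in pairs:
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in me["acl"].get(me["nat0"], [])):
                findings.append(f"{mn}: {s} -> {d} is in the crypto ACL but not in the nat 0 list")
        flags = me["keys"].get(you["outside"], me["keys"].get("0.0.0.0"))
        if flags is None:
            findings.append(f"{mn}: no isakmp key for peer {you['outside']}")
        elif me["dynamic"] and not {"no-xauth", "no-config-mode"} <= flags:
            findings.append(f"{mn}: key for {you['outside']} lacks no-xauth/no-config-mode (dynamic map present)")
        if not me["identity_address"]:
            findings.append(f"{mn}: 'isakmp identity address' not configured")
    if not any(all(p.get(k) == q.get(k) for k in ("authentication", "encryption", "hash", "group"))
               for p in a["policies"].values() for q in b["policies"].values()):
        findings.append("no isakmp policy pair agrees on authentication/encryption/hash/group")
    return findings

if __name__ == "__main__":
    for finding in check_tunnel(parse_pix(COMPANY_A), parse_pix(COMPANY_B)):
        print(finding)
```

Run against the configs as posted, the script reports exactly the three things the replies pointed at (both keys lacking no-xauth/no-config-mode, and CompanyA missing isakmp identity address) and nothing else, which is consistent with the last post: crypto ACL hit counts climb on both sides, so proxy identities and NAT exemption line up, while the empty `show crypto isakmp sa` for the peer points at phase 1. Once those lines are added the finding list is empty; a deliberately mis-typed far-side subnet is reported as a non-mirrored ACL.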