Cisco Support Community
site to site VPN

I have this schema:

               CompanyA            CompanyB
  inside IP:   192.168.2.0         192.168.1.0
  outside IP:  aaa.bbb.107.96      xxx.yyy.97.34/28

I need to configure a site-to-site VPN between them, but something is wrong. I'll appreciate any help. The VPN for remote users works fine. Thanks.

CompanyB:

access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0

access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list CompanyC permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ip address outside xxx.yyy.97.34 255.255.255.240

ip address inside 192.168.1.5 255.255.255.0

ip local pool clientpool 192.168.6.210-192.168.6.220

global (outside) 1 xxx.yyy.97.43

nat (inside) 0 access-list bypassingnat

nat (inside) 1 172.16.100.0 255.255.255.0 0 0

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

access-group out_in in interface outside

route outside 0.0.0.0 0.0.0.0 xxx.yyy.97.33 1

route inside 172.16.100.0 255.255.255.0 192.168.1.1 1

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 30 set transform-set myset

crypto map newmap 20 ipsec-isakmp

crypto map newmap 20 match address CompanyC

crypto map newmap 20 set peer xxx.yyy.97.50

crypto map newmap 20 set transform-set myset

crypto map newmap 25 ipsec-isakmp

crypto map newmap 25 match address CompanyA

crypto map newmap 25 set peer aaa.bbb.107.96

crypto map newmap 25 set transform-set myset

crypto map newmap 30 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

isakmp enable outside

isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255

isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 1

isakmp policy 10 lifetime 14400

isakmp policy 15 authentication pre-share

isakmp policy 15 encryption des

isakmp policy 15 hash md5

isakmp policy 15 group 2

isakmp policy 15 lifetime 14400

vpngroup CHerndon address-pool clientpool

...

CompanyA:

access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside aaa.bbb.107.96 255.255.252.0

ip address inside 192.168.2.2 255.255.255.0

ip local pool clientpool 10.1.1.10-10.1.1.36

global (outside) 1 aaa.bbb.107.103 netmask 255.255.255.0

nat (inside) 0 access-list bypassingnat

nat (inside) 1 192.168.2.0 255.255.255.0 0 0

access-group out_inside in interface outside

access-group in_out in interface inside

route outside 0.0.0.0 0.0.0.0 aaa.bbb.104.1 1

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map dynmap 20 set transform-set myset

crypto map newmap 10 ipsec-isakmp

crypto map newmap 10 match address CompanyB

crypto map newmap 10 set peer xxx.yyy.97.34

crypto map newmap 10 set transform-set myset

crypto map newmap 20 ipsec-isakmp dynamic dynmap

crypto map newmap interface outside

crypto map vpngroup client authentication TACACS+

isakmp enable outside

isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

vpngroup svinzant address-pool clientpool

...
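The two configs above contain everything needed to check the tunnel definitions against each other by hand. The script below does that check mechanically; it is an added example, not code from this thread or from Cisco. It parses only the PIX 6.x lines that appear in the posted configs, and its sample input is a trimmed copy of the CompanyA and CompanyB configs in which the masked public addresses are replaced by RFC 5737 documentation addresses (198.51.100.96 standing in for CompanyA's outside, 203.0.113.34 for CompanyB's), an assumption made so that it runs stand-alone.

```python
# Cross-check two PIX 6.x configs for one site-to-site IPsec tunnel (added example).
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the CompanyA/CompanyB configs posted above, trimmed to the VPN
# lines, with the masked public addresses replaced by RFC 5737 documentation
# addresses (198.51.100.96 stands in for CompanyA, 203.0.113.34 for CompanyB).
COMPANY_A = """
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside 198.51.100.96 255.255.252.0
nat (inside) 0 access-list bypassingnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer 203.0.113.34
crypto map newmap 10 set transform-set myset
crypto map vpngroup client authentication TACACS+
isakmp key ******** address 203.0.113.34 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""
COMPANY_B = """
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside 203.0.113.34 255.255.255.240
nat (inside) 0 access-list bypassingnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer 198.51.100.96
crypto map newmap 25 set transform-set myset
isakmp key ******** address 198.51.100.96 netmask 255.255.255.255
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
"""


def parse_pix(text):
    """Pull the VPN-relevant objects out of a PIX 6.x config (subset of the syntax)."""
    c = {"acl": {}, "nat0": None, "outside": None, "maps": {}, "ts": {},
         "keys": {}, "policies": {}, "xauth_maps": set()}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            c["acl"].setdefault(m[1], []).append(
                (ip_network(f"{m[2]}/{m[3]}"), ip_network(f"{m[4]}/{m[5]}")))
        elif m := re.match(r"ip address outside (\S+) ", line):
            c["outside"] = ip_address(m[1])
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            c["nat0"] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            c["ts"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)", line):
            e = c["maps"].setdefault((m[1], int(m[2])), {})
            e[m[3].split()[-1]] = ip_address(m[4]) if m[3] == "set peer" else m[4]
        elif m := re.match(r"crypto map (\S+) client authentication", line):
            c["xauth_maps"].add(m[1])
        elif m := re.match(r"isakmp key \S+ address (\S+) netmask \S+(.*)", line):
            c["keys"][ip_address(m[1])] = set(m[2].split())  # flags: no-xauth, no-config-mode
        elif m := re.match(r"isakmp policy (\d+) (\w+) (\S+)", line):
            c["policies"].setdefault(int(m[1]), {})[m[2]] = m[3]
    return c


def check_side(local, remote, ln, rn):
    """Findings about the tunnel from LOCAL's point of view (empty list = clean)."""
    out = []
    mine = [e for e in local["maps"].values() if e.get("peer") == remote["outside"]]
    theirs = [e for e in remote["maps"].values() if e.get("peer") == local["outside"]]
    if not (mine and theirs):
        return [f"{ln}: static crypto map entries do not peer {local['outside']} <-> {remote['outside']}"]
    e, r = mine[0], theirs[0]
    flows = set(local["acl"].get(e.get("address"), []))
    mirror = {(d, s) for s, d in remote["acl"].get(r.get("address"), [])}
    if flows != mirror:  # crypto ACLs must be exact mirror images
        diff = sorted(f"{s}->{d}" for s, d in flows ^ mirror)
        out.append(f"{ln}: crypto ACL {e.get('address')} is not the mirror of {rn}'s "
                   f"{r.get('address')}: {diff}")
    exempt = local["acl"].get(local["nat0"], [])
    for s, d in flows:  # interesting traffic must be exempt from NAT/PAT
        if not any(s.subnet_of(xs) and d.subnet_of(xd) for xs, xd in exempt):
            out.append(f"{ln}: {s} -> {d} is interesting traffic but not NAT-exempt")
    if local["ts"].get(e.get("transform-set")) != remote["ts"].get(r.get("transform-set")):
        out.append(f"{ln}: transform-set differs from {rn}'s")
    flags = local["keys"].get(remote["outside"])
    if flags is None:
        out.append(f"{ln}: no isakmp key for peer {remote['outside']}")
    elif local["xauth_maps"] and "no-xauth" not in flags:
        out.append(f"{ln}: XAUTH is enabled (client authentication on map(s) "
                   f"{sorted(local['xauth_maps'])}) but the key for {remote['outside']} lacks "
                   f"no-xauth no-config-mode, so this peer will be challenged like a client")
    attrs = ("authentication", "encryption", "hash", "group")
    if not any(all(lp.get(a) == rp.get(a) for a in attrs)
               for lp in local["policies"].values() for rp in remote["policies"].values()):
        out.append(f"{ln}: no isakmp policy agrees with {rn}'s on {attrs}")
    return out


def check_pair(a, b, an, bn):
    return check_side(a, b, an, bn) + check_side(b, a, bn, an)
```

Call check_pair(parse_pix(COMPANY_A), parse_pix(COMPANY_B), "CompanyA", "CompanyB") and print the list. On the sample the only finding is CompanyA's key for 203.0.113.34 lacking no-xauth while that PIX also has crypto map client authentication configured, which is the point Daniel's first reply makes; the mirrored crypto ACLs, NAT exemption, transform set, pre-shared keys and a common ISAKMP policy all line up. Changing either side's crypto ACL, nat 0 ACL or key address produces the corresponding finding from the side that is wrong.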

4 REPLIES

Re: site to site VPN

Hi,

This is seen really often when having remote clients and site-to-site on the same machine.

Add the following keywords to the site-to-site keys:

isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255 no-xauth no-config-mode

That should do it.

Please rate if this helped.

Regards,

Daniel


Re: site to site VPN

I tried this, but unfortunately it doesn't help.

We also have CompanyC connected with CompanyB via VPN, and everything is smooth between these two sites. The problem is just between A and B.

I'll post the CompanyC config if it helps:

CompanyC:

access-list acl_outside permit icmp any any echo-reply

access-list acl_inside permit ip any any

access-list 101 permit ip 192.168.11.0 255.255.255.0 10.10.8.16 255.255.255.240

access-list 103 permit ip 192.168.10.0 255.255.255.0 10.10.8.32 255.255.255.240

access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.16 255.255.255.240

access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.32 255.255.255.240

access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list CompanyB permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside xxx.yyy.97.50 255.255.255.248

ip address inside 10.10.8.1 255.255.255.0

ip local pool eespool 10.10.8.17-10.10.8.30

ip local pool localpool 10.10.8.33-10.10.8.46

global (outside) 1 interface

nat (inside) 0 access-list 100

nat (inside) 1 192.168.10.0 255.255.255.0 0 0

nat (inside) 1 192.168.11.0 255.255.255.0 0 0

static (inside,outside) xxx.yyy.97.53 192.168.10.20 netmask 255.255.255.255 0 0

access-group acl_outside in interface outside

access-group acl_inside in interface inside

conduit permit icmp any any

route outside 0.0.0.0 0.0.0.0 10.10.1.1 1

route inside 192.168.10.0 255.255.255.0 10.10.8.2 1

route inside 192.168.11.0 255.255.255.0 10.10.8.2 1

sysopt connection permit-ipsec

no sysopt route dnat

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto ipsec transform-set des esp-des esp-md5-hmac

crypto dynamic-map cisco 4 set transform-set des

crypto map partner-map 15 ipsec-isakmp

crypto map partner-map 15 match address CompanyB

crypto map partner-map 15 set peer xxx.yyy.97.34

crypto map partner-map 15 set transform-set myset

crypto map partner-map 20 ipsec-isakmp dynamic cisco

crypto map partner-map interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255

isakmp identity address

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 2

isakmp policy 8 lifetime 28800

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 28800

vpngroup eeshome address-pool eespool

vpngroup eeshome dns-server 12.127.16.68

vpngroup eeshome wins-server 192.168.10.20

vpngroup eeshome default-domain CompanyB.com

vpngroup eeshome split-tunnel 101

vpngroup eeshome idle-time 1800

vpngroup eeshome password ********

Re: site to site VPN

Hi,

GOT IT :)

On Company A PIX add:

isakmp identity address

Please rate if this helped.

Regards,

Daniel


Re: site to site VPN

Daniel, thank you for trying to help.

I applied on CompanyA

isakmp identity address

but it doesn't work. Later I applied this command to CompanyB, but it doesn't work either. In the meantime the VPN between CompB and CompC still works fine.

When I check CompanyA:

>access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=7723)

The high hit count shows that traffic is certainly getting from A to B.

The same ACL on B shows an increasing hit counter:

> access-list CompanyA line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=424)

But there is no QM_IDLE SA except for the remote clients.

CompanyA(config)# show crypto is sa

Total     : 5
Embryonic : 0
        dst               src          state    pending  created
    aaa.bbb.107.96    z.91.123.251    QM_IDLE      0        3
    aaa.bbb.107.96    z.50.251.29     QM_IDLE      0        1
    aaa.bbb.107.96    z.29.214.98     QM_IDLE      0        1
    aaa.bbb.107.96    z.206.185.20    QM_IDLE      0        1
    aaa.bbb.107.96    z.119.155.42    QM_IDLE      0        1

Hope this will help with something.

Thanks,
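The `show crypto isakmp sa` listing above is the right place to look, because an SA's main-mode state tells you how far phase 1 got before it stalled. The script below reads such a listing and says, for each expected site-to-site peer, which state it reached and what to check next. It is an added example, not part of the original post or Cisco's own tooling: the sample output is constructed from the listing above with the masked addresses replaced by RFC 5737 documentation addresses (198.51.100.96 for CompanyA's outside, 192.0.2.x for the remote-access clients), and the per-state advice follows the main-mode state meanings in Cisco's IKE documentation.

```python
# Triage PIX `show crypto isakmp sa` output against the site-to-site peers a box
# should have (added example).
import re
from ipaddress import ip_address

# Constructed sample modelled on the output in the post above; masked addresses are
# replaced by RFC 5737 documentation addresses (198.51.100.96 stands in for
# CompanyA's outside address, 192.0.2.x for the remote-access clients).
SHOW_ISAKMP_SA = """
Total     : 5
Embryonic : 0
        dst               src          state    pending  created
    198.51.100.96     192.0.2.251     QM_IDLE      0        3
    198.51.100.96     192.0.2.29      QM_IDLE      0        1
    198.51.100.96     192.0.2.98      QM_IDLE      0        1
    198.51.100.96     192.0.2.20      QM_IDLE      0        1
    198.51.100.96     192.0.2.42      QM_IDLE      0        1
"""

# IKEv1 main-mode states as Cisco documents them, with the usual next step for each.
STATE_ADVICE = {
    "MM_NO_STATE": "ISAKMP SA created but nothing else happened: the first packet got no "
                   "reply, so check UDP/500 reachability and that the peer address is right",
    "MM_SA_SETUP": "peers agreed on the phase-1 policy; the key exchange has not completed",
    "MM_KEY_EXCH": "Diffie-Hellman done but the SA is still unauthenticated; an SA stuck "
                   "here usually means a pre-shared key or ISAKMP identity mismatch",
    "MM_KEY_AUTH": "phase 1 authenticated; the SA moves to QM_IDLE and quick mode starts",
    "QM_IDLE": "phase 1 is up; if traffic still fails, look at phase 2 (crypto ACL "
               "mirror, transform set, show crypto ipsec sa)",
}


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header and counter lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)\s+([A-Z]{2}_[A-Z_]+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            rows.append({"dst": ip_address(m[1]), "src": ip_address(m[2]),
                         "state": m[3], "pending": int(m[4]), "created": int(m[5])})
    return rows


def triage(show_output, site_peers):
    """site_peers maps a name to the outside address of a static (site-to-site) peer.
    Returns ({name: (state or None, advice)}, number of SAs with any other peer)."""
    rows = parse_isakmp_sa(show_output)
    wanted = {ip_address(ip): name for name, ip in site_peers.items()}
    verdict = {}
    for ip, name in wanted.items():
        hits = [r for r in rows if ip in (r["src"], r["dst"])]
        if not hits:
            verdict[name] = (None, "no ISAKMP SA with this peer at all: phase 1 has not "
                             "started or was torn down; confirm the crypto ACL hit count "
                             "is rising, that UDP/500 is allowed between the two outside "
                             "addresses, and run debug crypto isakmp on both sides while "
                             "generating traffic")
        else:
            state = hits[0]["state"]
            verdict[name] = (state, STATE_ADVICE.get(state, "state not in the table above"))
    # Remote-access clients come and go; count them but do not judge them.
    others = sum(1 for r in rows if not (r["src"] in wanted or r["dst"] in wanted))
    return verdict, others
```

For the listing in the post, triage(SHOW_ISAKMP_SA, {"CompanyB": "203.0.113.34"}) reports no SA at all for CompanyB and five SAs with other peers, the remote clients; that is a different situation from an SA stuck in MM_KEY_EXCH, which would point at the pre-shared key or identity instead.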
