
New Member

Two site-to-site tunnels and vpnclient access as well

I have 2 remote sites, 1 with a static IP and 1 with a dynamic IP; they connect to a central site which has a PIX 501. I was able to get 2 IPsec tunnels working fine for a while, but just now my client wants the ability to have workers use the vpnclient to connect to the PIX as well. The problem I'm having is that after adding the vpngroup config my site with the dynamic IP can no longer connect. I had to use the current IP they have now and set up an additional peer in the crypto map, but if that IP changes I have to go in and change the config.

Here is the relevant info in the config:

access-list ipsec permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ipsec2 permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer <static_site>
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp
crypto map oadcmap 22 match address ipsec2
crypto map oadcmap 22 set peer <dynamic_site>
crypto map oadcmap 22 set transform-set oadcset
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
crypto map oadcmap interface outside
isakmp enable outside
isakmp key ******** address <static_site> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <dynamic_site> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800
vpngroup oadcgroup address-pool oadcclient
vpngroup oadcgroup dns-server 192.168.100.3
vpngroup oadcgroup default-domain clientdomain.com
vpngroup oadcgroup idle-time 1800
vpngroup oadcgroup password ********

Any help is appreciated,

Ken


8 REPLIES

Re: Two site-to-site tunnels and vpnclient access as well

Ken

Run debug crypto isakmp sa and debug crypto ipsec sa and see what the error messages are. These commands will help you a great deal in troubleshooting IPsec tunnels.

Raj

Silver (accepted solution)

Re: Two site-to-site tunnels and vpnclient access as well

sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap1 30 set transform-set oadcset
crypto dynamic-map oadcdynmap1 30 match address ipsec2
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap

Try this and see if it helps. I have something similar on a router; not sure if the PIX supports it. Worth a try, though.

New Member

Re: Two site-to-site tunnels and vpnclient access as well

That looks pretty good, attrgautam. I'll give it a try tonight when they are off. As far as the isakmp key, I'll change it to:

isakmp key ***** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

Thanks

Silver

Re: Two site-to-site tunnels and vpnclient access as well

Asking out of curiosity, did it work? Honestly, I didn't expect it to.

New Member

Re: Two site-to-site tunnels and vpnclient access as well

Hi,

No, I just tried it tonight and it didn't work out. Seems like you can't have two dynamic maps. After I removed crypto map oadcmap 22 I then did the following:

(config)#crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1
Invalid dynamic map tag specified
ERROR: Unable to initialized crypto map entry

Still looking for a solution though.

Thanks for your help, it looked good on paper.

Silver

Re: Two site-to-site tunnels and vpnclient access as well

crypto dynamic-map oadcdynmap1 30 set transform-set oadcset
crypto dynamic-map oadcdynmap1 30 match address ipsec2

Did you add these as well?

New Member

Re: Two site-to-site tunnels and vpnclient access as well

No, I tried adding the other line first. Maybe I'll try again, but add those 2 lines first and then the

#crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1

next.

Thanks again for the help.

New Member

Re: Two site-to-site tunnels and vpnclient access as well

That did the trick, thanks attrgautam! Here is the relevant config info that worked:

access-list ipsec permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ipsec2 permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto dynamic-map oadchope 30 match address ipsec2
crypto dynamic-map oadchope 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp dynamic oadchope
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
crypto map oadcmap interface outside
isakmp enable outside
isakmp key ******** address netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800
vpngroup oadcgroup address-pool oadcclient
vpngroup oadcgroup dns-server 192.168.100.3
vpngroup oadcgroup default-domain mydomain.com
vpngroup oadcgroup split-tunnel nonat
vpngroup oadcgroup idle-time 1800
vpngroup oadcgroup password ********

This config allowed the sites with the dynamic IP and the static IP to connect, and remote vpnclient users to create tunnels as well.

Thanks Again,

Ken
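To make the final config above easier to reason about, here is an added Python model of the selection logic it relies on; it is not code from the thread or from Cisco. It assumes a PIX 6.x behaviour of matching "isakmp key" entries by address/netmask and trying crypto map entries in sequence order, and it uses constructed placeholder peer addresses, since the thread redacts them. The wildcard key means the PIX no longer tells the dynamic site apart by address; the proxy identities in the ACL are what steer it to the oadchope entry rather than to the catch-all used by VPN clients.

```python
# Added example (not from the thread): a small model of how a PIX 6.x picks a
# pre-shared key and a crypto map entry for an inbound IKE/IPsec negotiation.
# Keys match by peer address/netmask. Crypto map entries are tried in sequence
# order: a static entry needs the peer address to match, a dynamic entry with
# "match address" needs the proposed proxy identities inside its ACL, and a
# dynamic entry without an ACL accepts any proxy identity (the VPN clients).
# Networks are the thread's; the peer addresses are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Entry:
    seq: int
    peer: Optional[str] = None             # static peer, None for dynamic
    acl: Optional[Tuple[str, str]] = None  # (local_net, remote_net) of the ACL

STATIC_PEER = "203.0.113.10"   # placeholder for <static_site>
OLD_DYNAMIC = "198.51.100.5"   # placeholder for the dynamic site's old address

# "isakmp key" entries as (address, netmask). The original config keyed the
# dynamic site by its address of the day; the final config adds a wildcard key.
KEYS_ORIG = [(STATIC_PEER, "255.255.255.255"), (OLD_DYNAMIC, "255.255.255.255")]
KEYS_FINAL = [(STATIC_PEER, "255.255.255.255"), ("0.0.0.0", "0.0.0.0")]

# Final crypto map: 21 static, 22 dynamic oadchope (ACL ipsec2), 25 catch-all.
MAP_FINAL = [
    Entry(21, peer=STATIC_PEER, acl=("192.168.100.0/24", "192.168.150.0/24")),
    Entry(22, acl=("192.168.100.0/24", "192.168.125.0/24")),
    Entry(25),
]

def key_for_peer(peer_ip: str, keys) -> bool:
    """True if an 'isakmp key ... address A netmask M' entry covers peer_ip."""
    ip = int(ip_address(peer_ip))
    return any(ip & int(ip_address(m)) == int(ip_address(a)) & int(ip_address(m))
               for a, m in keys)

def select_entry(peer_ip: str, local: str, remote: str, cmap=MAP_FINAL):
    """Sequence number of the first entry that services the proposal, or None."""
    for e in sorted(cmap, key=lambda x: x.seq):
        if e.peer is not None and e.peer != peer_ip:
            continue                       # static entry for another peer
        if e.acl is not None and not (
                ip_network(local).subnet_of(ip_network(e.acl[0]))
                and ip_network(remote).subnet_of(ip_network(e.acl[1]))):
            continue                       # proxy IDs outside this entry's ACL
        return e.seq
    return None
```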
