412
Views
8
Helpful
2
Replies

two tunnel ipsec

lformelli
Level 1

Hi,

I have in my enterprise two offices which are connected through a tunnel IPSec (VPN) configured with PIX 501 on each site.

Now I have to deploy another office and I need to connect it to one of the existing sites.

Can I configure on PIX 501 another tunnel IPSec ?

Can somebody point me to a document about this?

Best regards

Lorenzo

2 Replies

Jon Marshall
Hall of Fame

Lorenzo

Yes, you can add a second IPSEC tunnel. To do this you need to:

Pix1 is existing site.

Pix2 is new site.

1) Add a new key on both Pix1 and Pix2.

2) You won't need any more isakmp settings on Pix1 as long as you are using the same settings.

3) On Pix1 you presumably have a crypto map setup already. So you need to add another entry for the crypto map. You can only have one crypto map so for example if you have on Pix1

crypto map vpn-set 10 ipsec-isakmp
crypto map vpn-set 10 match address existingsite
crypto map vpn-set 10 set pfs group2
crypto map vpn-set 10 set peer x.x.x.x
crypto map vpn-set 10 set transform-set ESP-3DES-SHA
crypto map vpn-set 10 set security-association lifetime seconds 3600 kilobytes 4608000

you would then simply add another sequence number to the crypto map

crypto map vpn-set 20 ipsec-isakmp
crypto map vpn-set 20 match address newsite
crypto map vpn-set 20 set pfs group2
crypto map vpn-set 20 set peer x.x.x.x
crypto map vpn-set 20 set transform-set ESP-3DES-SHA
crypto map vpn-set 20 set security-association lifetime seconds 3600 kilobytes 4608000

The crypto map sequence numbers are only relevant on each pix so you don't have to match sequence numbers across firewalls.

4) On Pix2 setup crypto map.

HTH

Jon
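A small checker for the procedure above, added here as an example and not part of Jon's reply or any Cisco tool: it parses PIX-style `crypto map` lines, confirms every sequence carries a match address, peer and transform-set, and flags two things that commonly break a second tunnel, a second crypto map name (only one map can be applied to the outside interface) and an ACL reused by two sequences. The peer addresses in the sample are constructed placeholders from the documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the two-entry crypto map in the reply above;
# peer addresses are made-up documentation-range values, not real endpoints.
SAMPLE_CONFIG = """
crypto map vpn-set 10 ipsec-isakmp
crypto map vpn-set 10 match address existingsite
crypto map vpn-set 10 set pfs group2
crypto map vpn-set 10 set peer 192.0.2.10
crypto map vpn-set 10 set transform-set ESP-3DES-SHA
crypto map vpn-set 20 ipsec-isakmp
crypto map vpn-set 20 match address newsite
crypto map vpn-set 20 set pfs group2
crypto map vpn-set 20 set peer 198.51.100.20
crypto map vpn-set 20 set transform-set ESP-3DES-SHA
crypto map vpn-set 20 set security-association lifetime seconds 3600 kilobytes 4608000
"""

LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
REQUIRED = ("match address", "set peer", "set transform-set")

def parse_crypto_map(text):
    """Return {(map_name, seq): {"match address": acl, "set peer": ip, ...}}."""
    entries = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a crypto map line (isakmp, access-list, etc.)
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        for key in REQUIRED + ("set pfs",):
            if rest.startswith(key + " "):
                value = rest[len(key):].split()
                entries[(name, seq)][key] = value[0] if value else ""
                break
        else:  # e.g. "ipsec-isakmp" or the SA lifetime line: keep but do not validate
            entries[(name, seq)].setdefault("other", []).append(rest)
    return dict(entries)

def check_crypto_map(text):
    """Return a list of readable problems; an empty list means the map looks consistent."""
    entries = parse_crypto_map(text)
    problems = []
    names = {name for name, _ in entries}
    if len(names) > 1:
        problems.append(f"more than one crypto map name {sorted(names)}; "
                        "only one map can be applied to the interface")
    acl_owner = {}  # ACL name -> first sequence that uses it
    for (name, seq), fields in sorted(entries.items()):
        for key in REQUIRED:
            if key not in fields:
                problems.append(f"{name} {seq}: missing '{key}'")
        acl = fields.get("match address")
        if acl in acl_owner:
            problems.append(f"{name} {seq}: ACL {acl} already used by sequence {acl_owner[acl]}")
        elif acl:
            acl_owner[acl] = seq
    return problems
```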