01-07-2014 07:06 AM - edited 03-11-2019 08:25 PM
I am a bit of a novice on these devices, but can anyone help? I need to create a second tunnel using the same policy settings; policy 20 is the current settings. How would I go about doing this? So far I have created most of policy 21. This second tunnel is for a different peer.
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer aaa.aaa.aaa.aaa
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer bbb.bbb.bbb.bbb
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
and would like to add
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption aes-256
isakmp policy 21 hash sha
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800
I have made an assumption that the policy numbers are references to the two different tunnels I wish to use.
many thanks,
C.
01-07-2014 07:13 AM
Hi,
In both the "crypto map" and "isakmp policy" configurations the number listed in the command simply refers to a sequence/order/priority number.
So for example when VPN negotiation initiates the ones with the lower numeric value will get matched first until the correct match is found.
The numeric values in the "crypto map" and "isakmp policy" don't have anything to do with each other.
Because of this, if your new L2L VPN connection uses the same parameters for Phase 1 then you won't have to add another ISAKMP policy, as the one required already exists. ISAKMP policies configured on your firewall can't be attached to a certain VPN connection. Every one of your ISAKMP policies is compared/matched against the remote VPN device's policies during the negotiation and then the match is found.
So simply don't configure the "isakmp policy 21" since it's not needed.
Hope this clarifies things.
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed
- Jouni
01-07-2014 07:38 AM
Thanks Jouni,
So my correct config would be something like
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20 (list of interesting traffic)
crypto map outside_map 20 set peer aaa.aaa.aaa.aaa
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
and my new connection (to be tried second as it has lower priority, or is that just on Phase 1?)
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21 (list of interesting traffic)
crypto map outside_map 21 set peer bbb.bbb.bbb.bbb
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
many thanks,
C.
01-07-2014 07:43 AM
Hi,
Yes, that looks about right.
The "crypto map" lines for different L2L VPN connections will always have their own number.
You only need additional "isakmp policy" configurations when you actually need to have different values for the Phase 1 negotiations. For example if you wanted to use 3DES/MD5 for the other connection then you would need policy for that.
- Jouni
01-07-2014 08:41 AM
Hi Jouni,
It's partially working now. However, I have a problem that the 'interesting traffic' for my original tunnel is bringing up the new VPN connection. I have checked my access lists and it all looks good. Is the sequence number that is set on the crypto map outside_map going to be a problem if they are so close?
Current config is
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20 (interesting traffic definitely correct)
crypto map outside_map 20 set peer aaa.aaa.aaa.aaa
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21 (interesting traffic definitely correct)
crypto map outside_map 21 set peer bbb.bbb.bbb.bbb
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
any advice greatly appreciated.
C.
01-07-2014 08:53 AM
Hi,
If you generate traffic from your end then it will only match one section of the Crypto Map and should not have anything to do with the new connection's configuration. Only if your traffic doesn't match the lower numeric value entry in the Crypto Map will it be matched against the next entry.
If it has already matched the "crypto map outside_map 20" then it won't match the "crypto map outside_map 21".
Are you sure that the remote device is not bringing up the VPN tunnel?
As I don't know your NAT/ACL configurations related to these L2L VPN connections, it's hard for me to say if there is anything special with the situation.
The numeric value in the "crypto map" configurations shouldn't really matter since the traffic should only match a single configuration in the "crypto map". Usually the main thing is that all the L2L VPN "crypto map" configurations are of lower numeric value compared to the dynamic entries meant for the VPN Client in the "crypto map", which should be last.
- Jouni
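As an added illustration of the two points Jouni makes in this thread (the ISAKMP policy number is a global priority with no binding to a peer, and the crypto map is evaluated first-match by sequence number), here is a small Python model of both matching processes plus the check the original poster wanted: whether a later crypto map entry's ACL is shadowed by an earlier one. This is example code written for this page, not the ASA's logic or any Cisco code; the policies, networks and ACLs are constructed, and the 198.51.100.x / 203.0.113.x addresses are RFC 5737 documentation ranges standing in for aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb.

```python
"""Added example, not from the thread or from Cisco: a model of how ISAKMP
policies and crypto map entries are walked, using constructed sample data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int      # the "isakmp policy <n>" number; lower is compared first
    auth: str
    encryption: str
    hash: str
    group: int
    lifetime: int      # not part of the match: the shorter of the two sides wins


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int           # the "crypto map outside_map <n>" sequence number
    peer: str
    acl: tuple         # the "match address" ACL as (src_net, dst_net) permit pairs
    transform_set: str


def negotiate_phase1(local_policies, peer_proposal):
    """Phase 1: walk every configured policy in priority order and return the
    first whose parameters equal the peer's proposal. Policies are global, so
    one policy serves every peer that proposes matching values."""
    for pol in sorted(local_policies, key=lambda p: p.priority):
        if (pol.auth, pol.encryption, pol.hash, pol.group) == (
            peer_proposal["auth"], peer_proposal["encryption"],
            peer_proposal["hash"], peer_proposal["group"]):
            return pol
    return None


def select_crypto_map_entry(entries, src_ip, dst_ip):
    """Interesting traffic: the crypto map is evaluated first-match by sequence
    number. A flow that matches entry 20 is never compared with entry 21."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for entry in sorted(entries, key=lambda e: e.seq):
        for src_net, dst_net in entry.acl:
            if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
                return entry
    return None


def shadowed_acl_lines(entries):
    """Config check: ACL lines of a later entry that are fully covered by an
    earlier entry's ACL can never match, so local traffic for that peer would
    be sent to the earlier peer instead. Returns (shadowed_seq, shadowing_seq, line)."""
    ordered = sorted(entries, key=lambda e: e.seq)
    findings = []
    for i, later in enumerate(ordered):
        for line in later.acl:
            s_net, d_net = map(ipaddress.ip_network, line)
            for earlier in ordered[:i]:
                if any(s_net.subnet_of(ipaddress.ip_network(es))
                       and d_net.subnet_of(ipaddress.ip_network(ed))
                       for es, ed in earlier.acl):
                    findings.append((later.seq, earlier.seq, line))
                    break
    return findings


# Constructed configuration mirroring the thread: one ISAKMP policy, two map entries.
POLICIES = [IsakmpPolicy(20, "pre-share", "aes-256", "sha", 2, 28800)]
ENTRIES = [
    CryptoMapEntry(20, "198.51.100.1", (("10.1.0.0/16", "172.16.20.0/24"),), "ESP-AES-256-SHA"),
    CryptoMapEntry(21, "203.0.113.1", (("10.1.0.0/16", "172.16.21.0/24"),), "ESP-AES-256-SHA"),
]

if __name__ == "__main__":
    peer_b = {"auth": "pre-share", "encryption": "aes-256", "hash": "sha", "group": 2}
    print("second peer matches policy", negotiate_phase1(POLICIES, peer_b).priority)
    print("10.1.5.5 -> 172.16.21.9 uses entry",
          select_crypto_map_entry(ENTRIES, "10.1.5.5", "172.16.21.9").seq)
    print("shadowed lines:", shadowed_acl_lines(ENTRIES))
```

With the non-overlapping ACLs above, `shadowed_acl_lines` returns nothing and each destination lands on its own entry; if entry 20's ACL were widened to cover 172.16.0.0/16, the check would flag entry 21's line and traffic for the second peer would be steered into the first tunnel, which is the kind of ACL overlap worth ruling out before suspecting the sequence numbers themselves.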
01-07-2014 11:44 PM
Hi,
Were you able to get your new L2L VPN connection working properly with the new one? Are there any problems with the VPNs still?
- Jouni
01-08-2014 01:38 AM
Hi Jouni,
I think the remote site may be bringing the tunnel up (I am getting lots of debug crypto isakmp traffic without sending interesting traffic). I am getting this for both the old tunnel and the new tunnel, which I assume wouldn't have been a problem when there was only a single tunnel.
I am talking to my contact at the other end and getting them to check their configuration to find out if this is the case.
I take it without interesting traffic from my end there should be no debug crypto isakmp traffic, is that correct or is there a keepalive type scenario that could be trying to keep the tunnels alive ?
Many thanks, you have been most helpful; hope to get it fixed today.
C.