PIX501 configure a second tunnel to new peer.

Chris McCann
Level 1

I am a bit of a novice on these devices, but can anyone help? I need to create a second tunnel using the same policy settings; policy 20 is the current settings. How would I go about doing this? So far I have created most of policy 21. This second tunnel is for a different peer.

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer aaa.aaa.aaa.aaa

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map 21 ipsec-isakmp

crypto map outside_map 21 match address outside_cryptomap_21

crypto map outside_map 21 set peer bbb.bbb.bbb.bbb

crypto map outside_map 21 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 28800

and would like to add

isakmp policy 21 authentication pre-share

isakmp policy 21 encryption aes-256

isakmp policy 21 hash sha

isakmp policy 21 group 2

isakmp policy 21 lifetime 28800

I have made an assumption that the policy numbers are references to the two different tunnels I wish to use.

many thanks,

C.

7 Replies

Jouni Forss
VIP Alumni

Hi,

In both the "crypto map" and "isakmp policy" configurations the number listed in the command simply refers to a sequence/order/priority number.

So, for example, when VPN negotiation initiates, the ones with the lower numeric value will get matched first until the correct match is found.

The numeric values in the "crypto map" and "isakmp policy" don't have anything to do with each other.

Because of this, if your new L2L VPN connection uses the same parameters for Phase 1 then you won't have to add another ISAKMP Policy, as the one required already exists. ISAKMP Policies configured on your firewall can't be attached to a certain VPN connection. Every one of your ISAKMP Policies is compared/matched against the remote VPN device's policies during the negotiation, and then the match is found.

So simply don't configure the "isakmp policy 21", since it's not needed.

Hope this clarifies things

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed

- Jouni

Thanks Jouni,

So my correct config would be something like

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20 (list of interesting traffic)

crypto map outside_map 20 set peer aaa.aaa.aaa.aaa

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

and my new connection (to be tried second as it has lower priority, or is that just on Phase 1?)

crypto map outside_map 21 ipsec-isakmp

crypto map outside_map 21 match address outside_cryptomap_21 (list of interesting traffic)

crypto map outside_map 21 set peer bbb.bbb.bbb.bbb

crypto map outside_map 21 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 28800
many thanks,

C.

Hi,

Yes, that looks about right.

The "crypto map" lines for different L2L VPN connections will always have their own number.

You only need additional "isakmp policy" configurations when you actually need to have different values for the Phase 1 negotiations. For example if you wanted to use 3DES/MD5 for the other connection then you would need policy for that.

- Jouni

Hi Jouni,

It's partially working now. However, I have a problem that the 'interesting traffic' for my original tunnel is bringing up the new VPN connection. I have checked my access lists and it all looks good. Is the sequence number that is set on the crypto map outside_map going to be a problem if they are so close?

Current config is

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20 (interesting traffic definitely correct)

crypto map outside_map 20 set peer aaa.aaa.aaa.aaa

crypto map outside_map 20 set transform-set ESP-AES-256-SHA

crypto map outside_map 21 ipsec-isakmp

crypto map outside_map 21 match address outside_cryptomap_21 (interesting traffic definitely correct)

crypto map outside_map 21 set peer bbb.bbb.bbb.bbb

crypto map outside_map 21 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address aaa.aaa.aaa.aaa netmask 255.255.255.255 no-xauth no-config-mode

isakmp key ******** address bbb.bbb.bbb.bbb netmask 255.255.255.255 no-xauth no-config-mode

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes-256

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 28800

any advice greatly appreciated.

C.

Hi,

If you generate traffic from your end then it will only match one section of the Crypto Map and should not have anything to do with the new connection's configuration. Only if your traffic doesn't match the lower numeric value entry in the Crypto Map will it be matched against the next entry.

If it has already matched the "crypto map outside_map 20" then it won't match the "crypto map outside_map 21".

Are you sure that the remote device is not bringing up the VPN tunnel?

As I don't know your NAT/ACL configurations related to these L2L VPN connections, it's hard for me to say if there is anything special with the situation.

The numeric value in the "crypto map" configurations shouldn't really matter, since the traffic should only match a single configuration in the "crypto map". Usually the main thing is that all the L2L VPN "crypto map" configurations are of lower numeric value compared to the dynamic entries meant for VPN Clients in the "crypto map", which should be last.

- Jouni
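As an added illustration (not part of the thread), here is a small Python model of the two matching rules Jouni describes in the first reply and in the reply above: traffic is tested against crypto map entries in ascending sequence order and stops at the first "match address" ACL that permits it, while every ISAKMP policy is compared against the peer's proposal in priority order, with no link between the two sets of numbers. The networks, ACL contents and peer names are constructed placeholders; ACL 21 is deliberately made to overlap ACL 20 to show why the lower sequence number still wins.

```python
import ipaddress

# Constructed sample, mirroring the thread: two crypto map entries on outside_map.
# Peer addresses are placeholders, as in the original post.
CRYPTO_MAP = [
    (21, "outside_cryptomap_21", "bbb.bbb.bbb.bbb"),
    (20, "outside_cryptomap_20", "aaa.aaa.aaa.aaa"),
]

# Constructed "interesting traffic" ACLs: (source network, destination network).
# ACL 21 intentionally overlaps ACL 20 so the sequence-order rule is visible.
ACLS = {
    "outside_cryptomap_20": [("10.1.0.0/16", "192.168.10.0/24")],
    "outside_cryptomap_21": [("10.1.0.0/16", "192.168.0.0/16")],
}

def acl_permits(acl_name, src, dst):
    """True if any entry in the named ACL covers the src/dst pair."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src_ip in ipaddress.ip_network(s) and dst_ip in ipaddress.ip_network(d)
               for s, d in ACLS[acl_name])

def select_crypto_map_entry(src, dst):
    """Walk the crypto map in ascending sequence order and return (seq, peer)
    for the first entry whose match-address ACL permits the flow; None if no
    entry matches (the flow then goes out unencrypted, not over any tunnel)."""
    for seq, acl_name, peer in sorted(CRYPTO_MAP):
        if acl_permits(acl_name, src, dst):
            return seq, peer
    return None

# The single ISAKMP policy from the thread. Its number is a priority only and
# has no relationship to the crypto map sequence numbers above.
ISAKMP_POLICIES = {
    20: {"authentication": "pre-share", "encryption": "aes-256", "hash": "sha", "group": 2},
}

def select_isakmp_policy(remote_proposal):
    """Compare every local policy, lowest number first, against the peer's
    proposal and return the number of the first exact match (None: Phase 1
    fails). Lifetime is left out: it is negotiated, not required to match."""
    for num in sorted(ISAKMP_POLICIES):
        if ISAKMP_POLICIES[num] == remote_proposal:
            return num
    return None

if __name__ == "__main__":
    print(select_crypto_map_entry("10.1.5.5", "192.168.10.7"))  # (20, 'aaa.aaa.aaa.aaa')
    print(select_crypto_map_entry("10.1.5.5", "192.168.20.7"))  # (21, 'bbb.bbb.bbb.bbb')
    print(select_isakmp_policy({"authentication": "pre-share", "encryption": "3des",
                                "hash": "md5", "group": 2}))    # None
```

Traffic to 192.168.10.7 is covered by both ACLs but is bound to peer aaa.aaa.aaa.aaa (sequence 20), so a correctly written ACL 20 cannot by itself bring up the sequence 21 tunnel; a 3DES/MD5 proposal finds no match until a second policy is added, as Jouni notes.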

Hi,

Were you able to get your new L2L VPN connection working properly with the new one? Are there any problems with the VPNs still?

- Jouni

Hi Jouni,

I think the remote site may be bringing the tunnel up (I am getting lots of debug crypto isakmp traffic without sending interesting traffic). I am getting this for both the old tunnel and the new tunnel, which I assume wouldn't have been a problem when there was only a single tunnel.

I am talking to my contact at the other end and getting them to check their configuration to find out if this is the case.

I take it that without interesting traffic from my end there should be no debug crypto isakmp traffic. Is that correct, or is there a keepalive type scenario that could be trying to keep the tunnels alive?

many thanks, you have been most helpful, hope to get it fixed today

C.
