Route aggregation

pbrown · ‎11-13-2002

I'm setting up a PIX to IOS IPSec VPN. The PIX is on the corporat side and there are several remote networks connected via private lines behind the PIX. The VPN works fine when using 24 bit access lists. If I try to aggregate all of the corp side networks, the tunnel breaks. Is there a fix?

======= WORKING CONFIG =========

crypto map pix 10 ipsec-isakmp

set peer x.x.x.x

set transform-set pix-set

match address 101

!

access-list 101 permit ip 172.25.10.0 0.0.0.255 172.17.10.0 0.0.0.255

!

======= NON-WORKING CONFIG =========

crypto map pix 10 ipsec-isakmp

set peer x.x.x.x

set transform-set pix-set

match address 101

!

access-list 101 permit ip 172.25.10.0 0.0.0.255 172.16.0.0 0.15.255.255

!

Thanks,

Patrick Brown

gfullage · ‎11-18-2002

Do you change the access-list on the PIX to be the exact opposite of this at the same time? Do you remove the crypto map off the interface BEFORE changing the access-list, otherwise all traffic will lock up on this device? Do you clear the SA's on both sides?

There shouldn't be any issue with this, as long as the ACL matches on both ends. What do you mean by "the tunnel breaks" exactly?