05-17-2002 12:47 PM - edited 02-21-2020 11:45 AM
I have a working VPN tunnel between a remote site with a 1720 and at HQ with a 515 Pix. I am trying to establish another tunnel from another remote site with a 2620 to the same interface on the Pix. I used the config from the following URL as a base http://www.cisco.com/warp/public/110/pixhubspoke.html. I have been able to successfully create the tunnel from the new remote site by itself, but not both tunnels at the same time. I am running all the debug crypto commands on both the router and the Pix. It does not even look like it is trying to establish an ISAKMP SA. The only debug I have got from the 2620 at the remote site is CRYPTO_ENGINE key generation suspended and continued. Any ideas?
TIA,
RJ
05-23-2002 06:43 PM
Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen
If anyone else in the forum has some advice, please reply to this thread.
Thank you for posting.
05-29-2002 08:24 PM
On the 515 PIX you need a map set for each peer. That is not clear in the documentation. You can't just list peers. For example below are sets 34 and 136. I don't know the limit of sets but the documentation says we can have 2000 vpn tunnels.
crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address ACL34
crypto map WICmap 34 set peer 1.2.3.4
crypto map WICmap 34 set transform-set WICTransform
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address ACL136
crypto map WICmap 136 set peer 1.3.4.2
crypto map WICmap 136 set transform-set WICTransform
05-30-2002 11:27 AM
Thanks for your reply. My problem with my config is that I was using the same access-list for both destination tunnels in both sequences of my crypto map. Because I was using the same access-list for inbound traffic from both sites on the Pix, I thought you had to use the same access-list for outgoing traffic from the Pix. As an example I created a supernet on the Pix:
Central Pix = access-list Pix 192.168.0.0 255.255.252.0
Router A = access-list A 192.168.1.0 255.255.255.0
Router B = access-list B 192.168.2.0 255.255.255.0
So the subnet on the access-list on the Pix would cover both subnets on the remote routers. That will not work so I changed to 2 different access-list on the Pix.
Thanks,
RJ
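The failure RJ describes above (one supernet crypto ACL referenced by both map entries) and the per-peer map layout from the earlier reply can both be checked mechanically. The script below is an added example, not configuration from this thread or from Cisco: it embeds a constructed "broken" and "fixed" hub config (peer addresses and map name are taken from the posted map; the hub LAN 10.1.1.0/24, the ACL names and the spoke ACLs are assumptions), parses the access-list and crypto map lines, and reports two things. First, any two map entries whose ACLs would match the same flow: the PIX walks the map in sequence order and the first matching ACL picks the peer, so with the supernet ACL every packet for Router B's subnet is handed to Router A's peer. Second, any hub ACL that is not the exact mirror (source and destination swapped) of the ACL its spoke uses, which is what the proxy identities must agree on for the IPsec SA to come up.

```python
import ipaddress
from itertools import combinations


def _net(addr, mask):
    """Turn a PIX 'address mask' pair into an ip_network."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Parse the subset of PIX syntax used here:
    'access-list NAME permit ip SRC MASK DST MASK' and 'crypto map ...' lines.
    Returns (acls: name -> [(src, dst)], maps: (map, seq) -> {acl, peer})."""
    acls, maps = {}, {}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) >= 8 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append((_net(t[4], t[5]), _net(t[6], t[7])))
        elif t[:2] == ["crypto", "map"] and len(t) >= 7:
            entry = maps.setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["match", "address"]:
                entry["acl"] = t[6]
            elif t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
    return acls, maps


def overlapping_entries(acls, maps):
    """Pairs of map entries whose crypto ACLs both match some flow. Because the
    PIX uses the first matching entry, the later peer never sees that traffic."""
    found = set()
    for a, b in combinations(sorted(maps), 2):
        for sa, da in acls.get(maps[a].get("acl"), []):
            for sb, db in acls.get(maps[b].get("acl"), []):
                if sa.overlaps(sb) and da.overlaps(db):
                    found.add((a, b))
    return sorted(found)


def mirror_mismatches(hub_acls, hub_maps, spoke_acls):
    """Map entries whose hub ACL is not the exact mirror of the spoke's ACL.
    spoke_acls: peer IP -> [(src, dst)] as configured on that spoke (assumed)."""
    bad = []
    for key, entry in sorted(hub_maps.items()):
        hub = {(s, d) for s, d in hub_acls.get(entry.get("acl"), [])}
        mirrored_spoke = {(d, s) for s, d in spoke_acls.get(entry.get("peer"), [])}
        if hub != mirrored_spoke:
            bad.append((key, entry.get("peer")))
    return bad


# Constructed sample data. Peer IPs and map name come from the posted map;
# the hub LAN (10.1.1.0/24) and the spoke-side ACLs are assumptions.
PEER_A, PEER_B = "1.2.3.4", "1.3.4.2"
HUB_LAN = _net("10.1.1.0", "255.255.255.0")
SPOKE_ACLS = {
    PEER_A: [(_net("192.168.1.0", "255.255.255.0"), HUB_LAN)],  # Router A
    PEER_B: [(_net("192.168.2.0", "255.255.255.0"), HUB_LAN)],  # Router B
}

# The supernet ACL RJ tried: one ACL covering both remote subnets, used twice.
BROKEN_HUB = """\
access-list Pix permit ip 10.1.1.0 255.255.255.0 192.168.0.0 255.255.252.0
crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address Pix
crypto map WICmap 34 set peer 1.2.3.4
crypto map WICmap 34 set transform-set WICTransform
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address Pix
crypto map WICmap 136 set peer 1.3.4.2
crypto map WICmap 136 set transform-set WICTransform
"""

# One ACL per peer, each the mirror image of that spoke's ACL.
FIXED_HUB = """\
access-list ACL34 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ACL136 permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address ACL34
crypto map WICmap 34 set peer 1.2.3.4
crypto map WICmap 34 set transform-set WICTransform
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address ACL136
crypto map WICmap 136 set peer 1.3.4.2
crypto map WICmap 136 set transform-set WICTransform
"""


def audit(config_text):
    """Return (overlapping map entry pairs, mirror mismatches) for a hub config."""
    acls, maps = parse_config(config_text)
    return overlapping_entries(acls, maps), mirror_mismatches(acls, maps, SPOKE_ACLS)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_HUB), ("fixed", FIXED_HUB)):
        overlaps, mismatches = audit(cfg)
        print(f"{label}: overlaps={overlaps} mirror_mismatches={mismatches}")
```

For the broken config the script reports that entries 34 and 136 overlap and that neither hub ACL mirrors its spoke; for the fixed config both lists are empty. The same checks apply to IOS routers acting as the hub, since the first-match behaviour of crypto map sequences and the mirror-image requirement on crypto ACLs are the same there.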