2 VPN tunnels to a Central Pix

r-remien
Level 1

I have a working VPN tunnel between a remote site with a 1720 and at HQ with a 515 Pix. I am trying to establish another tunnel from another remote site with a 2620 to the same interface on the Pix. I used the config from the following URL as a base http://www.cisco.com/warp/public/110/pixhubspoke.html. I have been able to successfully create the tunnel from the new remote site by itself, but not both tunnels at the same time. I am running all the debug crypto commands on both the router and the Pix. It does not even look like it is trying to establish an ISAKMP SA. The only debug I have got from the 2620 at the remote site is CRYPTO_ENGINE key generation suspended and continued. Any ideas?

TIA,

RJ

3 Replies

ciscomoderator
Community Manager

Since there has been no response to your post, it appears to be either too complex or too rare an issue for other forum members to assist you. If you don't get a suitable response to your post, you may wish to review our resources at the online Technical Assistance Center (http://www.cisco.com/tac) or speak with a TAC engineer. You can open a TAC case online at http://www.cisco.com/tac/caseopen

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.

wiccisco
Level 1

On the 515 PIX you need a map set for each peer. That is not clear in the documentation. You can't just list peers. For example, below are sets 34 and 136. I don't know the limit of sets, but the documentation says we can have 2000 VPN tunnels.

crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address ACL34
crypto map WICmap 34 set peer 1.2.3.4
crypto map WICmap 34 set transform-set WICTransform
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address ACL136
crypto map WICmap 136 set peer 1.3.4.2
crypto map WICmap 136 set transform-set WICTransform

Thanks for your reply. My problem with my config is that I was using the same access-list for both destination tunnels in both sequences of my crypto map. Because I was using the same access-list for inbound traffic from both sites on the Pix, I thought you had to use the same access-list for outgoing traffic from the Pix. As an example I created a supernet on the Pix:

Central Pix = access-list Pix 192.168.0.0 255.255.252.0
Router A = access-list A 192.168.1.0 255.255.255.0
Router B = access-list B 192.168.2.0 255.255.255.0

So the subnet on the access-list on the Pix would cover both subnets on the remote routers. That will not work, so I changed to two different access-lists on the Pix.

Thanks,

RJ
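The two lessons in this thread, one crypto map entry per peer (wiccisco's reply) and a distinct, non-overlapping match-address ACL for each entry (RJ's supernet problem), can be checked mechanically before a configuration is pushed. The script below is an added example, not code from the thread or from Cisco. It parses constructed PIX 6.x-style fragments (the hub inside network 10.10.0.0/24, the peer addresses and the ACL names are assumed for illustration) and reports entries that reuse an ACL or whose proxy identities overlap with those of another entry.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configs (not the thread's real config). The hub's inside
# network is assumed to be 10.10.0.0/24; the spokes use 192.168.1.0/24 and
# 192.168.2.0/24 as in RJ's example.

# Broken: both crypto map entries share the supernet ACL "Pix".
BROKEN_CONFIG = """
access-list Pix permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.252.0
crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address Pix
crypto map WICmap 34 set peer 1.2.3.4
crypto map WICmap 34 set transform-set WICTransform
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address Pix
crypto map WICmap 136 set peer 1.3.4.2
crypto map WICmap 136 set transform-set WICTransform
"""

# Also broken: distinct ACLs, but ACL34 is still the /22 supernet that covers
# spoke B's /24, so traffic for spoke B matches entry 34 first.
SUPERNET_CONFIG = """
access-list ACL34 permit ip 10.10.0.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list ACL136 permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map WICmap 34 match address ACL34
crypto map WICmap 34 set peer 1.2.3.4
crypto map WICmap 136 match address ACL136
crypto map WICmap 136 set peer 1.3.4.2
"""

# Fixed: one entry per peer, each with its own non-overlapping ACL.
FIXED_CONFIG = """
access-list ACL34 permit ip 10.10.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ACL136 permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map WICmap 34 ipsec-isakmp
crypto map WICmap 34 match address ACL34
crypto map WICmap 34 set peer 1.2.3.4
crypto map WICmap 34 set transform-set WICTransform
crypto map WICmap 136 ipsec-isakmp
crypto map WICmap 136 match address ACL136
crypto map WICmap 136 set peer 1.3.4.2
crypto map WICmap 136 set transform-set WICTransform
"""

# PIX 6.x ACLs use subnet masks (not wildcard masks).
ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) (ipsec-isakmp|match address|set peer|set transform-set)\s*(\S*)$"
)


def parse(config):
    """Return ({acl_name: [(src_net, dst_net), ...]}, {(map, seq): {...}})."""
    acls = defaultdict(list)
    entries = defaultdict(dict)
    for raw in config.strip().splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, key, val = m.groups()
            entry = entries[(name, int(seq))]
            if key == "match address":
                entry["acl"] = val
            elif key == "set peer":
                entry.setdefault("peers", []).append(val)
    return acls, entries


def check(config):
    """Lint the crypto map entries; return a list of findings (empty = clean)."""
    acls, entries = parse(config)
    items = sorted(entries.items())  # PIX evaluates entries lowest sequence first
    findings = []
    first_use = {}  # ACL name -> label of the first entry that uses it
    for (map_name, seq), e in items:
        label = f"{map_name} {seq}"
        acl = e.get("acl")
        if acl is None:
            findings.append(f"{label}: no 'match address'")
            continue
        if acl not in acls:
            findings.append(f"{label}: ACL {acl} is not defined")
            continue
        if not e.get("peers"):
            findings.append(f"{label}: no 'set peer'")
        if acl in first_use:
            findings.append(f"{label}: ACL {acl} already used by {first_use[acl]}")
        else:
            first_use[acl] = label
    # Distinct ACLs whose src/dst pairs overlap: the lower-sequence entry wins
    # for the shared traffic, so the higher entry's peer never sees it.
    for i, ((m1, s1), e1) in enumerate(items):
        for (m2, s2), e2 in items[i + 1:]:
            a1, a2 = e1.get("acl"), e2.get("acl")
            if a1 is None or a2 is None or a1 == a2 or a1 not in acls or a2 not in acls:
                continue
            for src1, dst1 in acls[a1]:
                for src2, dst2 in acls[a2]:
                    if src1.overlaps(src2) and dst1.overlaps(dst2):
                        findings.append(f"{m2} {s2}: ACL {a2} overlaps ACL {a1} ({m1} {s1}): "
                                        f"{src1}->{dst1} vs {src2}->{dst2}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("supernet", SUPERNET_CONFIG), ("fixed", FIXED_CONFIG)):
        result = check(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Running it reports the shared ACL for the first fragment, the /22-versus-/24 overlap for the second, and nothing for the corrected one. The overlap pass is the check RJ's supernet would have failed even after splitting it into two differently named ACLs, which is why each entry's ACL should describe exactly the traffic for that one peer.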