
Branch-to-branch VPN

ddidpm506
Level 1

I'm trying to set up a branch office VPN. I'm using a PIX-506e, my peer is a PIX-515. I've attached my (sanitized) configuration, and there's an equivalent one in the 515.

Network setup:

BO1 Inside: 192.168.0.0

BO2 Inside: 130.45.14.0

We cannot establish a Security Association. We can, of course, ping each other's outside addresses.

Two initial questions:

1. Can someone see anything obviously wrong?

2. The command "clear isakmp sa" breaks any existing SAs; is there a command that forces one PIX to attempt to form an SA with its peer?

Thanks in advance,

dpm

3 Replies

acomiskey
Level 10

First of all, you do not need to have both of these statements in one PIX.

access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

You should have the first in BO2 and the next in BO1.

It is also recommended and good form to use separate ACLs to define this traffic and the traffic defined by your nat (inside) 0 statement, even though it is the same. So I would change it to

BO2

nat (inside) 0 access-list cleanVPN_nat0

access-list cleanVPN permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list cleanVPN_nat0 permit ip 130.45.14.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto map cleanVPNmap 88 match address cleanVPN

BO1

nat (inside) 0 access-list cleanVPN_nat0

access-list cleanVPN permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

access-list cleanVPN_nat0 permit ip 192.168.0.0 255.255.255.0 130.45.14.0 255.255.255.0

crypto map cleanVPNmap 88 match address cleanVPN

Let me know how that goes.

Thanks, I appreciate your help.

One question though: I think my problem is that the PIXs are not/cannot form an SA. I can see how the change you suggested would affect routing traffic through the tunnel once formed, but my problem is that I can't get a tunnel formed at all.

Is there a command to force one PIX to form an SA with a peer?

Thanks,

Dean

No, you must initiate traffic which matches the traffic defined in your crypto ACLs.

Try this and ensure it is the same on both ends:

no isakmp identity hostname

isakmp identity address