cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
377
Views
3
Helpful
4
Replies

Hub and Spoke Site to Site VPN error

brianj
Level 1
Level 1

I have configured a site to site vpn using a hub and spoke topology with 4 sites. A tunnel is succesfully established between the hub and each of the hub sites individually. The problem is I receive the following error message when the second tunnel is established. IPSEC validate_transform_proposal):

peer address 24.x.x.114 not found.

It seems as though the tunnel establishes fine though.

Site A:

access-list 120 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

access-list 130 permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list 140 permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0

access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0

access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list 100 permit ip 10.0.1.0 255.255.255.0 10.0.4.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec

crypto ipsec transform-set strong esp-des esp-sha-hmac

crypto map advtax 20 ipsec-isakmp

crypto map advtax 20 match address 120

crypto map advtax 20 set peer 70.178.bbb.bbb

crypto map advtax 20 set transform-set strong

crypto ipsec transform-set strong esp-des esp-sha-hmac

crypto map advtax 30 ipsec-isakmp

crypto map advtax 30 match address 130

crypto map advtax 30 set peer 24.153.ccc.ccc

crypto map advtax 30 set transform-set strong

crypto ipsec transform-set strong esp-des esp-sha-hmac

crypto map advtax 40 ipsec-isakmp

crypto map advtax 40 match address 140

crypto map advtax 40 set peer 24.153.ddd.ddd

crypto map advtax 40 set transform-set strong

crypto map advtax interface outside

isakmp enable outside

isakmp key xxxxx address 70.178.bbb.bbb netmask 255.255.255.255

isakmp key xxxxx address 24.153.ccc.ccc netmask 255.255.255.255

isakmp key xxxxx address 24.153.ddd.ddd netmask 255.255.255.255

isakmp identity address

isakmp nat-traversal 20

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash sha

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

Site B:

access-list 110 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

access-list 100 permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0

nat (inside) 0 access-list 100

sysopt connection permit-ipsec

management-access inside

crypto ipsec transform-set strong esp-des esp-sha-hmac

crypto map advtax 10 ipsec-isakmp

crypto map advtax 10 match address 110

crypto map advtax 10 set peer 24.153.aaa.aaa

crypto map advtax 10 set transform-set strong

crypto map advtax interface outside

isakmp enable outside

isakmp key xxxxx address 24.153.aaa.aaa netmask 255.255.255.255

isakmp identity address

isakmp nat-traversal 20

isakmp policy 8 authentication pre-share

isakmp policy 8 encryption des

isakmp policy 8 hash sha

isakmp policy 8 group 1

isakmp policy 8 lifetime 86400

Sites C and D are the same as "B" with the exception of the access-lists.

Thanks,

Brian

4 Replies 4

Richard Burts
Hall of Fame
Hall of Fame

Brian

In your attempt to maintain security you have masked parts of the IP addresses. Unfortunately you have done this in an inconsistent way: In the error message you have included the first and fourth octets and masked the second and third. In the configuration excerpts you have given the first and second octets and masked the third and fourth.

This makes it very difficult to analyze what is going on. You need to find a way to give us better information. Also if you could be more specific about the error and about whether all of the tunnels do successfully communicate.

HTH

Rick

HTH

Rick

Rick,

Thanks for the reply. Sorry about the error in the initial post. I was able to work everything out. To be honest, this was the first multi site vpn I had configured and was doing so remotely. I learned that I was actually chasing my tail due to trying to test the tunnels from a ssh session from each pix. Testing certainly would have been easier from the central site inside network rather than remotely. Anyway, I was able to get the 4 site hub and spoke vpn configured and the main site configured to accept pptp sessions as well.

The only question that still remains is can I have a user establish a pptp session to site A (site A has been configured to accept and establish connections to the spoke sites, which tested successfully) and get to the spoke sites through that pptp session via site A?

If I understood what I last read correctly it should not be possible. It said this wasn't possible because the pix doesn't allow gre packets destined for a different network to exit an interface it originally received the packet on.

Could you shed some light on that?

Thanks for the help,

Brian

Brian

I am glad that you got it to work.

It is my understanding and my somewhat limited experience with PIX (most of my IPSec experience has been with the 3000 series concentrators and with IOS based routers) that the PIX will not allow packets that arrived on one tunnel to be sent back out another tunnel on the same physical interface. This is true through current versions of PIX code. I have heard some discussion that Cisco may change that is some future version of code.

For right now this restriction is one of the "features" of the PIX architecture.

HTH

Rick

HTH

Rick

Rick,

Thanks for the information and your time.

Brian