mesh vpn

cfajardo1_2 · ‎05-29-2006

i have an existing 3 sites VPN using pix firewall.

A - Hub

B and C - are spokes

All 3 sites (A, B, C) have public IPs.

Present scenario - B and C could tunnel to A.

Now, the customer wanted B to communicate with C and vice versa.

Ive tried creating a tunnel directly from B to C but it fails, and look like theres a looping going on. I could see on the SH IPSEC SA on B that the ipsec peer is changing between the public IP of A and C.

Any suggestion how to achieve my customers goal?

Thanks.

Fernando_Meza · ‎05-29-2006

Yes .. this is definetely possible but you need to make the access-list applied to the crypto maps are not overlapping ... In other words make sure that the IPsec tunnel from spoke one to hub DOES not also include the IP addresses that belong to spoke 2.

So you will need one crypto map with 2 policy numbers ( one to the hub, the other one to the spoke 2) ..

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer

crypto map outside_map 20 set transform-set AWU_Transform

crypto map outside_map 40 ipsec-isakmp

crypto map outside_map 40 match address outside_cryptomap_40

crypto map outside_map 40 set pfs group2

crypto map outside_map 40 set peer

crypto map outside_map 40 set transform-set AWU_Transform

The outside_cryptomap_20 and outside_cryptomap_40 define the traffic to be encrypted and the peer to use.

I hope it helps ... please rate it if it does !!!