10-15-2013 06:15 AM
I have already configured a multi-site VPN in my Packet Tracer, and always only one site can connect successfully while the other site cannot continue. Here is the result from isakmp sa:
IPv4 Crypto ISAKMP SA
dst             src             state         conn-id  slot  status
212.76.68.1     172.21.6.1      MM_SA_SETUP   0        0     ACTIVE
109.63.62.1     172.21.6.1      QM_IDLE       1050     0     ACTIVE
>>>>> configuration of my Main Office Router
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
!
crypto isakmp key cisco address 79.95.25.1
crypto isakmp key cisco address 109.63.62.1
crypto isakmp key cisco address 212.76.68.1
!
!
crypto ipsec transform-set VPN_Trans esp-aes esp-sha-hmac
!
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set peer 212.76.68.1
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
 ip address 172.20.21.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.21.6.1 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
 crypto map VPN_Map
!
interface Vlan1
 no ip address
 shutdown
!
router rip
!
ip nat inside source list NAT1 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip access-list extended NAT_Group
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT1
 deny ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 deny ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended NAT
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended NAT2
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
!
no cdp run
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
!
!
end
10-15-2013 09:19 AM
When you have multiple peers in the same crypto map entry, they act as backups for each other; if one answers and establishes an SA, the router doesn't try the others...
Each site-to-site should have its own crypto map entry:
crypto map VPN_Map 1 ipsec-isakmp
crypto map VPN_Map 2 ipsec-isakmp...
Patrick
10-15-2013 08:30 PM
Dear Mr. Patrick,
Thank you for your reply.
So you advise that for the Core Office I must have a separate crypto map for each site, like the sample below?
crypto map VPN_Map 1 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 2 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address NAT_Group
crypto map VPN_Map 3 ipsec-isakmp
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address NAT_Group
10-16-2013 06:56 AM
Same crypto map, different entries, yes.
You can only apply 1 crypto map per interface...
You need a different access-list for each entry also.
Example: core = 10.1.1.0/24
site 1 = 10.1.31.0/24
site 2 = 10.1.32.0/24
acl VPN1 permit 10.1.1.0/24 10.1.31.0/24, applied to the corresponding map entry
acl VPN2 permit 10.1.1.0/24 10.1.32.0/24, applied to the other map entry...
Patrick
10-16-2013 06:59 AM
Okay, I will create a separate ACL for each map entry... but my only problem is I am only using 1 interface for WAN in my core office....
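Putting Patrick's advice together on the poster's own addresses, as an added example (not taken from the thread or from Cisco's documentation): one crypto map with three entries, each with a single peer and its own crypto ACL, all applied to the one WAN interface, which is exactly how a single-WAN core terminates several sites. Which peer owns which remote LAN is never stated in the thread, so the pairing below is an assumption to be adjusted to the real topology.

```cisco
! Added example, not the original poster's config.
! ASSUMPTION: peer-to-LAN pairing (79.95.25.1 <-> 192.168.0.0/24, etc.)
! is invented for illustration; check it against the real site layout.
!
! One crypto ACL per site, so each map entry matches only that site's traffic
ip access-list extended VPN_SITE1
 permit ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended VPN_SITE2
 permit ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
ip access-list extended VPN_SITE3
 permit ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT exemption stays one list: deny every VPN pair first, then PAT only
! the inside LAN (tighter than "permit ip any any")
ip access-list extended NAT1
 deny   ip 172.20.21.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 172.20.21.0 0.0.0.255 10.72.139.0 0.0.0.255
 deny   ip 172.20.21.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.20.21.0 0.0.0.255 any
!
! Same map name, distinct sequence numbers, exactly one peer per entry.
! A second "set peer" in the same entry would only be a backup peer.
crypto map VPN_Map 10 ipsec-isakmp
 set peer 79.95.25.1
 set transform-set VPN_Trans
 match address VPN_SITE1
crypto map VPN_Map 20 ipsec-isakmp
 set peer 212.76.68.1
 set transform-set VPN_Trans
 match address VPN_SITE2
crypto map VPN_Map 30 ipsec-isakmp
 set peer 109.63.62.1
 set transform-set VPN_Trans
 match address VPN_SITE3
!
! The single WAN interface carries the whole map; all three entries ride on it
interface FastEthernet0/1
 ip address 172.21.6.1 255.255.255.252
 ip nat outside
 crypto map VPN_Map
```

After applying it, "show crypto isakmp sa" should list a QM_IDLE entry for each peer that has a site router sending interesting traffic, rather than one QM_IDLE and the rest stuck in MM_SA_SETUP.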