01-11-2007 06:33 AM
I have this schema:
CompanyA: inIP 192.168.2.0, exIP aaa.bbb.107.96
CompanyB: inIP 192.168.1.0, exIP xxx.yyy.97.34/28
I need to configure a site-to-site VPN between them but something is wrong. I'll appreciate any help. The VPN for remote users works fine. Thanks
CompanyB:
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list CompanyC permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside xxx.yyy.97.34 255.255.255.240
ip address inside 192.168.1.5 255.255.255.0
ip local pool clientpool 192.168.6.210-192.168.6.220
global (outside) 1 xxx.yyy.97.43
nat (inside) 0 access-list bypassingnat
nat (inside) 1 172.16.100.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.97.33 1
route inside 172.16.100.0 255.255.255.0 192.168.1.1 1
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp
crypto map newmap 20 match address CompanyC
crypto map newmap 20 set peer xxx.yyy.97.50
crypto map newmap 20 set transform-set myset
crypto map newmap 25 ipsec-isakmp
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
crypto map newmap 25 set transform-set myset
crypto map newmap 30 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 14400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 14400
vpngroup CHerndon address-pool clientpool
...
CompanyA:
access-list vpnacl permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside aaa.bbb.107.96 255.255.252.0
ip address inside 192.168.2.2 255.255.255.0
ip local pool clientpool 10.1.1.10-10.1.1.36
global (outside) 1 aaa.bbb.107.103 netmask 255.255.255.0
nat (inside) 0 access-list bypassingnat
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
access-group out_inside in interface outside
access-group in_out in interface inside
route outside 0.0.0.0 0.0.0.0 aaa.bbb.104.1 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
crypto map vpngroup client authentication TACACS+
isakmp enable outside
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup svinzant address-pool clientpool
...
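A quick consistency check over the two configs above, added here as an example and not part of the original post: it parses the lines that must agree between the two PIXes (crypto ACL mirrored on the far side, same flows exempted by nat 0, a crypto map entry and an isakmp key for the peer's outside address) and reports what does not line up. The excerpts are constructed from the posted configs with the redacted addresses kept as written; the dictionary layout and function names are this example's own.

```python
# Constructed excerpts of the two configs posted above; only the lines that must agree between peers.
COMPANY_A = """\
access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list bypassingnat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside aaa.bbb.107.96 255.255.252.0
nat (inside) 0 access-list bypassingnat
crypto map newmap 10 match address CompanyB
crypto map newmap 10 set peer xxx.yyy.97.34
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
"""
COMPANY_B = """\
access-list CompanyA permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list bypassingnat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside xxx.yyy.97.34 255.255.255.240
nat (inside) 0 access-list bypassingnat
crypto map newmap 25 match address CompanyA
crypto map newmap 25 set peer aaa.bbb.107.96
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255
"""

def parse_pix(text):
    """Collect ACLs, the nat 0 ACL, the outside address, key peers and crypto map entries."""
    cfg = {"acls": {}, "maps": {}, "keys": set(), "outside": None, "nat0": None}
    for w in (line.split() for line in text.splitlines()):
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            cfg["acls"].setdefault(w[1], []).append(((w[4], w[5]), (w[6], w[7])))
        elif w[:3] == ["ip", "address", "outside"]:
            cfg["outside"] = w[3]
        elif w[:4] == ["nat", "(inside)", "0", "access-list"]:
            cfg["nat0"] = w[4]
        elif w[:2] == ["isakmp", "key"] and w[3:4] == ["address"]:
            cfg["keys"].add(w[4])
        elif w[:2] == ["crypto", "map"] and w[4:5] in (["match"], ["set"]):
            cfg["maps"].setdefault((w[2], w[3]), {})[w[5]] = w[6]  # "address" -> ACL, "peer" -> IP
    return cfg

def check_peer_pair(local, remote):
    """Problems in local's site-to-site entry towards remote; an empty list means consistent."""
    mine = next((e for e in local["maps"].values() if e.get("peer") == remote["outside"]), {})
    theirs = next((e for e in remote["maps"].values() if e.get("peer") == local["outside"]), {})
    problems = [] if mine else [f"no crypto map entry peers with {remote['outside']}"]
    if remote["outside"] not in local["keys"]:
        problems.append(f"no isakmp key for peer {remote['outside']}")
    mirrored = {(dst, src) for src, dst in remote["acls"].get(theirs.get("address"), [])}
    for ace in local["acls"].get(mine.get("address"), []):
        if ace not in mirrored:
            problems.append(f"crypto ACE {ace} has no mirror on the remote peer")
        if ace not in local["acls"].get(local["nat0"], []):
            problems.append(f"crypto ACE {ace} is not exempted from NAT")
    return problems
```

Run against the posted excerpts both directions come back clean, which is consistent with the thread's later observation that the crypto ACLs are counting hits on both sides; the check catches the usual mismatches (non-mirrored ACE, missing nat 0 entry, missing key) when a config is edited.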
01-11-2007 10:24 AM
Hi,
This is seen really often when having remote clients and site-to-site on the same machine.
Add the following keywords to the site-to-site keys:
isakmp key ******** address xxx.yyy.97.50 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address aaa.bbb.107.96 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255 no-xauth no-config-mode
That should do it.
Please rate if this helped.
Regards,
Daniel
01-12-2007 06:17 AM
I tried this but unfortunately it doesn't help.
We also have CompanyC connected with CompanyB over VPN and everything is smooth between these two sites. The problem is just between A and B.
I'll post the Company C config if this helps:
CompanyC:
access-list acl_outside permit icmp any any echo-reply
access-list acl_inside permit ip any any
access-list 101 permit ip 192.168.11.0 255.255.255.0 10.10.8.16 255.255.255.240
access-list 103 permit ip 192.168.10.0 255.255.255.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.16 255.255.255.240
access-list 100 permit ip 192.168.0.0 255.255.0.0 10.10.8.32 255.255.255.240
access-list 100 permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CompanyB permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
ip address outside xxx.yyy.97.50 255.255.255.248
ip address inside 10.10.8.1 255.255.255.0
ip local pool eespool 10.10.8.17-10.10.8.30
ip local pool localpool 10.10.8.33-10.10.8.46
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 192.168.10.0 255.255.255.0 0 0
nat (inside) 1 192.168.11.0 255.255.255.0 0 0
static (inside,outside) xxx.yyy.97.53 192.168.10.20 netmask 255.255.255.255 0 0
access-group acl_outside in interface outside
access-group acl_inside in interface inside
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
route inside 192.168.10.0 255.255.255.0 10.10.8.2 1
route inside 192.168.11.0 255.255.255.0 10.10.8.2 1
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set des esp-des esp-md5-hmac
crypto dynamic-map cisco 4 set transform-set des
crypto map partner-map 15 ipsec-isakmp
crypto map partner-map 15 match address CompanyB
crypto map partner-map 15 set peer xxx.yyy.97.34
crypto map partner-map 15 set transform-set myset
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp key ******** address xxx.yyy.97.34 netmask 255.255.255.255
isakmp identity address
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 28800
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup eeshome address-pool eespool
vpngroup eeshome dns-server 12.127.16.68
vpngroup eeshome wins-server 192.168.10.20
vpngroup eeshome default-domain CompanyB.com
vpngroup eeshome split-tunnel 101
vpngroup eeshome idle-time 1800
vpngroup eeshome password ********
01-13-2007 08:23 AM
Hi,
GOT IT :)
On Company A PIX add:
isakmp identity address
Please rate if this helped.
Regards,
Daniel
01-15-2007 06:46 AM
Daniel, thank you for trying to help.
I applied on CompanyA
isakmp identity address
but it doesn't work. Later I applied this command to Company B, but it doesn't work either. In the meantime the VPN between CompB and CompC still works fine.
When I check CompanyA:
>access-list CompanyB permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=7723)
The high hit count shows that traffic is certainly getting from A to B.
The same ACL on B shows an increasing hit counter:
> access-list CompanyA line 1 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=424)
But, there is no QM_IDLE SA except for remote clients.
CompanyA(config)# show crypto is sa
Total : 5
Embryonic : 0
dst src state pending created
aaa.bbb.107.96 z.91.123.251 QM_IDLE 0 3
aaa.bbb.107.96 z.50.251.29 QM_IDLE 0 1
aaa.bbb.107.96 z.29.214.98 QM_IDLE 0 1
aaa.bbb.107.96 z.206.185.20 QM_IDLE 0 1
aaa.bbb.107.96 z.119.155.42 QM_IDLE 0 1
Hope this will help with something.
Thanks,