01-12-2006 01:24 PM
I have 2 remote sites, 1 with a static ip and 1 with a dynamic ip, they connect to a central site which has a PIX 501. I was able to get 2 ipsec tunnels working fine for a while but just now my client wants the ability to have workers use the vpnclient to connect to the PIX as well. The problem I'm having is after adding the vpngroup config my site with the dynamic ip can no longer connect. I had to use the current ip they have now and setup an additional peer in the crypto map, but if that ip changes I have to go in and change the config.
Here is the relevant info in the config:
access-list ipsec permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ipsec2 permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer <static_site>
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp
crypto map oadcmap 22 match address ipsec2
crypto map oadcmap 22 set peer <dynamic_site>
crypto map oadcmap 22 set transform-set oadcset
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
crypto map oadcmap interface outside
isakmp enable outside
isakmp key ******** address <static_site> netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address <dynamic_site> netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800
vpngroup oadcgroup address-pool oadcclient
vpngroup oadcgroup dns-server 192.168.100.3
vpngroup oadcgroup default-domain clientdomain.com
vpngroup oadcgroup idle-time 1800
vpngroup oadcgroup password ********
Any help is appreciated,
Ken
01-13-2006 06:57 AM
Ken
Run debug crypto isakmp sa and debug crypto ipsec sa and see what the error messages are. These commands will help you a great deal in troubleshooting IPsec tunnels.
Raj
01-13-2006 07:28 AM
sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap1 30 set transform-set oadcset
crypto dynamic-map oadcdynmap1 30 match address ipsec2
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
Try this and see if it helps. I have something similar on a router; not sure if the PIX supports it. Worth a try, though.
01-13-2006 08:45 AM
That looks pretty good attrgautam. I'll give it a try tonight when they are off. As far as the isakmp key, I'll change it to:
isakmp key ***** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
Thanks
01-16-2006 06:41 AM
Asking out of curiosity, did it work? Honestly, I didn't expect it to.
01-16-2006 04:43 PM
Hi,
No I just tried it tonight and it didn't work out. Seems like you can't have two dynamic maps. After I removed crypto map oadcmap 22 I then did the following:
(config)#crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1
Invalid dynamic map tag specified
ERROR: Unable to initialized crypto map entry
Still looking for a solution though.
Thanks for your help, it looked good on paper.
01-16-2006 10:29 PM
crypto dynamic-map oadcdynmap1 30 set transform-set oadcset
crypto dynamic-map oadcdynmap1 30 match address ipsec2
Did you add these as well?
01-17-2006 07:55 AM
No, I tried adding the other line first. Maybe I'll try again, but add those 2 lines first, then the
#crypto map oadcmap 22 ipsec-isakmp dynamic oadcdynmap1
next.
Thanks again for the help.
01-18-2006 06:47 AM
That did the trick, thanks attrgautam! Here is the relevant config info that worked:
access-list ipsec permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
access-list nonat permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list ipsec2 permit ip 192.168.100.0 255.255.255.0 192.168.125.0 255.255.255.0
sysopt connection permit-ipsec
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto dynamic-map oadchope 30 match address ipsec2
crypto dynamic-map oadchope 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer
crypto map oadcmap 21 set transform-set oadcset
crypto map oadcmap 22 ipsec-isakmp dynamic oadchope
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
crypto map oadcmap interface outside
isakmp enable outside
isakmp key ******** address
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp policy 21 authentication pre-share
isakmp policy 21 encryption des
isakmp policy 21 hash md5
isakmp policy 21 group 2
isakmp policy 21 lifetime 28800
vpngroup oadcgroup address-pool oadcclient
vpngroup oadcgroup dns-server 192.168.100.3
vpngroup oadcgroup default-domain mydomain.com
vpngroup oadcgroup split-tunnel nonat
vpngroup oadcgroup idle-time 1800
vpngroup oadcgroup password ********
This config allowed the site with the dynamic ip and the site with the static ip to connect, as well as remote vpnclient users to create tunnels.
Thanks Again,
Ken
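As an added example (not from the thread or from Cisco), a small Python linter that checks a PIX 6.x crypto-map config for the things this thread ran into: a crypto map entry that references a dynamic-map tag that is never defined (the "Invalid dynamic map tag specified" error), a catch-all dynamic map sequenced ahead of the ACL-matched one, and the wildcard 0.0.0.0 pre-shared key and DES/MD5 transform set that a reviewer would flag. The sample config is constructed from Ken's working config above; the peer address 203.0.113.10 and the key are placeholders.

```python
import re
from typing import List

# Constructed sample based on the working config in the thread; peer address and key are placeholders.
SAMPLE_CONFIG = """
crypto ipsec transform-set oadcset esp-des esp-md5-hmac
crypto dynamic-map oadcdynmap 30 set transform-set oadcset
crypto dynamic-map oadchope 30 match address ipsec2
crypto dynamic-map oadchope 30 set transform-set oadcset
crypto map oadcmap 21 ipsec-isakmp
crypto map oadcmap 21 match address ipsec
crypto map oadcmap 21 set peer 203.0.113.10
crypto map oadcmap 22 ipsec-isakmp dynamic oadchope
crypto map oadcmap 25 ipsec-isakmp dynamic oadcdynmap
isakmp key PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key PLACEHOLDER address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
"""

def lint_crypto_config(text: str) -> List[str]:
    """Return findings on dynamic-map tags/ordering and on weak key/cipher settings."""
    findings: List[str] = []
    defined = set()   # dynamic-map names that have at least one definition line
    with_acl = set()  # dynamic-map names that carry a 'match address' ACL
    dyn_refs = []     # (sequence, dynamic-map name) referenced from the crypto map
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto dynamic-map (\S+) \d+ (.*)", line)
        if m:
            defined.add(m.group(1))
            if m.group(2).startswith("match address"):
                with_acl.add(m.group(1))
        m = re.match(r"crypto map \S+ (\d+) ipsec-isakmp dynamic (\S+)", line)
        if m:
            dyn_refs.append((int(m.group(1)), m.group(2)))
        if re.match(r"isakmp key \S+ address 0\.0\.0\.0 netmask 0\.0\.0\.0", line):
            findings.append("wildcard pre-shared key (0.0.0.0/0): any peer holding the key can complete phase 1")
        if re.match(r"crypto ipsec transform-set", line) and re.search(r"\besp-des\b|\besp-md5-hmac\b", line):
            findings.append("transform-set uses DES/MD5: prefer esp-3des or esp-aes with esp-sha-hmac")
    # A 'crypto map ... dynamic TAG' line is rejected unless TAG already exists (the thread's error).
    for seq, name in dyn_refs:
        if name not in defined:
            findings.append(f"crypto map seq {seq} references undefined dynamic-map '{name}'")
    # Entries are tried in sequence order, so the ACL-specific dynamic map must precede the catch-all.
    catchall = [s for s, n in dyn_refs if n in defined and n not in with_acl]
    specific = [s for s, n in dyn_refs if n in with_acl]
    if catchall and specific and min(catchall) < max(specific):
        findings.append(f"catch-all dynamic map seq {min(catchall)} precedes ACL-matched dynamic map seq {max(specific)}")
    return findings
```

Run against SAMPLE_CONFIG it reports only the wildcard key and the DES/MD5 transform set; swap the 22/25 sequence numbers or reference a tag that is not defined and the ordering and tag findings appear.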