sasecool
asked on
multiple pix vpn's
So, in order to have multiple tunnels I normally just set up a crypto map mapname ... with all the necessary statements, and for each tunnel on the map I add a 10, 20, 30 or whatever...
The problem is that whenever I add a new tunnel, in the process of doing so, the firewall locks me out (I'm going in through SSH). The only way I can remedy this problem is by shutting down all the tunnels, adding the full tunnel, and then going ahead with it.
Why is this happening? It seems retarded that I would have to shut everything down this way...
My question is: could it be because I need to put my crypto map mapname 20 match address access-list ... first?
The last time this happened was when I was adding the first statement for the additional tunnel, crypto map mapname 20 ipsec-isakmp... Is it just negotiating everything as a tunnel and that's what is f'ing it up?
Can I just change the order of my commands? Do I have to create a brand new crypto map every time, or what do I do to eliminate downtime?
Thanks.
Also, before you reapply the new crypto map to the interface, enter these commands:
clear crypto isakmp sa
clear crypto ipsec sa
ASKER
But that still will kill the VPN tunnel. That is precisely what I have been doing.
periferral did not add anything that was not already suggested, nor was his/her comment related in any way to the original question.
lrmoore, your answers were accurate but unclear. You suggested https and multi-line but didn't suggest how. I don't see how my answer does not relate to the question.
Anyway, I will leave it to sasecool to decide on points. I will respect his decision.
pix(config)#no crypto map CRYMAP interface outside
Add new crypto map entries:
access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0
crypto map CRYMAP 40 ipsec-isakmp
crypto map CRYMAP 40 match address outside_cryptomap_40
crypto map CRYMAP 40 set peer A.B.C.D
crypto map CRYMAP 40 set transform-set ESP-3DES-SHA
Re-apply the map:
crypto map CRYMAP interface outside
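As an added check (example code written for this page, not from the thread or from Cisco), the script below parses PIX-style config text and flags crypto map entries that are bound to an interface while still missing match address, set peer or set transform-set, which is the half-built state the asker hit while typing entry 20 line by line. The sample config, the peer addresses and the map name CRYMAP are constructed for the example.

```python
import re

# Constructed sample PIX config (not from the thread): entry 20 is complete,
# entry 40 has only "ipsec-isakmp" and "set peer" so far, and the map is applied.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_20 permit ip 192.168.123.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_cryptomap_40 permit ip 192.168.123.0 255.255.255.0 192.168.22.0 255.255.255.0
crypto map CRYMAP 20 ipsec-isakmp
crypto map CRYMAP 20 match address outside_cryptomap_20
crypto map CRYMAP 20 set peer 203.0.113.5
crypto map CRYMAP 20 set transform-set ESP-3DES-SHA
crypto map CRYMAP 40 ipsec-isakmp
crypto map CRYMAP 40 set peer 203.0.113.9
crypto map CRYMAP interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (?:ipsec-isakmp|match address (\S+)|set peer (\S+)|set transform-set (\S+))$")
IFACE_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
REQUIRED = ("match_address", "peer", "transform_set")  # fields every entry needs before the map goes live

def parse_crypto_maps(config):
    """Return ({(map, seq): fields}, {map: interface}, {acl names}) from config text."""
    entries, applied, acls = {}, {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := IFACE_RE.match(line):
            applied[m.group(1)] = m.group(2)
        elif m := ENTRY_RE.match(line):
            fields = entries.setdefault((m.group(1), int(m.group(2))), {})
            # groups 3..5 hold the ACL name, peer and transform-set; only one is set per line
            for name, value in zip(REQUIRED, m.groups()[2:]):
                if value:
                    fields[name] = value
    return entries, applied, acls

def find_incomplete_entries(config):
    """List (map, seq, missing) for entries bound to an interface but not fully defined."""
    entries, applied, acls = parse_crypto_maps(config)
    problems = []
    for (name, seq), fields in sorted(entries.items()):
        missing = [f for f in REQUIRED if f not in fields]
        acl = fields.get("match_address")
        if acl and acl not in acls:  # referenced ACL must exist too
            missing.append("acl " + acl + " undefined")
        if missing and name in applied:
            problems.append((name, seq, missing))
    return problems
```

Run it over a `show run` capture before the `crypto map CRYMAP interface outside` step; an empty result means every sequence entry of the applied map is complete.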