Solved

Can multiple vpn connections on a cisco pix have individual pre-shared keys?

Posted on 2009-05-11
Last Modified: 2012-08-13
I have a cisco pix 506 at our corp office and a pix 501e at one of our remote sites. Is the pre-shared key for the vpn connections defined system-wide or can you use a different key for each site? I can't get the vpn up at the new location. I configured a different site only a few months ago and did not run into these problems. Here is the pertinent part of the config for both routers. Any help would be greatly appreciated.

Corp Pix:
pdm location 192.168.16.0 255.255.255.0 outside (remote subnet)

crypto map to_remotes 90 ipsec-isakmp
crypto map to_remotes 90 match address remotesite
crypto map to_remotes 90 set peer xxx.xxx.xxx.xxx (xxx=remote ip)
crypto map to_remotes 90 set transform-set strong
isakmp key ******** address xxx.xxx.xxx.xxx netmask 255.255.255.255

isakmp keepalive 10 5
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400


remote pix:
pdm location 192.168.1.0 255.255.255.0 outside (corp subnet)

crypto map corpsite 90 ipsec-isakmp
crypto map corpsite 90 match address 150
crypto map corpsite 90 set peer xxx.xxx.xxx.xxx (ip of corp pix)
crypto map corpsite 90 set transform-set strong
crypto map corpsite interface outside

isakmp key wathen address xxx.xxx.xxx.xxx netmask 255.255.255.255 (corp pix)
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400

Could the pre-shared key be hanging me up? I know the keys for these two sites are matching on both ends, but I don't think they are the password that was being used for the other locations.
Question by: J C

Accepted Solution by: Don S. (ID: 24359292)
Each unique match on the crypto-map access list can (and probably should) have its own unique pre-shared key. Check your access lists - "remotesite" in the first one and "150" in the second one.
Author Comment by: J C (ID: 24360458)
Can someone give me an example config of what is needed to create this tunnel? I have done it before but I must be missing something. The access lists are fine, I did check that. Does it care about the number of characters in the key?
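The thread ends without the example config the asker requested. What follows is an added example, not code from the original thread or from either poster: two constructed PIX 6.x fragments for one site-to-site tunnel (the corp side carries a second, pre-existing remote site so the per-peer key point from the accepted answer is visible), plus a small checker that parses both ends and reports the things that keep Phase 1 from completing: a crypto map that is not applied to an interface, ISAKMP not enabled on that interface, a peer with no `isakmp key` line, or a key that differs between the two ends. All addresses are RFC 5737 documentation ranges, all key strings are made up, and the regexes assume the single-line `crypto map <name> <seq> set peer <ip>` form shown in the posted configs.

```python
"""
Added example, not code from the original thread: two constructed PIX 6.x
configuration fragments for one site-to-site tunnel, plus a checker that pulls
the per-peer ISAKMP keys and crypto-map peers out of each side and reports the
mismatches that stop Phase 1 from completing. Addresses are RFC 5737
documentation ranges and every key is made up.
"""
import re

CORP_IP = "192.0.2.1"         # constructed: corp PIX outside address
REMOTE_IP = "203.0.113.10"    # constructed: new remote PIX outside address
OTHER_IP = "198.51.100.20"    # constructed: a second, pre-existing remote site

# Corp side. The pre-shared key is bound to the peer address in the
# "isakmp key" line, so each remote site gets its own key on the same PIX.
CORP_CONFIG = f"""\
access-list remotesite permit ip 192.168.1.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list othersite permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map to_remotes 80 ipsec-isakmp
crypto map to_remotes 80 match address othersite
crypto map to_remotes 80 set peer {OTHER_IP}
crypto map to_remotes 80 set transform-set strong
crypto map to_remotes 90 ipsec-isakmp
crypto map to_remotes 90 match address remotesite
crypto map to_remotes 90 set peer {REMOTE_IP}
crypto map to_remotes 90 set transform-set strong
crypto map to_remotes interface outside
isakmp enable outside
isakmp key Other-Site-Key-2009 address {OTHER_IP} netmask 255.255.255.255
isakmp key Remote-Site-Key-2009 address {REMOTE_IP} netmask 255.255.255.255
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
"""

# Remote side. Its key for the corp peer has the digit zero typed as the
# letter O, the kind of mismatch that makes Phase 1 fail with no obvious error.
REMOTE_CONFIG = f"""\
access-list 150 permit ip 192.168.16.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map corpsite 90 ipsec-isakmp
crypto map corpsite 90 match address 150
crypto map corpsite 90 set peer {CORP_IP}
crypto map corpsite 90 set transform-set strong
crypto map corpsite interface outside
isakmp enable outside
isakmp key Remote-Site-Key-2OO9 address {CORP_IP} netmask 255.255.255.255
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 2
isakmp policy 9 lifetime 86400
"""
REMOTE_CONFIG_FIXED = REMOTE_CONFIG.replace("Remote-Site-Key-2OO9", "Remote-Site-Key-2009")

KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)", re.M)
PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (\S+)", re.M)
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)
ENABLE_RE = re.compile(r"^isakmp enable (\S+)", re.M)


def parse(config):
    """Return the parts of a PIX 6.x config that decide whether Phase 1 can start."""
    return {
        "keys": {addr: key for key, addr in KEY_RE.findall(config)},      # peer -> PSK
        "peers": {addr: name for name, addr in PEER_RE.findall(config)},  # peer -> map name
        "bound": dict(BIND_RE.findall(config)),                           # map name -> interface
        "isakmp_on": set(ENABLE_RE.findall(config)),                      # interfaces with ISAKMP
    }


def check_side(label, cfg, peer_ip):
    """Findings about one PIX in isolation: map applied, ISAKMP enabled, a key per peer."""
    findings = []
    if peer_ip not in cfg["peers"]:
        findings.append(f"{label}: no crypto map entry sets peer {peer_ip}")
        return findings
    map_name = cfg["peers"][peer_ip]
    if map_name not in cfg["bound"]:
        findings.append(f"{label}: crypto map {map_name} is not applied to any interface")
    elif cfg["bound"][map_name] not in cfg["isakmp_on"]:
        findings.append(f"{label}: isakmp is not enabled on {cfg['bound'][map_name]}")
    for addr in cfg["peers"]:
        if addr not in cfg["keys"]:
            findings.append(f"{label}: crypto map peer {addr} has no isakmp key")
    return findings


def check(config_a, ip_a, config_b, ip_b):
    """Cross-check both ends of one tunnel. Key values never appear in the output."""
    a, b = parse(config_a), parse(config_b)
    findings = check_side("side A", a, ip_b) + check_side("side B", b, ip_a)
    key_a, key_b = a["keys"].get(ip_b), b["keys"].get(ip_a)
    if key_a and key_b and key_a != key_b:
        findings.append(f"pre-shared key mismatch between {ip_a} and {ip_b}")
    return findings


if __name__ == "__main__":
    for line in check(CORP_CONFIG, CORP_IP, REMOTE_CONFIG, REMOTE_IP) or ["no findings"]:
        print(line)
```

Run as-is, the checker reports only the key mismatch; with `REMOTE_CONFIG_FIXED` it reports nothing. The findings deliberately never include the key string itself: the remote-side fragment posted in the question shows its pre-shared key in clear, and anything that compares keys across two configs should report the fact of a mismatch rather than echo the secrets. On the boxes themselves, `show isakmp sa` and `show crypto ipsec sa` tell you whether Phase 1 and Phase 2 came up, and `debug crypto isakmp` on the responder is where a wrong pre-shared key or a policy that does not match the peer's becomes visible.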