sean-keys
asked on
Connect Cisco 1760 to multiple sites VIA IPSEC
Hi, I have three sites. A and B are connected via an IPsec VPN. What I want to do is connect site A to site C too. I tried creating another transform, but it doesn't seem that I can apply more than one transform to the external interface. Can I set multiple peers and ACLs in one map? How else can I do this?
crypto map aesmap 10 ipsec-isakmp
set peer site-B-ip-address
set security-association lifetime seconds 86400
set transform-set aesset
set pfs group5
match address 103
interface BVI1
ip address xxxxxx
ip nat outside
ip virtual-reassembly
crypto map aesmap
!
ASKER CERTIFIED SOLUTION
SOLUTION
Let us know how far you get (but of course you will ;).
ASKER
I think I have everything correct, but I can't seem to ping from Site A to C or C to A. I'm using the ping command from workstations behind the routers, as I know if you ping from within the router it won't generate traffic that matches the transform ACL.
Did I miss something simple, or am I fully retarded?
Site A
Building configuration...
Current configuration : 3060 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TXCONLAB-RTR0
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
regexp optimize
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.15.1 10.10.15.50
!
ip dhcp pool vlan50
network 10.10.15.0 255.255.255.0
bootfile OS79XX.TXT
default-router 10.10.15.1
dns-server 8.8.8.8
domain-name
option 150 ip 10.10.15.10
!
ip dhcp pool exclude-address
!
!
no ip domain lookup
ip domain name
vpdn enable
!
!
!
!
!
username root privilege 15 password 7
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key sharedKey address Site B
crypto isakmp key sharedKey address Site C
crypto isakmp keepalive 1024
!
!
crypto ipsec transform-set aesset esp-3des esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer Site B
set security-association lifetime seconds 86400
set transform-set aesset
set pfs group5
match address 103
crypto map aesmap 20 ipsec-isakmp
set peer Site C
set security-association lifetime seconds 86400
set transform-set aesset
set pfs group5
match address 104
!
bridge irb
!
!
interface ATM0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
bridge-group 1
pvc 0/35
encapsulation aal5snap
!
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.20
!
interface FastEthernet0/0.50
encapsulation dot1Q 50 native
ip address 10.10.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.150
encapsulation dot1Q 150
ip address 172.16.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
interface BVI1
ip address public IP
ip nat outside
ip virtual-reassembly
crypto map aesmap
!
ip default-gateway public IP
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 public IP
!
no ip http server
no ip http secure-server
ip nat inside source list acl_nat interface BVI1 overload
!
ip access-list extended acl_nat
permit ip 172.16.15.0 0.0.0.255 any
deny ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip 10.10.15.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.15.0 0.0.0.255 any
!
access-list 103 permit ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip 10.10.15.0 0.0.0.255 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
password 7
!
end
Site C
Building configuration...
Current configuration : 2497 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TXCON02-rtr0
!
boot-start-marker
boot-end-marker
!
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
regexp optimize
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.50
!
ip dhcp pool vlan50
network 10.10.10.0 255.255.255.0
bootfile OS79XX.TXT
default-router 10.10.10.1
dns-server 8.8.8.8
domain-name router.domain.com
option 150 ip 10.10.10.10
!
!
no ip domain lookup
ip domain name router.domain.com
vpdn enable
!
!
!
!
!
username root privilege 15 password 7
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 5
crypto isakmp key sharedKey address SiteA
crypto isakmp keepalive 1024
!
!
crypto ipsec transform-set aesset esp-3des esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer Site A
set security-association lifetime seconds 86400
set transform-set aesset
set pfs group5
match address 103
!
bridge irb
!
!
interface Ethernet0/0
ip address public IP
ip nat outside
ip virtual-reassembly
full-duplex
crypto map aesmap
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.20
!
interface FastEthernet0/0.50
encapsulation dot1Q 50 native
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.150
encapsulation dot1Q 150
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
shutdown
!
interface BVI1
ip address dhcp
ip virtual-reassembly
shutdown
!
ip default-gateway public IP
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 public IP
!
no ip http server
no ip http secure-server
ip nat inside source list acl_nat interface Ethernet0/0 overload
!
ip access-list extended acl_nat
permit ip 172.16.10.0 0.0.0.255 any
deny ip 10.10.10.0 0.0.0.255 10.10.15.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 103 permit ip 10.10.10.0 0.0.0.255 10.10.15.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line aux 0
line vty 0 4
password 7
!
end
It looks like you're missing the second half of your crypto map. The first part with entry point 10 should be the one that goes to Site B. So you need to verify that your "set peer" is indeed to Site B. You then need a crypto map for site C.
crypto map aesmap 20 ipsec-isakmp
set peer Site C
set security-association lifetime seconds 86400
set transform-set aesset
set pfs group5
match address 104
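The two things that make a second crypto-map entry actually pass traffic are the ones the thread's configs already show but that are easy to get subtly wrong: the crypto ACL on each end must be the exact mirror of the far end's, and the NAT ACL must deny (exempt) the same flows before its overload permit, because IOS translates inside-to-outside traffic before the crypto map is consulted. The following Python script is an added example, not code from the thread or from Cisco; it parses constructed excerpts of the Site A and Site C configs above (peer addresses are placeholders, since the thread redacts them) and reports mirror and NAT-exemption mismatches for a given pair of crypto-map sequence numbers. It assumes contiguous wildcard masks and plain `ip` ACEs, which is all these configs use.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed excerpts of the Site A and Site C configs posted in the thread.
# Peer addresses are placeholders; the thread redacts them.
SITE_A = """
crypto map aesmap 10 ipsec-isakmp
 set peer SITE_B_PUBLIC_IP
 match address 103
crypto map aesmap 20 ipsec-isakmp
 set peer SITE_C_PUBLIC_IP
 match address 104
ip access-list extended acl_nat
 permit ip 172.16.15.0 0.0.0.255 any
 deny ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip 10.10.15.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.15.0 0.0.0.255 any
access-list 103 permit ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip 10.10.15.0 0.0.0.255 10.10.10.0 0.0.0.255
"""
SITE_C = """
crypto map aesmap 10 ipsec-isakmp
 set peer SITE_A_PUBLIC_IP
 match address 103
ip access-list extended acl_nat
 permit ip 172.16.10.0 0.0.0.255 any
 deny ip 10.10.10.0 0.0.0.255 10.10.15.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit ip 10.10.10.0 0.0.0.255 10.10.15.0 0.0.0.255
"""

ANY = IPv4Network("0.0.0.0/0")

def wildcard_net(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.
    Assumes a contiguous wildcard mask, the only kind in this thread."""
    prefixlen = 32 - bin(int(IPv4Address(wildcard))).count("1")
    return IPv4Network(f"{addr}/{prefixlen}", strict=False)

def parse_ace(tokens):
    """Parse the '<src> <dst>' part of an 'ip' ACE; each side is 'any',
    'host X' or 'addr wildcard'. Returns (src_net, dst_net)."""
    nets, i = [], 0
    while len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ANY); i += 1
        elif tokens[i] == "host":
            nets.append(IPv4Network(tokens[i + 1] + "/32")); i += 2
        else:
            nets.append(wildcard_net(tokens[i], tokens[i + 1])); i += 2
    return nets[0], nets[1]

def parse_config(cfg):
    """Extract crypto-map entries, numbered (crypto) ACLs and named (NAT)
    ACLs from a running-config excerpt."""
    maps, num_acls, named_acls = [], {}, {}
    cur_map = cur_named = None
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            cur_map = {"name": t[2], "seq": int(t[3]), "peer": None, "acl": None}
            maps.append(cur_map); cur_named = None
        elif t[:2] == ["set", "peer"] and cur_map is not None:
            cur_map["peer"] = " ".join(t[2:])
        elif t[:2] == ["match", "address"] and cur_map is not None:
            cur_map["acl"] = t[2]
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            num_acls.setdefault(t[1], []).append((t[2],) + parse_ace(t[4:]))
        elif t[:2] == ["ip", "access-list"]:
            cur_named, cur_map = t[3], None
            named_acls[cur_named] = []
        elif t[0] in ("permit", "deny") and cur_named:
            named_acls[cur_named].append((t[0],) + parse_ace(t[2:]))
    return {"maps": maps, "num_acls": num_acls, "named_acls": named_acls}

def crypto_flows(parsed, seq):
    """Interesting-traffic (src, dst) pairs for one crypto-map sequence."""
    entry = next(m for m in parsed["maps"] if m["seq"] == seq)
    return [(s, d) for act, s, d in parsed["num_acls"][entry["acl"]] if act == "permit"]

def nat_exempted(parsed, nat_acl, src, dst):
    """True if the first NAT-ACL entry matching src->dst is a deny, so the flow
    stays untranslated for the crypto map (IOS NATs inside-to-outside first)."""
    for act, s, d in parsed["named_acls"].get(nat_acl, []):
        if src.subnet_of(s) and dst.subnet_of(d):
            return act == "deny"
    return True  # no NAT entry matches: nothing is translated

def audit_tunnel(local, local_seq, remote, remote_seq, nat_acl="acl_nat"):
    """Findings for one site pair: crypto ACLs must mirror each other and NAT
    must exempt the same flows on both ends. Empty list means consistent."""
    findings = []
    sides = [("local", local, local_seq, remote, remote_seq),
             ("remote", remote, remote_seq, local, local_seq)]
    for label, here, seq, there, there_seq in sides:
        other = crypto_flows(there, there_seq)
        for src, dst in crypto_flows(here, seq):
            if (dst, src) not in other:
                findings.append(f"{label}: {src}->{dst} has no mirrored entry in the far-end crypto ACL")
            if not nat_exempted(here, nat_acl, src, dst):
                findings.append(f"{label}: NAT ACL {nat_acl} translates {src}->{dst} before crypto matching")
    return findings

if __name__ == "__main__":
    a, c = parse_config(SITE_A), parse_config(SITE_C)
    print("A seq 20 <-> C seq 10:", audit_tunnel(a, 20, c, 10) or "consistent")
    print("A seq 10 <-> C seq 10:", audit_tunnel(a, 10, c, 10))
```

Run against the excerpts, pairing Site A's sequence 20 with Site C's sequence 10 comes back clean, while pairing A's sequence 10 (the Site B entry) with C's shows both ACLs unmirrored, which is the symptom to look for when a `set peer` and its `match address` have been swapped between entries. Deleting the `deny` for 10.10.10.0/24 to 10.10.15.0/24 from Site C's `acl_nat` produces a single NAT-exemption finding, the other common reason one workstation can ping and the other cannot.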
ASKER
Thanks guys, not sure why it took so long to start working...