
DUAL SITE TO SITE VPN PIX

Status
Not open for further replies.

julianmd (MIS, CA)
May 26, 2004
Hi,

I am going nuts with this, if anybody has been there..... this is a cry for help ;-).

This is my situation.

LAN1 - 2 ISP's, 2 PIX's
LAN2 - 1 ISP, 1 PIX

I have a vpn tunnel from PIX1-LAN1 going to PIX1-LAN2. Now I'm trying to create a secondary vpn tunnel from PIX2-LAN1 going to PIX1-LAN2.

The Phase 1 completes, but the IPSec tunnel doesn't connect. I've opened a TAC case with CISCO, and I'm still waiting for their solution.

Basically, they said the PIX1-LAN2 has two crypto map entries going to the same destination (LAN1's internal subnet)

Any suggestion would be highly appreciated!

Julian Dragut
 
Relevant config:


access-list ymx1acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list ymx2acl permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto map outside 20 ipsec-isakmp
crypto map outside 20 match address ymx1acl
crypto map outside 20 set peer X.X.X.X
crypto map outside 20 set transform-set strongdes

crypto map outside 30 ipsec-isakmp
crypto map outside 30 match address ymx2acl
crypto map outside 30 set peer Y.Y.Y.Y
crypto map outside 30 set transform-set strongdes

This PIX should create 2 VPNs to LAN1 (ymx1acl, ymx2acl), but it creates only one.

I kind of fixed the problem by adding the second peer to crypto map 20, as in:

crypto map outside 20 ipsec-isakmp
crypto map outside 20 match address ymx1acl
crypto map outside 20 set peer X.X.X.X Y.Y.Y.Y
crypto map outside 20 set transform-set strongdes

Any ideas?
 
So the internal networks are the same range?

192.168.0.0


That's definitely a problem. If that's the case, the only real options are to subnet that on the ACL, maybe only establishing a tunnel for a range of addresses 1 - 63 for one tunnel and 64 - 127 on another. The other option is to change the subnet at one of the sites, or put a router in front of the traffic and behind the PIX and NAT it.
 
Take a look at this:

Cisco's VPN engineer's response:

Thank you for all your concern and for providing all the info in this regard.

Please see that I was not feeling well, so I couldn't get back to you sooner. My apologies for any production impact caused.

What we need to do in this scenario is a static NAT from the inside network behind PIX 506 to a private IP range, without requiring any public IP range, and thus

the interesting traffic from PIX 501 will be 192.168.1.0 towards the translated private IP range

and

the interesting traffic from PIX 506 will be from the translated private IP range to the 192.168.1.0 network

And this should make the setup run. Please bear with me for today if possible and I will get back to you tomorrow at the beginning of my shift and will configure the same for you.
 
No the internal IP's are not the same.

RemoteSite's IP address is 192.168.1.0

HQSite = 192.168.0.0
PIX1 - ISP1
PIX2 - ISP2

PIX1 + PIX2 protect the same LAN (192.168.0.0), that's why RemoteSitePIX has two maps with the same proxy source, but using two different peer addresses.

Hope this helps!
 
That's the problem though. The ymx1acl and ymx2acl you are using define what traffic is interesting to the PIX. If you are using the same LAN 192.168.0.0 then there will be problems because the traffic will only work to one PIX. My suggestion, and I know it could be a pain, is to re-engineer one of those subnets to be 192.168.2.0 rather than trying to NAT. The NAT solution is a short fix. The problem is further down the road: with new implementations you may have to keep making small fixes that can become a pain in the rear. If you change it now, you won't have to worry about IP problems later. The upside is if you have a small amount of clients the changes go easy. I've done this before. The downside is if you have a large amount of servers, then it sucks.
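To make the behaviour discussed in this thread concrete, here is an added example (not from the thread, not Cisco code) that models how a PIX crypto map chooses the entry owning a flow: entries are tried in ascending sequence order and the first one whose "match address" ACL permits the flow wins, which is why two entries with identical ACLs only ever bring up one IPSec SA. It replays three configurations from the thread: the original two-entry map, the poster's one-entry/two-peer workaround (where the second peer is a failover candidate, not a second concurrent tunnel), and the TAC engineer's static-NAT design, where each HQ PIX presents the LAN under its own translated range so the two crypto ACLs no longer overlap. X.X.X.X and Y.Y.Y.Y are the placeholder peers from the thread; the translated ranges 10.1.0.0/24 and 10.2.0.0/24, the sample hosts and the function names are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Added example (not part of the thread or any Cisco configuration): a model of
# first-match crypto map selection. Peers X.X.X.X / Y.Y.Y.Y are the thread's
# placeholders; the 10.x translated ranges and hosts below are constructed.


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int      # "crypto map outside <seq>"
    acl: tuple    # (source network, destination network) pairs: the "match address" ACL
    peers: tuple  # "set peer" list; extra peers are tried only if the first fails

    def permits(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return any(src in s and dst in d for s, d in self.acl)


def select_entry(crypto_map, src, dst):
    """First-match lookup: the lowest-sequence entry whose ACL permits the flow owns it."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if entry.permits(src, dst):
            return entry
    return None  # not interesting traffic for any entry: no SA is negotiated for it


def tunnels_carrying_traffic(crypto_map, flows):
    """Sequence numbers of the entries that end up owning at least one flow."""
    used = set()
    for src, dst in flows:
        entry = select_entry(crypto_map, src, dst)
        if entry is not None:
            used.add(entry.seq)
    return used


REMOTE = IPv4Network("192.168.1.0/24")  # RemoteSite LAN (LAN2)
HQ = IPv4Network("192.168.0.0/24")      # HQ LAN (LAN1), reachable via PIX1 and PIX2

# Constructed flows: two RemoteSite hosts talking to two HQ servers by real address.
FLOWS_TO_REAL_HQ = [
    (IPv4Address("192.168.1.10"), IPv4Address("192.168.0.5")),
    (IPv4Address("192.168.1.11"), IPv4Address("192.168.0.6")),
]


def original_map():
    """The first post's config: ymx1acl and ymx2acl are identical, so seq 30 never matches."""
    acl = ((REMOTE, HQ),)
    return [
        CryptoMapEntry(seq=20, acl=acl, peers=("X.X.X.X",)),
        CryptoMapEntry(seq=30, acl=acl, peers=("Y.Y.Y.Y",)),
    ]


def failover_map():
    """The poster's workaround: one entry, two peers. Y.Y.Y.Y is only tried if X.X.X.X fails."""
    return [CryptoMapEntry(seq=20, acl=((REMOTE, HQ),), peers=("X.X.X.X", "Y.Y.Y.Y"))]


HQ_VIA_PIX1 = IPv4Network("10.1.0.0/24")  # constructed: HQ LAN as statically translated by PIX1
HQ_VIA_PIX2 = IPv4Network("10.2.0.0/24")  # constructed: HQ LAN as statically translated by PIX2


def nat_map():
    """The TAC engineer's approach: distinct translated destination ranges per peer,
    so each crypto ACL is unique and both entries can own traffic at the same time."""
    return [
        CryptoMapEntry(seq=20, acl=((REMOTE, HQ_VIA_PIX1),), peers=("X.X.X.X",)),
        CryptoMapEntry(seq=30, acl=((REMOTE, HQ_VIA_PIX2),), peers=("Y.Y.Y.Y",)),
    ]


# Constructed flows for the NAT design: RemoteSite addresses HQ by its translated ranges.
FLOWS_TO_TRANSLATED_HQ = [
    (IPv4Address("192.168.1.10"), IPv4Address("10.1.0.5")),
    (IPv4Address("192.168.1.11"), IPv4Address("10.2.0.5")),
]


if __name__ == "__main__":
    print("original:", sorted(tunnels_carrying_traffic(original_map(), FLOWS_TO_REAL_HQ)))  # [20]
    print("failover:", select_entry(failover_map(), *FLOWS_TO_REAL_HQ[0]).peers)  # ('X.X.X.X', 'Y.Y.Y.Y')
    print("with NAT:", sorted(tunnels_carrying_traffic(nat_map(), FLOWS_TO_TRANSLATED_HQ)))  # [20, 30]
```

The model shows the trade-off the last reply describes: the NAT design works only as long as RemoteSite hosts keep addressing HQ by the translated ranges, and a flow to the real 192.168.0.0/24 address matches nothing and is not encrypted, which is the kind of later surprise that renumbering one site avoids.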
 