
Site-Site and VPN Client 3.x tunnels working concurrently

Status
Not open for further replies.

marhoul

IS-IT--Management
Jun 10, 2002
I am having trouble setting up a site-site vpn whilst also keeping my vpn client 3.x working.

I am working with SITE1 until I get the site-site config entered without it killing my ability to connect to it with a VPN Client 3.x. Once it is up I will enter the config into SITE2, as SSH and VPN are my only methods of access to this remote device. If I kill VPN and something happens to the SSH then I will be hamstrung.

I am using Image 6.2(2) and PDM 2.1(1).

So my config is as follows:

name x.x.x.x site1
name x.x.x.x site2
name x.x.x.x site1_int_net
name x.x.x.x site2_int_net

access-list from-outside permit ip host site2 any
access-group from-outside in interface outside

access-list 101 permit ip site1_int_net 255.255.255.0 site2_int_net 255.255.255.0

nat (inside) 0 access-list 101

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set ESP-3DES-SHA
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam 1 set peer site2
crypto map transam 1 set transform-set ESP-3DES-SHA
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address site2 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup x address-pool vpnclientpool
vpngroup x wins-server x.x.x.x
vpngroup x default-domain x.x.x
vpngroup x split-tunnel nonat
vpngroup x idle-time 1800
vpngroup x password ********


Any help would be greatly appreciated.

Cheers,

Mark
 
I have got the config in and the vpn client 3.x still working. It looks like the site tunnel is up but I cannot ping the other network.

My current SAs look like this:
===============================

interface: outside
Crypto map tag: newmap, local addr. pix02

local ident (addr/mask/prot/port): (int_net/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer: pix01
PERMIT, flags={origin_is_acl,}
#pkts encaps: 341, #pkts encrypt: 341, #pkts digest 341
#pkts decaps: 317, #pkts decrypt: 317, #pkts verify 317
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: pix02, remote crypto endpt.: pix01
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 903a6f3d

inbound esp sas:
spi: 0x28f845e5(687359461)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607905/23119)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:


inbound pcp sas:


outbound esp sas:
spi: 0x903a6f3d(2419748669)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: newmap
sa timing: remaining key lifetime (k/sec): (4607866/23119)
IV size: 8 bytes
replay detection support: Y


outbound ah sas:


outbound pcp sas:

Current config on Site 1 PIX (506E, 6.2(2)):
===========================================

access-list 100 permit ip int_net 255.255.255.0 192.168.0.0 255.255.0.0
access-list 100 permit ip int_net 255.255.255.0 10.3.21.0 255.255.255.0
access-list 110 permit ip int_net 255.255.255.0 192.168.0.0 255.255.0.0
nat (inside) 0 access-list 100
sysopt connection permit-ipsec
no sysopt route dnat

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 10 set peer pix01
crypto map newmap 10 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp enable outside
isakmp key ******** address pix01 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup x address-pool vpnclient
vpngroup x wins-server 10.3.20.10
vpngroup x default-domain x
vpngroup x idle-time 1800
vpngroup x password ********
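A small lint, added here as an example (not code from the thread or from Cisco), for the difference between the two configs above: in the first the dynamic map sits in mymap while transam is the map bound to outside, so the VPN Client has nothing to match; in the second both entries share newmap and the site-to-site peer key carries no-xauth no-config-mode. The sample configs are trimmed copies of the two posts and check_crypto_maps is a name chosen for this example.

```python
# Added example (not from the thread): lint a PIX 6.x config for the layout
# issue in the two posts above. The static L2L entry and the dynamic VPN Client
# entry must sit in the one crypto map bound to the outside interface, and the
# L2L peer's isakmp key needs no-xauth no-config-mode once vpngroup is in use.
def check_crypto_maps(config):
    """Return a list of findings; an empty list means the layout is sane."""
    bound, dyn, maps, peers, vpngroup = {}, set(), set(), {}, False
    for w in (l.split() for l in config.splitlines()):
        if w[:2] == ["crypto", "map"] and len(w) >= 5:
            maps.add(w[2])
            if w[3] == "interface":          # crypto map X interface outside
                bound[w[4]] = w[2]
            elif "dynamic" in w:             # crypto map X 20 ipsec-isakmp dynamic D
                dyn.add(w[2])
        elif w[:2] == ["isakmp", "key"] and "address" in w:   # L2L peer PSK
            peer = w[w.index("address") + 1]
            peers[peer] = {f for f in w if f in ("no-xauth", "no-config-mode")}
        elif w[:1] == ["vpngroup"]:          # remote-access clients are configured
            vpngroup = True
    out = []
    if not bound:
        out.append("no crypto map is bound to an interface")
    for iface, name in bound.items():
        if vpngroup and name not in dyn:
            out.append(f"{name} on {iface} has no dynamic entry; VPN Client will fail")
    for name in sorted(maps - set(bound.values())):
        out.append(f"crypto map {name} is defined but never bound to an interface")
    for peer, flags in sorted(peers.items()) if vpngroup else []:
        for flag in ("no-xauth", "no-config-mode"):
            if flag not in flags:
                out.append(f"isakmp key for peer {peer} lacks {flag}")
    return out
# Trimmed copies of the two configs posted in this thread (constructed samples).
FIRST_POST = """\
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map transam 1 ipsec-isakmp
crypto map transam 1 match address 101
crypto map transam interface outside
isakmp key ******** address site2 netmask 255.255.255.255
vpngroup x address-pool vpnclientpool
"""
SECOND_POST = """\
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 110
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
isakmp key ******** address pix01 netmask 255.255.255.255 no-xauth no-config-mode
vpngroup x address-pool vpnclient
"""
```

Running check_crypto_maps(FIRST_POST) reports the unbound mymap, the missing dynamic entry on transam and the missing key flags, while SECOND_POST comes back clean.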
 
Marhoul, have you actually got split-tunnel working with those commands? If so, we need to talk; you may be a big help to me. Thanks,
Jcanuk
 