
VPN - At a loss

Status
Not open for further replies.

Leth

IS-IT--Management
Sep 29, 2005
4
GB
Hello,


I have an existing static pix to pix vpn between the UK and France and
need now to add a dynamic vpn between the UK and Spain. The static vpn
works great but I cannot get a dynamic vpn up and running. The problem
I've got is that Spain's ISP router is the dhcp server for the pix, so
Spain's pix has not got a public ip address. I've included the configs
(the important bits anyway) for somebody to cast their beady eye over.
Any help would be greatly appreciated.


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
UK PIX:


PIX Version 6.3(3)


access-list NO-NAT permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list NO-NAT permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list SPAIN permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list FRANCE permit ip 10.1.1.0 255.255.255.0 10.1.3.0 255.255.255.0


ip address outside xx.xx.xx.xx xx.xx.xx.xx
ip address inside 10.1.1.16 255.255.255.0


global (outside) 1 interface


nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


route outside 0.0.0.0 0.0.0.0 UK_ISP_ROUTER 1


floodguard enable


sysopt connection permit-ipsec
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto dynamic-map mydyn 20 set transform-set aptset
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address FRANCE
crypto map aptmap 10 set peer 84.96.22.140
crypto map aptmap 10 set transform-set aptset
crypto map aptmap 20 ipsec-isakmp dynamic mydyn
crypto map aptmap interface outside


isakmp enable outside
isakmp key ******** address xx.xx.xx.xx netmask 255.255.255.255 no-xauth
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
SPAIN PIX:


PIX Version 6.3(3)


access-list UK permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NO-NAT permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0


ip address outside dhcp <--------------------- this picks up an ip address from the ISP router's dhcp (100.1.4.6-100.1.4.10). The ISP router's inside address is 100.1.4.1
ip address inside 10.1.4.10 255.255.255.0


global (outside) 1 interface


nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0 0 0


route outside 0.0.0.0 0.0.0.0 SPAIN_ISP_ROUTER 1


floodguard enable


sysopt connection permit-ipsec
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
crypto map aptmap 10 ipsec-isakmp
crypto map aptmap 10 match address UK
crypto map aptmap 10 set peer UK_PIX
crypto map aptmap 10 set transform-set aptset
crypto map aptmap interface outside


isakmp enable outside
isakmp key ******** address UK_PIX netmask xx.xx.xx.xx no-xauth
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
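
An added example, not part of the original post: a first consistency check for two PIX 6.x configs like the ones above, comparing the settings both tunnel ends have to agree on (mirrored crypto ACLs, NAT exemption for the tunnel traffic, a common ISAKMP policy, a common transform set). The helper names `parse` and `compare` are hypothetical; the config excerpts are taken from the post with wrapped lines rejoined.

```python
# Added example (hypothetical helpers). Config excerpts copied from the post.
UK_CFG = """\
access-list NO-NAT permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
access-list SPAIN permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""
SPAIN_CFG = """\
access-list UK permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list NO-NAT permit ip 10.1.4.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec transform-set aptset esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
"""

def parse(cfg):
    """Return (acls, isakmp policies, transform sets) parsed from config text."""
    acls, policies, tsets = {}, {}, {}
    for line in cfg.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"] and len(w) == 8:
            acls.setdefault(w[1], set()).add((tuple(w[4:6]), tuple(w[6:8])))
        elif w[:2] == ["isakmp", "policy"] and len(w) == 5 and w[3] != "lifetime":
            policies.setdefault(w[2], {})[w[3]] = w[4]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[w[3]] = frozenset(w[4:])
    return acls, policies, tsets

def compare(local, remote, local_acl, remote_acl):  # one boolean per agreement check
    (la, lp, lt), (ra, rp, rt) = parse(local), parse(remote)
    mirrored = {(dst, src) for src, dst in ra.get(remote_acl, set())}
    return {
        "crypto_acl_mirrored": la.get(local_acl) == mirrored,
        "no_nat_covers_tunnel": la.get(local_acl, set()) <= la.get("NO-NAT", set()),
        "shared_isakmp_policy": any(p in rp.values() for p in lp.values()),
        "shared_transform_set": bool(set(lt.values()) & set(rt.values())),
    }

if __name__ == "__main__":
    print(compare(UK_CFG, SPAIN_CFG, "SPAIN", "UK"))
```

All four checks pass for the excerpts as posted, so these settings already agree between the two ends.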


 