I recently added site-to-site configuration to a PIX 505E that was already working for VPN clients. After adding site-to-site VPN the clients can no longer connect. Debugs on the PIX show errors about the client's IP address not being valid.
I was sure I was careful to only add new lines of configuration without changing/removing what was already there.
Could someone more knowledgeable about VPNs take a look at the following config and see what I'm missing?
sysopt connection permit-ipsec
crypto ipsec transform-set bbatrans esp-3des esp-sha-hmac
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map bba-dymap 10 set transform-set bbatrans
crypto dynamic-map cisco 1 set transform-set strong
crypto map bba_crypto 10 ipsec-isakmp dynamic bba-dymap
crypto map bba_crypto client authentication RADIUS
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosnwl
crypto map tosonicwall 20 set peer x.x.173.58
crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
crypto map tosonicwall interface outside
isakmp enable outside
isakmp key ******** address x.x.173.58 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 28800
vpngroup bba address-pool VPN
vpngroup bba dns-server 192.168.1.5
vpngroup bba wins-server 192.168.1.5
vpngroup bba default-domain bba.local
vpngroup bba split-tunnel noNAT
vpngroup bba idle-time 1800
vpngroup bba password ********
Many thanks for taking the time to help me out!
-Chris
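An added example, not part of the original post: a PIX interface holds only one crypto map at a time, so a useful first check on a config like the one above is which of its crypto maps are actually applied to an interface. The sample text is the crypto-map lines copied from the post; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto-map lines from the configuration posted above.
SAMPLE_CONFIG = """\
crypto dynamic-map bba-dymap 10 set transform-set bbatrans
crypto dynamic-map cisco 1 set transform-set strong
crypto map bba_crypto 10 ipsec-isakmp dynamic bba-dymap
crypto map bba_crypto client authentication RADIUS
crypto map dyn-map 10 ipsec-isakmp dynamic cisco
crypto map tosonicwall 20 ipsec-isakmp
crypto map tosonicwall 20 match address pixtosnwl
crypto map tosonicwall 20 set peer x.x.173.58
crypto map tosonicwall 20 set transform-set ESP-3DES-SHA
crypto map tosonicwall interface outside
"""

# "crypto map <name> <rest>"; "crypto dynamic-map ..." lines do not match.
MAP_LINE = re.compile(r"^crypto map (\S+) (.+)$")
DYNAMIC_REF = re.compile(r"^\d+ ipsec-isakmp dynamic (\S+)$")


def audit_crypto_maps(config):
    """Per crypto map: interfaces it is applied to and dynamic maps it references."""
    maps = defaultdict(lambda: {"interfaces": [], "dynamic": []})
    for raw in config.splitlines():
        m = MAP_LINE.match(raw.strip())
        if not m:
            continue
        name, rest = m.groups()
        entry = maps[name]  # creates the entry even for lines we do not inspect further
        if rest.startswith("interface "):
            entry["interfaces"].append(rest.split()[1])
        else:
            d = DYNAMIC_REF.match(rest)
            if d:
                entry["dynamic"].append(d.group(1))
    return dict(maps)


def unbound_maps(config):
    """Names of crypto maps that are defined but have no 'interface' line."""
    return sorted(n for n, e in audit_crypto_maps(config).items() if not e["interfaces"])


if __name__ == "__main__":
    audit = audit_crypto_maps(SAMPLE_CONFIG)
    for name in unbound_maps(SAMPLE_CONFIG):
        print(f"crypto map {name} has no interface line (dynamic maps: {audit[name]['dynamic']})")
```

Run against the posted lines, it reports that only `tosonicwall` is applied to `outside`, while the two maps that reference the client dynamic maps have no interface line in the excerpt.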