Hi folks
I'm new to Cisco, so I need some help with a VPN setup.
I have a Cisco 1712 router with VPN support. This will act as the concentrator.
I need to build two site-to-site tunnels to two different peers.
Int LAN 172.16.100.0/24
Cisco 1712 ------- (Peer1) Cisco router, int LAN 192.168.50.0 255.255.255.224
   |                                        and 192.168.5.0/24
   |
   --------- (Peer2) Fortigate FW, int LAN 172.100.100.0/24
I have managed to get both tunnels to work, but not at the same time; it is as if they choose the wrong crypto settings when I have both configured simultaneously.
To peer 1 I have to use DES / SHA-1 / DH group 1.
To peer 2 I have to use 3DES / SHA-1 / DH group 2.
The two peers also use different pre-shared key phrases.
I only have one interface on the Cisco 1712 connected to the Internet, so both tunnels need to be applied to that interface.
I would really appreciate all the help I can get... I'm kind of stuck right now.
Here is the config I tried to use.
Building configuration...
Current configuration : 10384 bytes
!
! Router RR01 (Cisco 1712, IOS 12.3): CBAC firewall on the Internet-facing
! FastEthernet0 plus two IPsec site-to-site tunnels on one crypto map
! (peer 1: DES/SHA-1/DH group 1, peer 2: 3DES/SHA-1/DH group 2).
! "xxx.xxx.xxx.xxx" and "(IP ...)" are redactions made by the author.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, every "password" line in this
! file is stored and displayed in clear text. "service password-encryption"
! obscures them (type 7, reversible); the "secret" forms are the stronger fix.
no service password-encryption
!
hostname RR01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
! NOTE(review): the enable-secret hash and the level-15 account password below
! are exposed in this paste; treat them as compromised and change them.
! "enable password" is ignored whenever "enable secret" is configured.
enable secret 5 $1$sL.M$WefQqINSrHy.mzw7HzUbB1
enable password xxxxxx
!
! "password 0" = clear-text local password; prefer "username root privilege 15 secret <pw>".
username root privilege 15 password 0 bronet01
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
! Local authentication only (no AAA server); the vty lines use a line password.
no aaa new-model
ip subnet-zero
!
!
!
!
ip name-server xxx.xxx.xxx.xxx
ip cef
! CBAC (stateful) inspection rule; applied outbound on FastEthernet0 so that
! return traffic for these protocols is let back in past access-list 101.
ip inspect name IP-INSPECT-RULE cuseeme
ip inspect name IP-INSPECT-RULE ftp
ip inspect name IP-INSPECT-RULE h323
ip inspect name IP-INSPECT-RULE netshow
ip inspect name IP-INSPECT-RULE rcmd
ip inspect name IP-INSPECT-RULE realaudio
ip inspect name IP-INSPECT-RULE rtsp
ip inspect name IP-INSPECT-RULE smtp
ip inspect name IP-INSPECT-RULE sqlnet
ip inspect name IP-INSPECT-RULE streamworks
ip inspect name IP-INSPECT-RULE tftp
ip inspect name IP-INSPECT-RULE tcp
ip inspect name IP-INSPECT-RULE udp
ip inspect name IP-INSPECT-RULE vdolive
ip inspect name IP-INSPECT-RULE icmp
ip ids po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
! IKE phase-1 policies, matched in priority order (lowest number first).
! Policies 1 and 2 set no encr/hash/group, so they take the IOS defaults
! (DES, SHA-1, DH group 1) -- the peer-1 settings -- and differ only in
! lifetime. IOS accepts a remote proposal only if the peer's lifetime is not
! longer than the local policy's, so check that peer 1 proposes <= 28000 s.
crypto isakmp policy 1
authentication pre-share
lifetime 1800
!
crypto isakmp policy 2
authentication pre-share
lifetime 28000
!
! 3DES / SHA-1 (default) / DH group 2 -- the peer-2 settings.
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
! Pre-shared keys, bound to each peer address. They are in clear text here
! ("test1"/"test2"); rotate them and use long random values in production.
crypto isakmp key test1 address (IP PEER 1)
crypto isakmp key test2 address (IP PEER 2)
!
!
! Phase-2 proposals, one per peer. DES (PEER1-set) is a legacy cipher; move to
! 3DES/AES as soon as that peer supports it.
crypto ipsec transform-set PEER1-set esp-des esp-sha-hmac
crypto ipsec transform-set PEER2-set esp-3des esp-sha-hmac
!
!
! One crypto map, two entries, bound to FastEthernet0 below. Outbound packets
! are tested against the entries in sequence order and the FIRST entry whose
! "match address" ACL permits the packet decides the peer and transform set.
crypto map vpnpeers-map 1 ipsec-isakmp
set peer (IP PEER 1)
set security-association lifetime seconds 1800
set transform-set PEER1-set
set pfs group1
! NOTE(review): access-list 102 ends with "permit icmp any any", so entry 1
! claims ICMP to ANY destination -- including peer 2's 172.100.100.0/24 and the
! Internet -- and tries to send it to peer 1 with PEER1-set. This is a likely
! cause of the "wrong crypto settings" symptom; access-list 103 has the same line.
match address 102
crypto map vpnpeers-map 2 ipsec-isakmp
set peer (IP PEER 2)
set security-association lifetime seconds 1800
set transform-set PEER2-set
set pfs group2
match address 103
!
!
interface BRI0
no ip address
shutdown
no cdp enable
!
! Internet-facing interface: stateless filter 101 inbound, CBAC inspection
! outbound, and both tunnels terminate here through the crypto map.
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$Connected to Internet
ip address (Public ip cisco1712) 255.255.255.240
ip access-group 101 in
ip inspect IP-INSPECT-RULE out
! NOTE(review): CEF and fast switching are disabled here, so all WAN traffic
! (including IPsec) is process-switched; confirm this is intentional.
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed auto
half-duplex
no cdp enable
crypto map vpnpeers-map
!
! Switch ports 1-4 are access ports in VLAN 100; the routed inside interface
! is Vlan100 below.
interface FastEthernet1
switchport access vlan 100
no ip address
no cdp enable
!
interface FastEthernet2
switchport access vlan 100
no ip address
no cdp enable
!
interface FastEthernet3
switchport access vlan 100
no ip address
no cdp enable
!
interface FastEthernet4
switchport access vlan 100
no ip address
no cdp enable
!
! Inside (LAN) interface; access-list 105 restricts management access to the
! router from the LAN side.
interface Vlan100
description $FW_INSIDE$Connected to Internal (FaEth1-4)
ip address 172.16.100.253 255.255.255.0
ip access-group 105 in
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface Vlan1
no ip address
!
! Static routes: inside subnets are reached via 172.16.100.254, everything
! else via the ISP default. The three interface-only routes out FastEthernet0
! are already covered by the default route; on an Ethernet segment a route
! with no next hop depends on proxy ARP, so give them the ISP next hop or
! remove them.
ip default-gateway xxx.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route 172.16.1.0 255.255.255.0 172.16.100.254
ip route 172.16.2.0 255.255.255.0 172.16.100.254
ip route 172.16.5.0 255.255.255.0 172.16.100.254
ip route 172.16.6.0 255.255.255.0 172.16.100.254
ip route 172.16.8.0 255.255.255.0 172.16.100.254
ip route 172.16.16.0 255.255.255.0 172.16.100.254
ip route 172.16.32.0 255.255.255.0 172.16.100.254
ip route 172.100.100.0 255.255.255.0 FastEthernet0
ip route 192.168.5.0 255.255.255.0 FastEthernet0
ip route 192.168.50.0 255.255.255.224 FastEthernet0
! NOTE(review): "ip http access-class 1" refers to access-list 1, which is not
! in this paste; an undefined ACL applies no restriction. Plain HTTP is also
! enabled next to HTTPS -- consider "no ip http server".
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
!
! ACL 101, inbound on FastEthernet0. DNS replies from the name server, then
! IKE (udp 500), NAT-T (udp 4500), ESP and AH from the two peers.
access-list 101 permit udp host xxx.xxx.xxx.xxx eq domain host (IP Cisco1712)
access-list 101 permit ahp host (IP PEER 1) host (IP Cisco1712)
access-list 101 permit esp host (IP PEER 1) host (IP Cisco1712)
access-list 101 permit udp host (IP PEER 1) host (IP Cisco1712) eq isakmp
access-list 101 permit udp host (IP PEER 1) host (IP Cisco1712) eq non500-isakmp
access-list 101 permit ahp host (IP PEER 2) host (IP Cisco1712)
access-list 101 permit esp host (IP PEER 2) host (IP Cisco1712)
access-list 101 permit udp host (IP PEER 2) host (IP Cisco1712) eq isakmp
access-list 101 permit udp host (IP PEER 2) host (IP Cisco1712) eq non500-isakmp
! Clear-text permits for decrypted tunnel traffic (remote LAN -> inside
! subnets); presumably present because this IOS release re-checks decrypted
! packets against the inbound ACL.
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.100.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.16.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.2.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.100.0 0.0.0.255
! NOTE(review): 192.168.5.0 and 172.100.100.0 are /24 (0.0.0.255) everywhere
! else, but the rows toward 172.16.16.0, 172.16.6.0 and 172.16.5.0 use
! 0.0.0.31 -- apparently copied from the 192.168.50.0/27 rows. As written,
! hosts .32-.255 of those two remote LANs are dropped toward these three
! inside subnets.
access-list 101 permit ip 192.168.5.0 0.0.0.31 172.16.16.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.31 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.31 172.16.16.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.31 172.16.6.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.1.0 0.0.0.255
! NOTE(review): 193.15.205.122 is left un-redacted while every other public
! address is masked; if it is this router's WAN address, mask it like the rest.
access-list 101 permit icmp any host 193.15.205.122 echo-reply
access-list 101 permit icmp any host 193.15.205.122 time-exceeded
access-list 101 permit icmp any host 193.15.205.122 unreachable
! Management from the Internet: telnet/SSH only from one trusted host, then
! explicit denies for the management ports and a final deny-all (explicit so
! that hits show up in the counters). Telnet is clear-text; prefer SSH only.
access-list 101 permit tcp host xxx.xxx.xxx.xxx host (IP Cisco1712) eq telnet
access-list 101 permit tcp host xxx.xxx.xxx.xxx host (IP Cisco1712) eq 22
access-list 101 deny tcp any host (IP Cisco1712) eq telnet
access-list 101 deny tcp any host (IP Cisco1712) eq 22
access-list 101 deny tcp any host (IP Cisco1712) eq www
access-list 101 deny tcp any host (IP Cisco1712) eq 443
access-list 101 deny tcp any host (IP Cisco1712) eq cmd
access-list 101 deny udp any host (IP Cisco1712) eq snmp
access-list 101 deny ip any any
! ACL 102 = crypto ACL for map entry 1 (peer 1): inside subnets <->
! 192.168.50.0/27 and 192.168.5.0/24. Peer 1 must hold the mirror image.
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.16.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.8.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.6.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.5.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.2.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.16.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 192.168.5.0 0.0.0.255
! NOTE(review): "permit icmp any any" does not belong in a crypto ACL; remove
! it here and in 103 -- ICMP between the listed subnets is already covered by
! the "permit ip" rows above.
access-list 102 permit icmp any any
! ACL 103 = crypto ACL for map entry 2 (peer 2): inside subnets <-> 172.100.100.0/24.
access-list 103 permit ip 172.16.100.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.16.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.8.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.6.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.5.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.2.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.1.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit icmp any any
! ACL 104 = vty access-class: two (redacted) hosts and four inside subnets may
! open a management session. Rows 1 and 2 are identical as pasted.
access-list 104 permit ip host xxx.xxx.xxx.xxx any
access-list 104 permit ip host xxx.xxx.xxx.xxx any
access-list 104 permit ip 172.16.2.0 0.0.0.255 any
access-list 104 permit ip 172.16.8.0 0.0.0.255 any
access-list 104 permit ip 172.16.5.0 0.0.0.255 any
access-list 104 permit ip 172.16.6.0 0.0.0.255 any
! ACL 105, inbound on Vlan100: management to the inside address 172.16.100.253
! only from four subnets, other management attempts denied, everything else
! (including LAN -> tunnel traffic) permitted.
! NOTE(review): the 172.16.6.0/24 rows have no "eq 22" line, unlike the other
! three subnets, so that subnet can telnet but not SSH -- likely unintended.
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq 22
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq 22
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq 22
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 deny tcp any host 172.16.100.253 eq telnet
access-list 105 deny tcp any host 172.16.100.253 eq 22
access-list 105 deny tcp any host 172.16.100.253 eq www
access-list 105 deny tcp any host 172.16.100.253 eq 443
access-list 105 deny tcp any host 172.16.100.253 eq cmd
access-list 105 deny udp any host 172.16.100.253 eq snmp
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
! vty 0-4: source filter 104, 30-minute idle timeout, shared line password.
! NOTE(review): "transport input telnet ssh" accepts clear-text telnet logins;
! once SSH is confirmed working use "transport input ssh". "login local" would
! authenticate against the username database instead of the line password.
line vty 0 4
access-class 104 in
exec-timeout 30 0
password xxxxxxx
login
transport input telnet ssh
transport output telnet ssh
!
end
Regards
Niclas Eliassen
niclas.eliassen@home.se
I'm new to Cisco, so I need some help with a VPN setup.
I have a Cisco 1712 router with VPN support. This will act as the concentrator.
I need to build two site-to-site tunnels to two different peers.
Int LAN 172.16.100.0/24
Cisco 1712 ------- (Peer1) Cisco router, int LAN 192.168.50.0 255.255.255.224
   |                                        and 192.168.5.0/24
   |
   --------- (Peer2) Fortigate FW, int LAN 172.100.100.0/24
I have managed to get both tunnels to work, but not at the same time; it is as if they choose the wrong crypto settings when I have both configured simultaneously.
To peer 1 I have to use DES / SHA-1 / DH group 1.
To peer 2 I have to use 3DES / SHA-1 / DH group 2.
The two peers also use different pre-shared key phrases.
I only have one interface on the Cisco 1712 connected to the Internet, so both tunnels need to be applied to that interface.
I would really appreciate all the help I can get... I'm kind of stuck right now.

Here is the config I tried to use.
Building configuration...
Current configuration : 10384 bytes
!
! Router RR01 (Cisco 1712, IOS 12.3): CBAC firewall on the Internet-facing
! FastEthernet0 plus two IPsec site-to-site tunnels on one crypto map
! (peer 1: DES/SHA-1/DH group 1, peer 2: 3DES/SHA-1/DH group 2).
! "xxx.xxx.xxx.xxx" and "(IP ...)" are redactions made by the author.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, every "password" line in this
! file is stored and displayed in clear text. "service password-encryption"
! obscures them (type 7, reversible); the "secret" forms are the stronger fix.
no service password-encryption
!
hostname RR01
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
! NOTE(review): the enable-secret hash and the level-15 account password below
! are exposed in this paste; treat them as compromised and change them.
! "enable password" is ignored whenever "enable secret" is configured.
enable secret 5 $1$sL.M$WefQqINSrHy.mzw7HzUbB1
enable password xxxxxx
!
! "password 0" = clear-text local password; prefer "username root privilege 15 secret <pw>".
username root privilege 15 password 0 bronet01
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
! Local authentication only (no AAA server); the vty lines use a line password.
no aaa new-model
ip subnet-zero
!
!
!
!
ip name-server xxx.xxx.xxx.xxx
ip cef
! CBAC (stateful) inspection rule; applied outbound on FastEthernet0 so that
! return traffic for these protocols is let back in past access-list 101.
ip inspect name IP-INSPECT-RULE cuseeme
ip inspect name IP-INSPECT-RULE ftp
ip inspect name IP-INSPECT-RULE h323
ip inspect name IP-INSPECT-RULE netshow
ip inspect name IP-INSPECT-RULE rcmd
ip inspect name IP-INSPECT-RULE realaudio
ip inspect name IP-INSPECT-RULE rtsp
ip inspect name IP-INSPECT-RULE smtp
ip inspect name IP-INSPECT-RULE sqlnet
ip inspect name IP-INSPECT-RULE streamworks
ip inspect name IP-INSPECT-RULE tftp
ip inspect name IP-INSPECT-RULE tcp
ip inspect name IP-INSPECT-RULE udp
ip inspect name IP-INSPECT-RULE vdolive
ip inspect name IP-INSPECT-RULE icmp
ip ids po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
! IKE phase-1 policies, matched in priority order (lowest number first).
! Policies 1 and 2 set no encr/hash/group, so they take the IOS defaults
! (DES, SHA-1, DH group 1) -- the peer-1 settings -- and differ only in
! lifetime. IOS accepts a remote proposal only if the peer's lifetime is not
! longer than the local policy's, so check that peer 1 proposes <= 28000 s.
crypto isakmp policy 1
authentication pre-share
lifetime 1800
!
crypto isakmp policy 2
authentication pre-share
lifetime 28000
!
! 3DES / SHA-1 (default) / DH group 2 -- the peer-2 settings.
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
! Pre-shared keys, bound to each peer address. They are in clear text here
! ("test1"/"test2"); rotate them and use long random values in production.
crypto isakmp key test1 address (IP PEER 1)
crypto isakmp key test2 address (IP PEER 2)
!
!
! Phase-2 proposals, one per peer. DES (PEER1-set) is a legacy cipher; move to
! 3DES/AES as soon as that peer supports it.
crypto ipsec transform-set PEER1-set esp-des esp-sha-hmac
crypto ipsec transform-set PEER2-set esp-3des esp-sha-hmac
!
!
! One crypto map, two entries, bound to FastEthernet0 below. Outbound packets
! are tested against the entries in sequence order and the FIRST entry whose
! "match address" ACL permits the packet decides the peer and transform set.
crypto map vpnpeers-map 1 ipsec-isakmp
set peer (IP PEER 1)
set security-association lifetime seconds 1800
set transform-set PEER1-set
set pfs group1
! NOTE(review): access-list 102 ends with "permit icmp any any", so entry 1
! claims ICMP to ANY destination -- including peer 2's 172.100.100.0/24 and the
! Internet -- and tries to send it to peer 1 with PEER1-set. This is a likely
! cause of the "wrong crypto settings" symptom; access-list 103 has the same line.
match address 102
crypto map vpnpeers-map 2 ipsec-isakmp
set peer (IP PEER 2)
set security-association lifetime seconds 1800
set transform-set PEER2-set
set pfs group2
match address 103
!
!
interface BRI0
no ip address
shutdown
no cdp enable
!
! Internet-facing interface: stateless filter 101 inbound, CBAC inspection
! outbound, and both tunnels terminate here through the crypto map.
interface FastEthernet0
description $FW_OUTSIDE$$ETH-WAN$Connected to Internet
ip address (Public ip cisco1712) 255.255.255.240
ip access-group 101 in
ip inspect IP-INSPECT-RULE out
! NOTE(review): CEF and fast switching are disabled here, so all WAN traffic
! (including IPsec) is process-switched; confirm this is intentional.
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed auto
half-duplex
no cdp enable
crypto map vpnpeers-map
!
! Switch ports 1-4 are access ports in VLAN 100; the routed inside interface
! is Vlan100 below.
interface FastEthernet1
switchport access vlan 100
no ip address
no cdp enable
!
interface FastEthernet2
switchport access vlan 100
no ip address
no cdp enable
!
interface FastEthernet3
switchport access vlan 100
no ip address
no cdp enable
!
interface FastEthernet4
switchport access vlan 100
no ip address
no cdp enable
!
! Inside (LAN) interface; access-list 105 restricts management access to the
! router from the LAN side.
interface Vlan100
description $FW_INSIDE$Connected to Internal (FaEth1-4)
ip address 172.16.100.253 255.255.255.0
ip access-group 105 in
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
!
interface Vlan1
no ip address
!
! Static routes: inside subnets are reached via 172.16.100.254, everything
! else via the ISP default. The three interface-only routes out FastEthernet0
! are already covered by the default route; on an Ethernet segment a route
! with no next hop depends on proxy ARP, so give them the ISP next hop or
! remove them.
ip default-gateway xxx.xxx.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route 172.16.1.0 255.255.255.0 172.16.100.254
ip route 172.16.2.0 255.255.255.0 172.16.100.254
ip route 172.16.5.0 255.255.255.0 172.16.100.254
ip route 172.16.6.0 255.255.255.0 172.16.100.254
ip route 172.16.8.0 255.255.255.0 172.16.100.254
ip route 172.16.16.0 255.255.255.0 172.16.100.254
ip route 172.16.32.0 255.255.255.0 172.16.100.254
ip route 172.100.100.0 255.255.255.0 FastEthernet0
ip route 192.168.5.0 255.255.255.0 FastEthernet0
ip route 192.168.50.0 255.255.255.224 FastEthernet0
! NOTE(review): "ip http access-class 1" refers to access-list 1, which is not
! in this paste; an undefined ACL applies no restriction. Plain HTTP is also
! enabled next to HTTPS -- consider "no ip http server".
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
!
!
!
! ACL 101, inbound on FastEthernet0. DNS replies from the name server, then
! IKE (udp 500), NAT-T (udp 4500), ESP and AH from the two peers.
access-list 101 permit udp host xxx.xxx.xxx.xxx eq domain host (IP Cisco1712)
access-list 101 permit ahp host (IP PEER 1) host (IP Cisco1712)
access-list 101 permit esp host (IP PEER 1) host (IP Cisco1712)
access-list 101 permit udp host (IP PEER 1) host (IP Cisco1712) eq isakmp
access-list 101 permit udp host (IP PEER 1) host (IP Cisco1712) eq non500-isakmp
access-list 101 permit ahp host (IP PEER 2) host (IP Cisco1712)
access-list 101 permit esp host (IP PEER 2) host (IP Cisco1712)
access-list 101 permit udp host (IP PEER 2) host (IP Cisco1712) eq isakmp
access-list 101 permit udp host (IP PEER 2) host (IP Cisco1712) eq non500-isakmp
! Clear-text permits for decrypted tunnel traffic (remote LAN -> inside
! subnets); presumably present because this IOS release re-checks decrypted
! packets against the inbound ACL.
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.100.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.16.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.8.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.2.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.100.0 0.0.0.255
! NOTE(review): 192.168.5.0 and 172.100.100.0 are /24 (0.0.0.255) everywhere
! else, but the rows toward 172.16.16.0, 172.16.6.0 and 172.16.5.0 use
! 0.0.0.31 -- apparently copied from the 192.168.50.0/27 rows. As written,
! hosts .32-.255 of those two remote LANs are dropped toward these three
! inside subnets.
access-list 101 permit ip 192.168.5.0 0.0.0.31 172.16.16.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.31 172.16.6.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.31 172.16.16.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.8.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.31 172.16.6.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.31 172.16.5.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 permit ip 172.100.100.0 0.0.0.255 172.16.1.0 0.0.0.255
! NOTE(review): 193.15.205.122 is left un-redacted while every other public
! address is masked; if it is this router's WAN address, mask it like the rest.
access-list 101 permit icmp any host 193.15.205.122 echo-reply
access-list 101 permit icmp any host 193.15.205.122 time-exceeded
access-list 101 permit icmp any host 193.15.205.122 unreachable
! Management from the Internet: telnet/SSH only from one trusted host, then
! explicit denies for the management ports and a final deny-all (explicit so
! that hits show up in the counters). Telnet is clear-text; prefer SSH only.
access-list 101 permit tcp host xxx.xxx.xxx.xxx host (IP Cisco1712) eq telnet
access-list 101 permit tcp host xxx.xxx.xxx.xxx host (IP Cisco1712) eq 22
access-list 101 deny tcp any host (IP Cisco1712) eq telnet
access-list 101 deny tcp any host (IP Cisco1712) eq 22
access-list 101 deny tcp any host (IP Cisco1712) eq www
access-list 101 deny tcp any host (IP Cisco1712) eq 443
access-list 101 deny tcp any host (IP Cisco1712) eq cmd
access-list 101 deny udp any host (IP Cisco1712) eq snmp
access-list 101 deny ip any any
! ACL 102 = crypto ACL for map entry 1 (peer 1): inside subnets <->
! 192.168.50.0/27 and 192.168.5.0/24. Peer 1 must hold the mirror image.
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.16.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.8.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.6.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.5.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.2.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.1.0 0.0.0.255 192.168.50.0 0.0.0.31
access-list 102 permit ip 172.16.100.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.16.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.6.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.5.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 192.168.5.0 0.0.0.255
! NOTE(review): "permit icmp any any" does not belong in a crypto ACL; remove
! it here and in 103 -- ICMP between the listed subnets is already covered by
! the "permit ip" rows above.
access-list 102 permit icmp any any
! ACL 103 = crypto ACL for map entry 2 (peer 2): inside subnets <-> 172.100.100.0/24.
access-list 103 permit ip 172.16.100.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.16.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.8.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.6.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.5.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.2.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit ip 172.16.1.0 0.0.0.255 172.100.100.0 0.0.0.255
access-list 103 permit icmp any any
! ACL 104 = vty access-class: two (redacted) hosts and four inside subnets may
! open a management session. Rows 1 and 2 are identical as pasted.
access-list 104 permit ip host xxx.xxx.xxx.xxx any
access-list 104 permit ip host xxx.xxx.xxx.xxx any
access-list 104 permit ip 172.16.2.0 0.0.0.255 any
access-list 104 permit ip 172.16.8.0 0.0.0.255 any
access-list 104 permit ip 172.16.5.0 0.0.0.255 any
access-list 104 permit ip 172.16.6.0 0.0.0.255 any
! ACL 105, inbound on Vlan100: management to the inside address 172.16.100.253
! only from four subnets, other management attempts denied, everything else
! (including LAN -> tunnel traffic) permitted.
! NOTE(review): the 172.16.6.0/24 rows have no "eq 22" line, unlike the other
! three subnets, so that subnet can telnet but not SSH -- likely unintended.
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq 22
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.2.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq 22
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.8.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq 22
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.5.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq telnet
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq www
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq 443
access-list 105 permit tcp 172.16.6.0 0.0.0.255 host 172.16.100.253 eq cmd
access-list 105 deny tcp any host 172.16.100.253 eq telnet
access-list 105 deny tcp any host 172.16.100.253 eq 22
access-list 105 deny tcp any host 172.16.100.253 eq www
access-list 105 deny tcp any host 172.16.100.253 eq 443
access-list 105 deny tcp any host 172.16.100.253 eq cmd
access-list 105 deny udp any host 172.16.100.253 eq snmp
access-list 105 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
!
line con 0
line aux 0
! vty 0-4: source filter 104, 30-minute idle timeout, shared line password.
! NOTE(review): "transport input telnet ssh" accepts clear-text telnet logins;
! once SSH is confirmed working use "transport input ssh". "login local" would
! authenticate against the username database instead of the line password.
line vty 0 4
access-class 104 in
exec-timeout 30 0
password xxxxxxx
login
transport input telnet ssh
transport output telnet ssh
!
end
Regards
Niclas Eliassen
niclas.eliassen@home.se