Pix 515e site 2 site VPN
17 years 10 months ago #19115
by psiclonius
Hi,
First off, this is my first site 2 site I have set up from start to finish. I want to set up a tunnel with a client to access their mainframe. My inside addresses allowed through will be 192.168.16.8/29, and access 2 IPs on the client's side. In PDM I created 2 object groups called Baptistinside (192.168.16.8/29) and Baptist outside (mainframe and intranet side). We agreed on the following policy:
IKE
3DES
Pre-shared keys
SHA/HMAC-128
DH-Group Group2
Lifetime 86400
IPSec
ESP/SHA/HMAC-128
3DES
lifetime 28800
I had an IKE policy that met the requirement. I created a new transform set in PDM called baptist (command preview):
'crypto ipsec transform-set Baptist esp-3des esp-sha-hmac'
Then I created an IPSec rule (in PDM) using the object groups I created.
access-list nonat line 12 permit ip object-group Baptistinside object-group Baptist_outside
nat (inside) 0 access-list nonat
access-list outside_cryptomap_22 remark Rule to access Batist Health System Imageing 10.x.x.x and mainframe 10.x.x.x
access-list outside_cryptomap_22 permit ip object-group Baptistinside object-group Baptist_outside
crypto map P2PVPNS 22 set peer 70.x.x.x
crypto map P2PVPNS 22 match address outside_cryptomap_22
crypto map P2PVPNS 22 set transform-set Baptist
crypto map P2PVPNS 22 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map P2PVPNS interface outside
but it returns this:
[OK] access-list nonat line 12 permit ip object-group Baptistinside object-group Baptist_outside
[OK] nat (inside) 0 access-list nonat
[OK] access-list outside_cryptomap_22 remark Rule to access Batist Health System Imageing 10.x.x.x and mainframe 10.x.x.x
[OK] access-list outside_cryptomap_22 permit ip object-group Baptistinside object-group Baptist_outside
[ERR]crypto map P2PVPNS 22 set peer 70.x.x.x
WARNING: This crypto map is incomplete.
To remedy the situation add a peer and a valid access-list to this crypto map.
[OK] crypto map P2PVPNS 22 match address outside_cryptomap_22
[OK] crypto map P2PVPNS 22 set transform-set Baptist
[OK] crypto map P2PVPNS 22 set security-association lifetime seconds 28800 kilobytes 4608000
[OK] crypto map P2PVPNS interface outside
Not sure what I'm doing wrong?
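An added example, not part of the original post: a Python replay of the posted commands that models the warning by its own text (an entry needs a peer and a valid access-list) and separates entries that were incomplete only while being built from entries still incomplete at the end. The function names, the assumption that the check runs after every command, and the extra transform-set check at the end are assumptions of this example, not documented PIX behaviour.

```python
import re

# Constructed input: the commands quoted in the post, in the order PDM sent them.
POSTED = """\
crypto ipsec transform-set Baptist esp-3des esp-sha-hmac
access-list outside_cryptomap_22 permit ip object-group Baptistinside object-group Baptist_outside
crypto map P2PVPNS 22 set peer 70.x.x.x
crypto map P2PVPNS 22 match address outside_cryptomap_22
crypto map P2PVPNS 22 set transform-set Baptist
crypto map P2PVPNS 22 set security-association lifetime seconds 28800 kilobytes 4608000
crypto map P2PVPNS interface outside
""".splitlines()

ENTRY = re.compile(r"crypto map (\S+) (\d+) (set peer|match address|set transform-set) (\S+)")

def gaps(entry, acls):
    """Parts the warning text names: a peer and a valid (defined) access-list."""
    found = []
    if "set peer" not in entry:
        found.append("peer")
    if entry.get("match address") not in acls:
        found.append("access-list")
    return found

def replay(commands):
    """Return (lines that left an entry incomplete, entries still incomplete at the end)."""
    acls, tsets, entries, transient = set(), set(), {}, []
    for line in map(str.strip, commands):
        words = line.split()
        if line.startswith("access-list ") and len(words) > 2 and words[2] != "remark":
            acls.add(words[1])
        elif line.startswith("crypto ipsec transform-set "):
            tsets.add(words[3])
        m = ENTRY.match(line)
        if m:
            name, seq, kind, value = m.groups()
            entry = entries.setdefault((name, int(seq)), {})
            entry[kind] = value
            # Assumption: the entry is re-checked after every command that touches it.
            if gaps(entry, acls):
                transient.append(line)
    final = {}
    for key, entry in entries.items():
        problems = gaps(entry, acls)
        if entry.get("set transform-set") not in tsets:
            problems.append("transform-set")  # extra check, not named in the warning
        if problems:
            final[key] = problems
    return transient, final
```

Calling `replay(POSTED)` returns the `set peer` line as the only one that left entry 22 incomplete, and an empty dictionary of entries still incomplete once all commands have been applied.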