Cisco 2801

TECH-JEFF
Level 1

Hi, there is an existing Cisco 2801 tunneled (Site-to-Site VPN) to one of the main offices with a Cisco ASA. Can the 2801 router have two tunnels, or a separate tunnel (S2S), to a different site?

I'm basically trying to copy the commands from the Cisco 2801 router and saw this set of existing commands where the main and branch office are currently working/operational:


!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <branchoffice> address 66.xxx.xxx.xxx  --> WAN IP of main branch
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TEST ah-md5-hmac esp-des
crypto ipsec transform-set VPN ah-md5-hmac esp-3des
crypto ipsec transform-set VPN2 esp-3des esp-md5-hmac
!

Do I simply copy this set of commands, or do I need to create a crypto key just for this new tunnel?

Thanks

Jeff

Jefferson Co
8 Replies

Yes, you can configure multiple VPN-connections and use them at the same time.

If both VPN-peers are using the same crypto-parameters you just have to:

  • configure another PSK
  • configure another crypto ACL for the second VPN-traffic
  • configure a second sequence in the same crypto map that is already used (you can only have one crypto map on your interface)

Hi Jefferson,

As Karsten mentioned, yes it can; it can be done using crypto maps. Just verify that the IOS has no limitations.

It can be verified using this tool; I recommend selecting the platform:

http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp

:-)

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<

Joseph W. Doherty
Hall of Fame
BTW, in addition to what the other posters have noted, if the other VPN tunnels you desire are to other Cisco routers, you might be able to use VTI tunnels. Their configs don't require crypto maps and ACLs.

Thanks for all the inputs. Last question: if I create a new crypto isakmp policy, do I set this up as

crypto isakmp policy 2, since the existing (working) one is set to "1"?

Thanks

Jeff

Jefferson Co

You could, or leave a "gap" in numbering. If I remember correctly, peers will use the first policy they find that they have in common.

I was able to link the FG and this 2801 router; my next issue is why there isn't any traffic running. Is there a way to check whether an ACL is blocking it or isn't set on this router?

On the Fortigate, I already created a policy for both incoming and outgoing.

Thanks

Jeff

Jefferson Co

What I normally do is first ensure each tunnel end-point can ping the other end-point outside the tunnel.

Second, I start to enable various crypto debug commands to see if there's any "action" for the tunnel.

If logging is enabled on your 2801 (and I would suggest that for this issue you might want to set the severity level to debug) then you might look at the logs and see if that identifies any issue. The suggestion from Joseph about running crypto debugs is good and I would suggest using some show crypto commands to see if the ISAKMP negotiation was successful and whether any IPsec SA was negotiated.

We know very little about how the 2801 is configured. If the original poster would post the config (at least all parts related to interfaces, NAT, and crypto) we might get more insight into the issue.

HTH

Rick
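What Karsten's three steps (second PSK, second crypto ACL, second sequence in the one crypto map) and Rick's show/debug checks look like together on IOS, as an added example that is not configuration from anyone in this thread. Peer addresses, pre-shared keys, the crypto map name and sequence numbers, the ACL names and the LAN subnets are placeholders or constructed values; it assumes ip nat inside/outside are already set on the interfaces.

```cisco
! Existing Phase 1 policy stays as it is; a second policy is only needed if
! the new peer cannot match these parameters (IOS tries policies in priority order).
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
! One pre-shared key per peer; <MAIN-WAN-IP>, <FG-WAN-IP> and the keys are placeholders.
crypto isakmp key <main-office-psk> address <MAIN-WAN-IP>
crypto isakmp key <fortigate-psk> address <FG-WAN-IP>
!
crypto ipsec transform-set VPN2 esp-3des esp-md5-hmac
!
! One crypto ACL per tunnel. 192.168.1.0/24 is a constructed local LAN,
! 10.0.0.0/24 and 10.0.1.0/24 constructed remote LANs behind each peer.
ip access-list extended VPN-TO-MAIN
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended VPN-TO-FG
 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
!
! Exempt tunnel traffic from NAT: IOS translates inside-to-outside before it checks
! the crypto ACL, so NATed packets never match and the tunnel stays idle
! (assumes ip nat inside/outside are already set on the interfaces).
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! A single crypto map on the WAN interface; each peer gets its own sequence number.
crypto map VPNMAP 10 ipsec-isakmp
 set peer <MAIN-WAN-IP>
 set transform-set VPN2
 match address VPN-TO-MAIN
crypto map VPNMAP 20 ipsec-isakmp
 set peer <FG-WAN-IP>
 set transform-set VPN2
 match address VPN-TO-FG
!
interface FastEthernet0/0
 crypto map VPNMAP
!
! Checks from privileged EXEC once interesting traffic has been sent:
!  show crypto isakmp sa                  -> peer should show state QM_IDLE
!  show crypto ipsec sa peer <FG-WAN-IP>  -> #pkts encaps/decaps should be counting up
!  show access-lists VPN-TO-FG            -> match count proves the crypto ACL is hit
!  debug crypto isakmp / debug crypto ipsec -> phase 1 / phase 2 errors for a failing peer
```

3DES with MD5 is kept only because it matches the existing peer configuration quoted in the question; for a new tunnel, use AES and SHA-2 wherever both peers support them.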