01-04-2018 11:37 AM - edited 03-05-2019 09:43 AM
Hi, there is an existing Cisco 2801 tunneled (Site-to-Site VPN) to one of the main offices with a Cisco ASA. Can the 2801 router have a second, separate tunnel (S2S) to a different site?
I'm basically trying to copy the commands from the Cisco 2801 router and saw this set of existing commands, where the main and branch office are currently working/operational:
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <branchoffice> address 66.xxx.xxx.xxx --> WAN IP of main branch
!
!
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TEST ah-md5-hmac esp-des
crypto ipsec transform-set VPN ah-md5-hmac esp-3des
crypto ipsec transform-set VPN2 esp-3des esp-md5-hmac
!
Do I simply copy this set of commands, or do I need to create a crypto key just for this new tunnel?
Thanks
Jeff
01-04-2018 02:12 PM
Yes, you can configure multiple VPN-connections and use them at the same time.
If both VPN-peers are using the same crypto-parameters you just have to:
01-04-2018 04:50 PM - edited 01-04-2018 04:52 PM
Hi Jefferson,
As Karsten mentioned, yes, it can be done using crypto maps. Just verify that the IOS has no limitations.
It can be verified using this tool; I recommend selecting the platform:
http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/SearchBySoftware.jsp
:-)
01-05-2018 05:12 AM
01-05-2018 10:21 AM
Thanks for all the inputs. Last question: if I create a new crypto isakmp policy, do I set this up as
crypto isakmp policy 2, since the existing (working) one is set to "1"?
Thanks
Jeff
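The following is an added configuration example, not taken from Jeff's router or from any reply in the thread. It shows one way to add a second site-to-site tunnel on an IOS router that already has a crypto-map based tunnel: a second ISAKMP policy (the policy number is only a priority/ordering key, so "2" is fine), a separate pre-shared key bound to the new peer's address, a new crypto ACL, a NAT exemption for the new subnet, and a new sequence number in the existing crypto map. Only one crypto map can be applied to an interface, so the second tunnel is added as another entry in the same map rather than a second map. All names and addresses (VPNMAP, VPN-TO-SITEB, NAT-ACL, 203.0.113.10, the 192.168.x.0 subnets, FastEthernet0/0) are assumptions; the existing map name and interface must be taken from the running config. The example uses AES/SHA/group 14 rather than copying the DES/3DES/MD5 parameters shown above; these require an IOS image that supports them, which is what the CFN tool linked earlier can confirm.

```cisco
! --- Phase 1 (IKEv1) policy for the new peer; "2" is just a priority, it does not
!     need to match anything on the far end, but the parameters inside it must.
crypto isakmp policy 2
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! --- A separate pre-shared key, scoped to the new peer's WAN address (assumed
!     203.0.113.10). Keys are matched by peer address, so the existing key for
!     the main office is untouched.
crypto isakmp key <NEW-PEER-PSK> address 203.0.113.10
!
! --- Phase 2 transform set for the new tunnel (assumed name)
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- "Interesting traffic": local LAN to the new remote LAN only.
!     The far end must have the exact mirror image of this ACL.
ip access-list extended VPN-TO-SITEB
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! --- NAT exemption (assumed existing NAT ACL name). Without the deny line the
!     VPN traffic is overloaded to the WAN address before encryption and never
!     matches the crypto ACL, which is a common reason a tunnel comes up but
!     carries no traffic.
ip access-list extended NAT-ACL
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
! --- New entry in the EXISTING crypto map (assumed name VPNMAP). Use a sequence
!     number not already in use; the main-office entry keeps its own sequence.
crypto map VPNMAP 20 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES-SHA
 set pfs group14
 match address VPN-TO-SITEB
!
! --- The map is already bound to the WAN interface; re-applying it is harmless
!     and shown here only for completeness (assumed interface name).
interface FastEthernet0/0
 crypto map VPNMAP
```

The route to the remote subnet must also point out the WAN interface (or a default route must cover it), since a crypto map only encrypts traffic that is already being forwarded out of the interface it is applied to.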
01-05-2018 12:26 PM
01-09-2018 10:41 AM
I was able to link the FG and this 2801 router; my next issue is why there isn't any traffic running. Is there a way to check if an ACL is blocking or not set on this router?
On the Fortigate, I already created a policy for both incoming and outgoing.
Thanks
Jeff
01-10-2018 02:56 AM - edited 01-11-2018 08:07 AM
What I normally do is first ensure each tunnel end-point can ping the other end-point outside the tunnel.
Second, I start to enable various crypto debug commands to see if there's any "action" for the tunnel.
01-11-2018 07:55 AM
If logging is enabled on your 2801 (and I would suggest that for this issue you might want to set the severity level to debug) then you might look at the logs and see if that identifies any issue. The suggestion from Joseph about running crypto debugs is good and I would suggest using some show crypto commands to see if the ISAKMP negotiation was successful and whether any IPsec SA was negotiated.
We know very little about how the 2801 is configured. If the original poster would post the config (at least all parts related to interfaces, to NAT, and with crypto) we might get more insight into the issue.
HTH
Rick
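As an added example (not part of Rick's or Joseph's replies), this is a verification sequence on the IOS side that checks each stage Joseph and Rick describe: reachability of the peer outside the tunnel, ISAKMP (phase 1) state, IPsec (phase 2) SAs and their packet counters, whether the crypto ACL is seeing hits, and whether NAT is grabbing the traffic first. The ACL name, peer address and subnets are the same assumed values as in the configuration example above; substitute the ones from the running config.

```cisco
! --- 1. Peer reachable outside the tunnel? (assumed peer address)
ping 203.0.113.10
!
! --- 2. Phase 1: a line with state QM_IDLE for the peer means ISAKMP completed.
!        MM_NO_STATE or no entry at all points at policy/PSK mismatch or a
!        blocked UDP/500 (or UDP/4500 when NAT-T is in play).
show crypto isakmp sa
!
! --- 3. Phase 2: look for the local/remote ident proxies matching the crypto
!        ACL, and at "#pkts encaps" / "#pkts decaps". Encaps rising with decaps
!        at zero means traffic leaves but nothing comes back (far-end ACL/policy
!        or routing). Both at zero means the router never classifies the traffic
!        as interesting.
show crypto ipsec sa peer 203.0.113.10
!
! --- 4. Is the crypto map entry and its ACL what you think it is?
show crypto map
show access-lists VPN-TO-SITEB
!
! --- 5. Generate traffic from the LAN side and watch the counters move.
!        Sourcing from the inside address matters: a plain ping from the WAN
!        address does not match the crypto ACL.
ping 192.168.20.1 source 192.168.10.1
show crypto ipsec sa peer 203.0.113.10 | include pkts
!
! --- 6. If counters stay at zero, check whether NAT is translating the
!        VPN-bound packets before the crypto map sees them.
show ip nat translations | include 192.168.20
!
! --- 7. Only when the above is inconclusive: negotiation debugs, with logging
!        buffered so nothing is lost on the console. Turn them off afterwards.
logging buffered 65536 debugging
debug crypto isakmp
debug crypto ipsec
! ... reproduce the problem ...
undebug all
show logging
```

Working through the commands in this order localises the fault to one layer (transport, phase 1, phase 2, classification/NAT, or return path) before enabling debugs, which on a 2801 under load can be noisy.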