Ipsec on ASR 1004

Rafi Shemesh
Level 1

Hi,

I have an ASR 1004 running "asr1000rp1-adventerprisek9.03.03.01.S.151-2.S1.bin".

Today I have an IPsec VPN that works on the WAN interface; I need to add one more IPsec VPN.

Can I use two IPsec (crypto map) entries on the same interface?

Current configuration:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address xxxxxxx
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set xxx-vpn esp-3des esp-md5-hmac
!
crypto map xxxxxxx 1 ipsec-isakmp
set peer xxxxxxx
set security-association lifetime seconds 7200
set transform-set xxxx
match address xxxx

interface TenGigabitEthernet1/1/0.2201
crypto map xxxxx

ip access-list extended xxxxx
permit ip host xxxxxxx host xxxxxx log
permit ip host xxxxx host xxxxxx

8 Replies

nagasheshu2010
Level 1

You should be able to do the following.

crypto map xxxxxxx 2 ipsec-isakmp - Create another isakmp profile with the same crypto map name and a different number

set peer xxxxxxx - Define the second peer IP

set security-association lifetime seconds 7200 - This is optional

set transform-set xxxx - You can use the same transform set or define a new one and refer to it here.

match address xxxx - You can refer to the same ACL or define a new one and refer to it here.

And make sure there is the following line for the new peer IP address.

crypto isakmp key xxxxxxxxx address xxxxxxx

The rest should all be the same.

Hope this helps.

Regards,

Sheshu.

Hi,

If I understood you, this should be my second IPsec configuration.

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set yyyy esp-3des esp-md5-hmac

crypto isakmp key 12345 address x.x.x.x

crypto map new-vpn 2 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime seconds 7200
set transform-set yyyy
match address new-acl

But now I need to "put" the second crypto map on the same WAN interface. Is it possible?

interface TenGigabitEthernet1/1/0.2201
crypto map first-ipsec

crypto map second-ipsec

Or did you mean this?

crypto map old-vpn-name 2 ipsec-isakmp
set peer new-peer-ip
set security-association lifetime seconds 7200
set transform-set new
match address new-acl

crypto isakmp key 12345 address new-peer-ip

interface TenGigabitEthernet1/1/0.2201
crypto map old-vpn-name

What about the crypto isakmp policy? Is it the same for both IPsec VPNs?

Thanks for the quick response

This is what I meant.

crypto map old-vpn-name 2 ipsec-isakmp
set peer new-peer-ip
set security-association lifetime seconds 7200
set transform-set new
match address new-acl

crypto isakmp key 12345 address new-peer-ip

interface TenGigabitEthernet1/1/0.2201
crypto map old-vpn-name

"What about the crypto isakmp policy? Is it the same for both IPsec VPNs?" - Yes, it would be the same for both IPsec VPNs.

Hope this helps.

Regards,

Sheshu.

Hi Sheshu,

I will try this.

thank you very much :)

Hi,

Sorry, the requirements changed. I'll be grateful if you can answer me.

I need to use a different isakmp policy because IPsec VPN 2 has different requirements.

1.) As far as I know, in "crypto isakmp policy zz" the zz is a priority number. Can I have two isakmp policies?

2.) See the attached full configuration of both IPsec VPNs. Can it work this way?

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html

Yes, you can do this as well, as far as I know.

What happens is that the router will look at the peer's isakmp settings and compare them to its own policies one by one, looking for an exact match. If a match is found, it will go further and create the tunnel; otherwise it will not.

Regards,

Sheshu.
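Putting the two answers above together, here is a constructed configuration (added here; it is not from either poster and not from the original thread) showing one crypto map with two entries, each peer with its own isakmp policy, pre-shared key, transform set and ACL, applied once to the WAN sub-interface. Peer addresses, key strings, ACL contents and names are placeholders I made up.

```cisco
! Constructed example: two IPsec peers on one WAN sub-interface.
! Addresses, keys and names are placeholders, not values from the thread.
!
! Two ISAKMP policies; the number is the priority, lower is tried first.
! Policy 1 keeps the legacy 3DES/MD5 the thread uses, policy 2 is AES/SHA.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 14
!
! One pre-shared key per peer, bound to that peer's address.
crypto isakmp key PLACEHOLDER-KEY-A address 198.51.100.10
crypto isakmp key PLACEHOLDER-KEY-B address 203.0.113.20
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set TS-A esp-3des esp-md5-hmac
crypto ipsec transform-set TS-B esp-aes 256 esp-sha-hmac
!
! Same map name, different sequence numbers: entry 1 is evaluated first,
! so the two match ACLs must not overlap.
crypto map WAN-MAP 1 ipsec-isakmp
 set peer 198.51.100.10
 set security-association lifetime seconds 7200
 set transform-set TS-A
 match address ACL-PEER-A
crypto map WAN-MAP 2 ipsec-isakmp
 set peer 203.0.113.20
 set security-association lifetime seconds 7200
 set transform-set TS-B
 match address ACL-PEER-B
!
ip access-list extended ACL-PEER-A
 permit ip host 10.1.1.10 host 10.2.2.10
ip access-list extended ACL-PEER-B
 permit ip host 10.1.1.20 host 10.3.3.20
!
! The map is applied once; an interface takes a single crypto map,
! and a second "crypto map" line would replace the first.
interface TenGigabitEthernet1/1/0.2201
 crypto map WAN-MAP
```

After applying it, "show crypto map" lists both entries under WAN-MAP and "show crypto isakmp sa" shows which policy each peer negotiated, which is the quickest way to confirm that the policy match described above actually happened.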

Thanks again,

I'll try in a few days and let you know.

Regards

Rafi

Hi,

It seems that the solution is correct, but unfortunately, after a conversation with the operator, it turned out that they forgot to tell me that Azure works only with route-based IPsec (VTI tunnel).

My question is: if I already have a policy-based peer on my router, is there a problem with running both IPsec modes, policy-based and route-based, on the same router?

Regards

Rafi
