06-20-2016 12:57 AM - edited 03-05-2019 04:15 AM
Hi,
I have an ASR 1004 ("asr1000rp1-adventerprisek9.03.03.01.S.151-2.S1.bin").
Today I have an IPsec VPN which works on the WAN interface, and I need to add one more IPsec VPN.
Can I use two IPsec (crypto map) on the same interface?
Current configuration:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address xxxxxxx
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set xxx-vpn esp-3des esp-md5-hmac
!
crypto map xxxxxxx 1 ipsec-isakmp
 set peer xxxxxxx
 set security-association lifetime seconds 7200
 set transform-set xxxx
 match address xxxx
interface TenGigabitEthernet1/1/0.2201
 crypto map xxxxx
ip access-list extended xxxxx
 permit ip host xxxxxxx host xxxxxx log
 permit ip host xxxxx host xxxxxx
06-20-2016 01:34 AM
You should be able to do the following.
crypto map xxxxxxx 2 ipsec-isakmp - Create another isakmp profile with crypto map name and different number
set peer xxxxxxx - Define second peer IP
set security-association lifetime seconds 7200 - this is optional
set transform-set xxxx - you can use same transform set or define new one and refer here.
match address xxxx - you can refer same ACL or define new one and refer here.
And make sure there is the following line for the new peer IP address.
crypto isakmp key xxxxxxxxx address xxxxxxx
The rest should all be the same.
Hope this helps.
Regards,
Sheshu.
06-20-2016 02:01 AM
Hi,
If I understood you, this should be my second IPsec configuration.
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set yyyy esp-3des esp-md5-hmac
crypto isakmp key 12345 address x.x.x.x
crypto map new-vpn 2 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 7200
 set transform-set yyyy
 match address new-acl
But now I need to "put" the second crypto map on the same WAN interface. Is it possible?
interface TenGigabitEthernet1/1/0.2201
 crypto map first-ipsec
 crypto map second-ipsec
Or did you mean?
crypto map old-vpn-name 2 ipsec-isakmp
 set peer new-peer-ip
 set security-association lifetime seconds 7200
 set transform-set new
 match address new-acl
crypto isakmp key 12345 address new-peer-ip
interface TenGigabitEthernet1/1/0.2201
 crypto map old-vpn-name
What about the crypto isakmp policy? Is it the same for both IPsec?
Thanks for the quick response.
06-20-2016 04:13 AM
This is what I meant.
crypto map old-vpn-name 2 ipsec-isakmp
 set peer new-peer-ip
 set security-association lifetime seconds 7200
 set transform-set new
 match address new-acl
crypto isakmp key 12345 address new-peer-ip
interface TenGigabitEthernet1/1/0.2201
 crypto map old-vpn-name
"What about the crypto isakmp policy? Is it the same for both IPsec?"
Yes, it would be the same for both IPsec.
Hope this helps.
Regards,
Sheshu.
06-20-2016 04:31 AM
Hi Sheshu,
I will try this.
Thank you very much :)
06-20-2016 06:46 AM
Hi,
Sorry, the requirements changed. I'll be grateful if you can answer me.
I need to use a different isakmp policy because IPsec VPN 2 has different requirements.
1.) As far as I know, in crypto isakmp policy zz the zz is the priority number. Can I have two isakmp?
2.) See the attached full configuration of both IPsec. Can it work this way?
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
06-20-2016 06:49 AM
Yes, you can do this as well, as far as I know.
What happens is the router will look at the peer's isakmp settings, compare them to its own policies one by one, and look for an exact match. If a match is found, it will go further and create the tunnel; otherwise not.
Regards,
Sheshu.
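The policy matching described in the reply above, modelled as an added example (not code from the thread or from Cisco): it parses `crypto isakmp policy` blocks, fills in the values IOS uses for omitted parameters, and returns the first local policy, in priority order, that a peer proposal matches exactly. Policy 2's values, the defaults table and the function names are assumptions made for illustration.

```python
import re

# Values applied when a policy block omits a parameter (assumption: classic
# IOS IKEv1 defaults; confirm on the device with "show crypto isakmp policy").
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

# Constructed sample: policy 1 as posted in the thread, policy 2 hypothetical.
CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
"""

def parse_policies(config):
    """Return {priority: {encr, hash, authentication, group}} from config text."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key == "encryption":      # long form of the same keyword
                key = "encr"
            if key in DEFAULTS:
                current[key] = value
        else:
            current = None               # left the policy block
    return policies

def select_policy(local, peer_proposals):
    """Walk local policies from the lowest number (highest priority) and return
    (priority, proposal) for the first one the peer also offered, else None."""
    for priority in sorted(local):
        for proposal in peer_proposals:
            if all(local[priority][k] == proposal[k] for k in DEFAULTS):
                return priority, proposal
    return None
```

Policy 1 in the thread has no `hash` line, so it is treated as `sha`; the `esp-md5-hmac` in the transform set applies to phase 2 only, which is why a peer proposing MD5 for IKE finds no match here.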
06-20-2016 06:54 AM
Thanks again,
I'll try in a few days and let you know.
Regards
Rafi
06-23-2016 07:36 AM
Hi,
It seems that the solution is correct, but unfortunately, after a conversation with the operator, it turned out that they forgot to tell me that Azure works only with route-based IPsec (VTI tunnel).
My question is: if I already have a policy-based peer in my router, is there a problem working with both IPsec modes, policy-based and route-based, on the same router?
Regards
Rafi