05-12-2013 01:44 PM - edited 03-04-2019 07:52 PM
Hello Expert,
Currently I have a Cisco 2921 router and one active site-to-site VPN connection through the internet.
My question is: how can I create another IPsec site-to-site VPN connection? I have to keep the 1st VPN connection active.
Much appreciate your support.
05-12-2013 10:19 PM
Hello:
Assuming that this new tunnel terminates on the same local interface as your existing tunnel, you just need to use the same crypto map name that is already in use. For example, if you have a crypto map called 'MYMAP' already in use, add your new phase 2 config using the same name but a higher sequence number.
crypto map MYMAP 10 ipsec-isakmp
description This is the existing production VPN
set peer www.xxx.yyy.zzz
set transform-set MYSET
match address 100
!
crypto map MYMAP 20 ipsec-isakmp
description This is the new VPN to be added
set peer aaa.bbb.ccc.ddd
! MYSET can be reused here, or a different transform-set can be referenced
set transform-set MYSET
match address 150
Access-list 100 defines your existing site-to-site VPN traffic, and 150 will define the new VPN's traffic. Also, if you are using pre-shared keys for your tunnels, you would add a key for the new peer. If your existing PSK was defined as:
crypto isakmp key ABCXYZPDQ address www.xxx.yyy.zzz no-xauth
you would add a new entry using your new peer address
crypto isakmp key PASSWORD2 address aaa.bbb.ccc.ddd no-xauth
If the phase 1 policy is the same as the existing tunnel's, you do not need to add anything there; if not, you will need to add a new phase 1 policy with a new sequence number. So, if your original tunnel uses 3DES encryption with an SHA-1 hash, the config would look something like this (SHA is the default, so it is not listed):
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
To add another phase 1 policy if your new tunnel requires a different lifetime or an MD5 hash, for example:
crypto isakmp policy 20
encr 3des
authentication pre-share
hash md5
lifetime 86400
You will not need to change the way that the crypto map is applied to the router interface.
HTH,
Paul
05-13-2013 12:25 PM
Hello Paul,
Thanks a lot for your prompt advice! Much appreciate it.
So far so good. I have one more question: currently I am using one of the physical interfaces for the VPN map, and for the next step I want to use Tunnel interfaces instead of the physical interface for both (OLD & NEW) VPNs.
Can you help me with this migration please?
Moreover Paul, when I do show run I can find three Tunnel (0, 1 & 10) interfaces.
much appreciate your support.
Best Regards,
Hardi
05-13-2013 04:49 PM
Hi Hardi-
Are you saying that you already have three tunnel interfaces configured, but they are not being used? If so, you can just delete them.
Everything above stays the same -- you just need to add two tunnel interfaces, which I'll call 100 and 200 in the example below. The only interesting thing to note is the private IP addresses that I used in the example below for the tunnel interfaces; the other end of the tunnel will need to have corresponding addresses.
crypto isakmp key peeronepassword address aaa.bbb.ccc.ddd
crypto isakmp key peertwopassword address www.xxx.yyy.zzz
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map MYMAP 100 ipsec-isakmp
description To Peer One
set peer aaa.bbb.ccc.ddd
set transform-set MYSET
match address PEER_ONE_ACL
crypto map MYMAP 200 ipsec-isakmp
description To Peer Two
set peer www.xxx.yyy.zzz
set transform-set MYSET
match address PEER_TWO_ACL
interface Tunnel100
description Tunnel to Peer One
ip address 10.0.0.1 255.255.255.252
ip mtu 1440
keepalive 2 3
tunnel source GigabitEthernet0/2
tunnel destination aaa.bbb.ccc.ddd
!
interface Tunnel200
description Tunnel to Peer Two
ip address 10.0.0.5 255.255.255.252
ip mtu 1440
keepalive 2 3
tunnel source GigabitEthernet0/2
tunnel destination www.xxx.yyy.zzz
interface GigabitEthernet0/2
description Outbound Interface
ip address bbb.ccc.ddd.eee 255.255.255.252
crypto map MYMAP
Let me know if that helps,
Paul
05-14-2013 03:01 AM
Hello Paul,
Thanks a lot for your prompt reply.
I will apply your above configuration in the coming few days, and I will let you know about the result.
One question please: I wonder whether the end-users have the ability to access both VPNs simultaneously?
Many thanks,
Hardi
05-14-2013 07:37 AM
Hardi-
I should have mentioned that in this setup, you are running your encryption through GRE tunnels, and as such you will need to have routing in place to access the nodes at the ends of the tunnels.
The ACLs allow GRE to set up the tunnels. So, the ACLs would look like this:
ip access-list extended PEER_ONE_ACL
permit gre host bbb.ccc.ddd.eee host aaa.bbb.ccc.ddd
ip access-list extended PEER_TWO_ACL
permit gre host bbb.ccc.ddd.eee host www.xxx.yyy.zzz
Once the tunnels are up, you can either put static routes in place on both sides (your router and the peer router) to reach the networks that you require, or you can run a dynamic routing protocol such as BGP or OSPF through the tunnel.
If you need help with this, please respond with a list of the subnets on both sides, or preferably a diagram that includes this info, and I will be happy to help you.
To answer your question above: yes, your users will be able to access nodes through both tunnels simultaneously. If you have a requirement that nodes on the far ends of both tunnels be able to talk to each other, it is not as straightforward, and we need to add some additional configuration.
Paul
05-14-2013 12:35 PM
Hello paul,
Thanks a lot for your support.
I am sending you the topology of my network as well as the subnets of both ends.
God bless you. Much appreciate your support.
Best Regards,
Hardi
05-15-2013 04:24 AM
Hello Paul,
Currently I am facing some issues with my current VPN; can you please help me in resolving them?
Below are some messages:
- %CRYPTO-4-IKMP_NO_SA: IKE message from (Pub IP address) has no SA and is not an initialization offer.
- %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=MY PUB IP ADDRESS, prot=50, spi=0xE8798B55(3900279637), srcaddr=PEER PUB IP ADDRESS, input interface=GigabitEthernet0/0.
If it is possible, please help me in improving and optimizing the security & VPN configuration on my 2921 ISR router.
Regarding the above information, I will come back to you soon.
Much appreciate your support and dedicated effort.
Many thanks,
Hardi
05-15-2013 07:49 AM
Hardi-
Please post your entire config, with any sensitive information removed. I will try to help.
thanks,
Paul
05-15-2013 08:32 AM
hello Paul,
I attached a copy of my router configuration; please have a review and let me know about the weak points in the configuration.
Many thanks,
Hardi
2921_router#show running-config
Building configuration...
Current configuration : 9178 bytes
!
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 2921_router
!
boot-start-marker
boot config usbflash1:ZTD-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200
logging console critical
!
no aaa new-model
!
clock timezone PCTime 3 0
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool data-pool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 4.2.2.2 8.8.8.8
lease 0 2
!
!
no ip bootp server
no ip domain lookup
ip domain name hts.com
login block-for 120 attempts 2 within 60
!
multilink bundle-name authenticated
!
!
!
!
username user privilege 15 secret password
!
voice-card 0
!
!
!
!
!
!
!
hw-module pvdm 0/0
!
!
redundancy
!
!
!
!
ip tcp synwait-time 10
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key KEY123 address (PEER Pub.IP)
!
crypto ipsec security-association idle-time 28800
!
crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac
!
crypto map KK 1 ipsec-isakmp
description "FOR HQ SERVER CONNECTION"
set peer (PEER Pub.IP)
set security-association lifetime seconds 28800
set transform-set VPN1
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description "ES_WAN_FW_OUTSIDE"
no ip dhcp client request tftp-server-address
ip address (My PUb. IP ADDRESS)
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map KK
!
interface GigabitEthernet0/1
description description "ETH-SW-LAUNCH_INTF-Gig0/0-HWIC NMCSW1"
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/0/0
ip address 10.10.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
!ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 int gig 0/0
!
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit ip any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any eq isakmp any
access-list 102 permit esp any any
access-list 102 permit icmp any any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit tcp any any
access-list 102 permit udp any any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit tcp any eq 443 any
access-list 102 permit ip any any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
!
no cdp run
!
!
!
!
!
control-plane
!
!
voice-port 0/1/0
!
voice-port 0/1/1
!
voice-port 0/1/2
!
voice-port 0/1/3
!
voice-port 0/2/0
!
voice-port 0/2/1
!
voice-port 0/2/2
!
voice-port 0/2/3
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
exec-timeout 3 0
privilege level 15
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
05-19-2013 05:51 PM
Hardi-
I apologize for my absence - I was away for a few days.
Looking quickly at the above config, I see no major problems. Is your tunnel up and passing traffic right now?
Also, what is your reason for converting this config to use GRE tunnels? Do you have the requirement to run a routing protocol between sites?
Paul
By the way, this is a good link for securing your router: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
05-25-2013 01:07 PM
Hello Paul,
Sorry for my absence, too.
Currently the tunnel is UP, but most of the time there is no ISAKMP SA state; in the meantime I have a VPN connection between the two peers, and it is passing traffic.
Now I want to make another site-to-site VPN connection, as I mentioned previously; by then my router will have VPN connections to two different routers in different locations.
Regarding the above configuration, I think it is not quite strong, in my opinion, and I'd like to add more security options to it.
many thanks in advance,
Hardi