11-27-2021 10:52 AM
Hello,
I have a scenario with a router with an internet line with two public IP addresses routed on it.
I want to create two different VPNs on the two loopbacks with the same remote peer for different types of traffic.
The problem is that only one crypto map applies to the WAN interface, and I can only apply one source loopback.
I wanted to know if there is a possible solution.
thanks,
Ashley
11-27-2021 11:25 AM
Hello,
Crypto maps are considered, sort of, legacy. Why don't you configure VTIs and tunnel interfaces?
Can you post the running configs of both peers?
11-27-2021 11:32 AM
My experience is that when using crypto maps, trying to have two separate VPNs to the same remote peer does not work. I have not tried two separate VTIs to the same peer, but that would seem to be your best option.
11-27-2021 09:29 PM
Hello George,
I agree the VTI would be the preferred solution in a full Cisco solution.
Unfortunately, these are third-party companies where we do not have control of the config and equipment.
Some third-party endpoints support VTI, but not all.
But agreed, VTI is the best solution within an internal organisation.
11-27-2021 05:38 PM
follow
11-27-2021 07:10 PM
Attached is an example of using FlexVPN hub and client. The flex client has 49 IKEv2 sessions to the hub. This was used in a lab to simulate multiple IKEv2 clients going to a FlexVPN hub, but could be scaled back for your use case as well. The 192.168.77.X addresses (in the config below) are loopback interfaces on the client that represent the IKEv2 endpoint and tunnel source address. This solution passed most of the attributes over RADIUS. If you are not using RADIUS, then local attributes may need to be added to the config.

lab-csr7#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
34        192.168.77.35/500     10.64.1.203/500       none/MGMT-OVERLAY3   READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1320 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
18        192.168.77.31/500     10.64.1.203/500       none/MGMT-OVERLAY3   READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1324 sec
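To make the route-based alternative to crypto maps concrete (the VTI suggestion above and the two-loopback IKEv2 sessions in the show output), here is an added IOS configuration example; it is not the attached lab config or anything posted in this thread. It assumes the two loopbacks 192.168.77.31 and 192.168.77.35, the peer 10.64.1.203 and the tunnel /30 addresses, uses a placeholder pre-shared key, and requires a peer that supports route-based (VTI) IPsec, which the thread notes not every third party does.

```cisco
! Added example (not from the thread). Assumed: loopbacks .31/.35, peer 10.64.1.203, placeholder PSK.
crypto ikev2 proposal PROP-AES256-SHA512
 encryption aes-cbc-256
 integrity sha512
 group 19
crypto ikev2 policy POL-VTI
 proposal PROP-AES256-SHA512
crypto ikev2 keyring KR-PEER
 peer REMOTE-PEER
  address 10.64.1.203
  pre-shared-key REPLACE-WITH-STRONG-PSK
! One IKEv2 profile per loopback. "match address local" is what lets the router
! pick the right profile when both sessions come from the same remote address.
crypto ikev2 profile PROF-TUN1
 match address local 192.168.77.31
 match identity remote address 10.64.1.203 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-PEER
crypto ikev2 profile PROF-TUN2
 match address local 192.168.77.35
 match identity remote address 10.64.1.203 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-PEER
crypto ipsec transform-set TS-AES256-SHA512 esp-aes 256 esp-sha512-hmac
crypto ipsec profile IPSEC-TUN1
 set transform-set TS-AES256-SHA512
 set ikev2-profile PROF-TUN1
crypto ipsec profile IPSEC-TUN2
 set transform-set TS-AES256-SHA512
 set ikev2-profile PROF-TUN2
interface Loopback1
 ip address 192.168.77.31 255.255.255.255
interface Loopback2
 ip address 192.168.77.35 255.255.255.255
! Each VTI is its own IKEv2 SA; route one traffic class into Tunnel1 and the other into Tunnel2.
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.64.1.203
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-TUN1
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
 tunnel source Loopback2
 tunnel destination 10.64.1.203
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-TUN2
```

Because traffic selection is done by routing into the tunnel interface rather than by a crypto-map ACL, the single WAN interface no longer limits you to one source; "show crypto ikev2 sa" should then list two READY SAs to 10.64.1.203, one per loopback, as in the output above.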
11-27-2021 09:32 PM
Hello Daniel,
I have read about FlexVPN on Cisco Live, and the explanation was not straightforward.
Your config is simple to follow and is suitable. I will definitely test it.
thanks,