IPsec VPN with two loopbacks coming in on the same interface

ashley_dew
Beginner

Hello,

I have a scenario with a router with an internet line with two public IP addresses routed on it.

I want to create two different VPNs on the two loopbacks with the same remote peer for different types of traffic.

The problem is that only one crypto map applies to the WAN interface and I can only apply one source loopback.

I wanted to know if there is a possible solution.

Thanks,

Ashley

6 Replies

Georg Pauwen
VIP Master

Hello,

Crypto maps are considered, sort of, legacy. Why don't you configure VTIs and tunnel interfaces?

Can you post the running configs of both peers?

My experience is that when using crypto maps, trying to have 2 separate VPNs to the same remote peer does not work. I have not tried 2 separate VTIs to the same peer, but that would seem to be your best option.

HTH

Rick

Hello Georg,

I agree the VTI would be the preferred solution with a full Cisco solution.

Unfortunately, these are third-party companies where we do not have control over the config and equipment.

Some third-party endpoints support VTI, but not all.

But agreed, VTI is the best solution within an internal organisation.

MHM Cisco World
Advisor

follow

Dan Frey
Cisco Employee

Attached is an example of using a FlexVPN hub and client. The flex client has 49 IKEv2 sessions to the hub. This was used in a lab to simulate multiple IKEv2 clients going to a FlexVPN hub, but could be scaled back for your use case as well. The 192.168.77.X addresses (in the config below) are loopback interfaces on the client that represent the IKEv2 endpoint and tunnel source address. This solution passed most of the attributes over RADIUS. If you are not using RADIUS, then local attributes may need to be added to the config.

lab-csr7#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
34        192.168.77.35/500     10.64.1.203/500       none/MGMT-OVERLAY3   READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1320 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
18        192.168.77.31/500     10.64.1.203/500       none/MGMT-OVERLAY3   READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1324 sec
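The following is an added example, written for this thread and not taken from any reply above, from Dan's lab attachment or from Cisco. It sketches on the original poster's side what Georg's VTI suggestion and Dan's loopback-as-tunnel-source design look like together: two static IKEv2 VTIs toward one remote peer, each sourced from its own loopback, so no crypto map sits on the WAN interface at all. Every address (RFC 5737 documentation ranges), interface number, profile name and key is a constructed placeholder; the cipher suite simply mirrors the `show crypto ikev2 sa` output above.

```cisco
! Added example, not from the thread. Two route-based IPsec tunnels to ONE
! remote peer, each sourced from its own loopback. No crypto map is applied
! to the WAN interface, so the "one crypto map per interface" limit no longer
! matters. All addresses are constructed placeholders (RFC 5737 ranges).

! --- Loopbacks: each holds one of the two public IPs routed to this router ---
interface Loopback10
 ip address 192.0.2.10 255.255.255.255
!
interface Loopback11
 ip address 192.0.2.11 255.255.255.255
!
! --- IKEv2 proposal/policy: same suite as the 'show crypto ikev2 sa' output ---
crypto ikev2 proposal PROP-AES256-SHA512
 encryption aes-cbc-256
 integrity sha512
 group 19
!
crypto ikev2 policy POL-AES256-SHA512
 proposal PROP-AES256-SHA512
!
! --- One keyring entry for the peer; keys are placeholders, replace them ---
crypto ikev2 keyring KR-THIRDPARTY
 peer THIRDPARTY
  address 198.51.100.1
  pre-shared-key local REPLACE-WITH-LOCAL-PSK
  pre-shared-key remote REPLACE-WITH-REMOTE-PSK
!
! --- Two IKEv2 profiles. Both see the same remote identity, so
! --- 'match address local' is what lets IOS pick the right profile
! --- for each of the two IKEv2 SAs (one per loopback).
crypto ikev2 profile IKEV2-PROF-TUN10
 match address local 192.0.2.10
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 192.0.2.10
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-THIRDPARTY
!
crypto ikev2 profile IKEV2-PROF-TUN11
 match address local 192.0.2.11
 match identity remote address 198.51.100.1 255.255.255.255
 identity local address 192.0.2.11
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-THIRDPARTY
!
crypto ipsec transform-set TS-AES256-SHA512 esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF-TUN10
 set transform-set TS-AES256-SHA512
 set ikev2-profile IKEV2-PROF-TUN10
!
crypto ipsec profile IPSEC-PROF-TUN11
 set transform-set TS-AES256-SHA512
 set ikev2-profile IKEV2-PROF-TUN11
!
! --- Static VTIs: which traffic uses which tunnel is decided by routing,
! --- not by a crypto ACL, so "different types of traffic" just means
! --- different routes.
interface Tunnel10
 description traffic type A to third party (sourced from Loopback10)
 ip address 10.255.10.1 255.255.255.252
 tunnel source Loopback10
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-TUN10
!
interface Tunnel11
 description traffic type B to third party (sourced from Loopback11)
 ip address 10.255.11.1 255.255.255.252
 tunnel source Loopback11
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF-TUN11
!
! --- Constructed remote prefixes: steer each traffic type into its tunnel ---
ip route 172.16.10.0 255.255.255.0 Tunnel10
ip route 172.16.20.0 255.255.255.0 Tunnel11
```

After applying it, `show crypto ikev2 sa` should list two READY SAs with different Local addresses and the same Remote, much like Dan's output, and `show crypto ipsec sa` one child SA per tunnel. The caveat the original poster already raised still applies: a static VTI on IOS proposes 0.0.0.0/0 traffic selectors, so the third-party side must either run its own route-based (VTI) configuration or be willing to accept any/any selectors; a purely policy-based peer that insists on narrow proxy IDs will not bring these tunnels up, and for that peer the crypto-map limitation remains.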

Hello Daniel,

I have read about FlexVPN on Cisco Live, and the explanation was not straightforward.

Your config is simple to follow and is suitable. I will definitely test it.

Thanks,