1426 Views, 20 Helpful, 7 Replies

Second VPN connection

Tazio4436
Level 1

Hi,

I am testing a new network and I need to create a site to Site VPN connection.

My production network already has a Site to Site VPN connection.

Site 1 has a Cisco 2911 with LANs 10.88.X.X/24 and 192.168.1.0/24.

Site 2 has a Meraki with LAN 10.35.X.X.

The VPN between these 2 sites is working fine; they are the production sites.

Now on site 2 I have another Meraki, but its LAN is 10.21.X.X.

I want to create a VPN between the second Meraki on site 2 and site 1.

Note that site 1 has 1 ISP and site 2 has 2 ISPs, and each Meraki has a different ISP.

I have configured the Meraki on site 2 and did some basic configuration on the Cisco 2911 on site 1, but now I am not sure if I can add more commands on the outside interface, as it has already been configured with some commands for VPN 1.

Please see attached drawing for more information.

 

Some input will be highly appreciated from anyone.

Thanks

Tazio

6 Accepted Solutions

omz
VIP Alumni

Hi 

Use the same crypto map already on the outside interface. You can add another numbered entry to the crypto map with different transform-sets and match ACLs.

crypto map CMAP 10 ipsec-isakmp
 match address 101
 set peer 2.2.2.1
 set transform-set TSET
!
crypto map CMAP 20 ipsec-isakmp
 match address 102
 set peer 3.3.3.1
 set transform-set TSET2

 

https://community.cisco.com/t5/vpn-and-anyconnect/multiple-crypto-maps-on-single-outside-interface/td-p/2373092

https://community.cisco.com/t5/vpn-and-anyconnect/multiple-vpn-and-crypto-maps/td-p/1830689

 

Hope this helps.

 


Giuseppe Larosa
Hall of Fame

Hello Tazio,

the crypto map applied to the outgoing interface on the C2911 can use multiple clauses / blocks.

Each block refers to an IPsec peer, which must be different, and to an ACL, which must also be different and permits traffic from the internal subnets to a different destination.

The transform sets can be the same or different.

Each crypto map block has a sequence number, and they are processed in order.

 

Hope to help

Giuseppe

 


Hi,

This is what I added on the Cisco 2911.

There is no issue on the Meraki side.

!
crypto isakmp policy 20
 encr aes
 authentication pre-share
crypto isakmp key VPNKEY address 38.32.57.158
!
crypto map VPNSET 20 ipsec-isakmp
! Incomplete======>I don't know what is missing ?
 set peer 38.32.57.158
 set transform-set VPNSET
 match address 105
!
crypto ipsec transform-set VPNSET esp-aes esp-sha-hmac
 mode tunnel
!

 

This is what I have on the outside interface of the Cisco 2911:

interface GigabitEthernet0/1
description OUTSIDE
ip address 216.123.3.30 255.255.255.240
ip access-group OUTSIDE_IN in
ip mtu 1492
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
end

 

What I wanted to add for the outside interface is:

interface GigabitEthernet0/1
 crypto map VPNSET
!
! the crypto ACL that entry 20 of the map refers to
access-list 105 permit ip 10.88.0.0 0.0.0.255 10.21.0.0 0.0.7.255

!

I already have a default route: ip route 0.0.0.0 0.0.0.0 216.123.3.17

 

Your help will be much appreciated.

 

Thanks

Tazio


Hello Tazio,

My understanding was that you already had a crypto map applied to the outgoing interface and you just wanted to add a second block/clause to the existing crypto map.

Can you confirm the scenario? Is the first VPN connection exiting the same interface or another interface on your side? The network diagram makes me think you have both VPNs terminated on IP 216.123.3.30.

If so, the crypto map should already be applied to your outgoing interface and you are just adding a second block for the Meraki2 device.

 

Please note that the access-list OUTSIDE_IN may need to be updated to allow traffic coming from host Meraki2 38.32.57.158.

 

Can you post the configuration of both blocks of the crypto map?

 

Hope to help

Giuseppe

 


Hi, thank you very much for your support and help.

 

Both Merakis (Production and Test) will need to create a VPN with the same single interface on the Cisco 2911, which is interface GigabitEthernet0/1.

 

The LAN blocks on the side where the Cisco 2911 is are 10.88.0.0/24 and 192.168.1.0/24.

The LAN side for the Production Meraki is 10.35.8.0/22.

The LAN side for the TEST Meraki is 10.21.64.0/21.

 

Please see attached the show run for the Cisco 2911.

 

Thanks

Tazio


Hello Tazio,

OK, I report here the current crypto map configuration:

 

crypto map remap 1 ipsec-isakmp
 set peer 184.94.68.98
 set security-association lifetime seconds 28800
 set transform-set VPN-MY-Meraki
 set isakmp-profile VPN_565-Meraki
 match address NETWORK_88-565
 reverse-route
crypto map remap 10 ipsec-isakmp dynamic remap

 

You need to add a second block before the final line, with all parameters related to the TEST Meraki:

 

crypto map remap 5 ipsec-isakmp
 set peer 38.32.57.158
 set security-association lifetime seconds 28800
 set transform-set VPN-MY-Meraki
 set isakmp-profile VPN_Meraki_Test
 match address NETWORK_to_TEST_Meraki
 reverse-route

!

Define all the needed objects beforehand: the ACL NETWORK_to_TEST_Meraki, the isakmp-profile and the crypto keyring.

crypto keyring VPN-Meraki_Test
 pre-shared-key address 38.32.57.158 key <test-password>
!

 

crypto isakmp profile VPN_Meraki_Test
 keyring VPN-Meraki_Test
 match identity address 38.32.57.158 255.255.255.255
!

 

And the ACL:

 

ip access-list extended NETWORK_to_TEST_Meraki
 permit ip 10.88.0.0 0.0.0.255 10.21.64.0 0.0.7.255
 permit ip 192.168.1.0 0.0.0.255 10.21.64.0 0.0.7.255

 

Hope to help

Giuseppe

 

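The rules omz and Giuseppe give above (one crypto map per interface, blocks evaluated by sequence number with the first matching ACL winning, each block with its own peer and a distinct ACL, static blocks numbered below the dynamic one) and Giuseppe's remark that OUTSIDE_IN has to admit the new peer are mechanical enough to check in code. The Python below is an added example, not configuration from this thread or from Cisco: it converts IOS wildcard masks, walks a crypto map in sequence order, reports overlapping crypto ACLs, and lists the OUTSIDE_IN lines a new IPsec peer needs. The peer and LAN addresses are the ones posted in the thread; the contents of ACL NETWORK_88-565 and the existing OUTSIDE_IN entries are not shown anywhere above, so the values used for them are assumptions.

```python
"""IOS crypto map and outside-ACL checks for the two-Meraki setup in this thread.

Added example, not code from the thread. Assumed (not in the posts): the lines
of ACL NETWORK_88-565 (built from the LANs Tazio listed) and the 'before'
OUTSIDE_IN lines, which cover the production peer only.
"""
import ipaddress
import re

PERMIT_IP = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard -> IPv4Network (0.0.7.255 is an inverted /21 mask).
    Only contiguous wildcards (2**k - 1) are accepted, so a typo such as
    0.0.255.0 is rejected instead of silently widening the crypto domain."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def parse_crypto_acl(lines):
    """'permit ip SRC WC DST WC' lines -> [(src_net, dst_net)]. Anything else
    (deny, ports, host/any) is refused: a crypto ACL only selects traffic."""
    pairs = []
    for line in lines:
        m = PERMIT_IP.match(" ".join(line.split()))
        if not m:
            raise ValueError(f"unsupported crypto ACL line: {line!r}")
        s, sw, d, dw = m.groups()
        pairs.append((wildcard_to_network(s, sw), wildcard_to_network(d, dw)))
    return pairs


def select_entry(crypto_map, src, dst):
    """Sequence number of the static entry a flow hits. Entries are walked in
    ascending order, first match wins (as IOS does); None means no static entry
    matches and the packet leaves in the clear. The 'dynamic remap' entry has
    no match ACL and only answers peer-initiated IKE, so it is not modelled."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for seq, _peer, acl in sorted(crypto_map, key=lambda e: e[0]):
        if any(s in sn and d in dn for sn, dn in acl):
            return seq
    return None


def overlapping_entries(crypto_map):
    """(seq_a, seq_b) pairs whose crypto ACLs select a common flow. Only the
    lower sequence number would ever carry that traffic and the other peer
    never sees it, which is why each block's ACL must be distinct."""
    found = set()
    for i, (sa, _pa, acla) in enumerate(crypto_map):
        for sb, _pb, aclb in crypto_map[i + 1:]:
            if any(s1.overlaps(s2) and d1.overlaps(d2)
                   for s1, d1 in acla for s2, d2 in aclb):
                found.add((min(sa, sb), max(sa, sb)))
    return sorted(found)


# IKE (UDP 500), NAT-T (UDP 4500) and ESP from one peer, as IOS ACL lines.
IKE_TEMPLATES = ("permit udp host {peer} host {local} eq isakmp",
                 "permit udp host {peer} host {local} eq non500-isakmp",
                 "permit esp host {peer} host {local}")


def missing_outside_in(acl_lines, peer, local):
    """OUTSIDE_IN lines still needed so `peer` can negotiate IKE and send ESP to
    `local`; the inbound ACL filters the IKE/ESP packets themselves, so without
    them the tunnel never negotiates. 'eq 500'/'eq 4500' are normalised first."""
    def norm(line):
        line = re.sub(r"\beq 500\b", "eq isakmp", " ".join(line.split()))
        return re.sub(r"\beq 4500\b", "eq non500-isakmp", line)
    present = {norm(l) for l in acl_lines}
    wanted = [t.format(peer=peer, local=local) for t in IKE_TEMPLATES]
    return [w for w in wanted if norm(w) not in present]


# ---- constructed data following the addresses given in the thread ----
LOCAL_OUTSIDE = "216.123.3.30"
PROD_PEER, TEST_PEER = "184.94.68.98", "38.32.57.158"
ACL_PROD = ["permit ip 10.88.0.0 0.0.0.255 10.35.8.0 0.0.3.255",     # assumed
            "permit ip 192.168.1.0 0.0.0.255 10.35.8.0 0.0.3.255"]   # NETWORK_88-565
ACL_TEST = ["permit ip 10.88.0.0 0.0.0.255 10.21.64.0 0.0.7.255",    # NETWORK_to_TEST_Meraki
            "permit ip 192.168.1.0 0.0.0.255 10.21.64.0 0.0.7.255"]  # as posted
ACL_105 = ["permit ip 10.88.0.0 0.0.0.255 10.21.0.0 0.0.7.255"]      # Tazio's first try
# 'crypto map remap': static entries 1 and 5 sit below the dynamic entry 10.
REMAP = [(1, PROD_PEER, parse_crypto_acl(ACL_PROD)),
         (5, TEST_PEER, parse_crypto_acl(ACL_TEST))]
OUTSIDE_IN_BEFORE = [t.format(peer=PROD_PEER, local=LOCAL_OUTSIDE)
                     for t in IKE_TEMPLATES]


def acl_105_reaches_test_lan():
    """Would ACL 105 have selected traffic for a host in 10.21.64.0/21?"""
    return select_entry([(20, TEST_PEER, parse_crypto_acl(ACL_105))],
                        "10.88.0.50", "10.21.64.10") is not None
```

select_entry(REMAP, "10.88.0.50", "10.21.64.10") returns 5, the test block, while acl_105_reaches_test_lan() is False: the original access-list 105 selects 10.21.0.0/21 (0.0.7.255 on 10.21.0.0), which does not contain the 10.21.64.0/21 test LAN, and that is the mismatch the posted NETWORK_to_TEST_Meraki ACL corrects. overlapping_entries(REMAP) is empty, as it must be for two peers sharing one interface. missing_outside_in(OUTSIDE_IN_BEFORE, TEST_PEER, LOCAL_OUTSIDE) returns the three inbound lines for 38.32.57.158 (UDP 500, UDP 4500, ESP) that Giuseppe's note about OUTSIDE_IN refers to; adding a crypto map block does not by itself open the interface ACL.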

7 Replies

Hi,
Thank you very much for your support.
I have not configured the new VPN connection yet, but I will do it soon and let you know the outcome.

Thanks and regards
Tazio