03-24-2011 02:48 AM - edited 03-04-2019 11:51 AM
Hello,
Two companies want to use one serial connection between two routers. The networks 10.28.228.0 and 10.28.229.0 belong to the one company and the networks 10.29.72.0 and 10.29.106.0 to the other company. For separate causes we want to create two VPN tunnels with IPsec. The max. bandwidth is 2MB/s. On the serial subinterfaces it isn't possible to configure encapsulation ppp in our routers.
Without subinterfaces and one VPN tunnel with IPsec on the serial interface with ppp it's working fine.
version 12.4
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname beh2turm
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-23.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging rate-limit
enable secret 5 ****
!
aaa new-model
!
!
aaa authentication login conmethod group tacacs+ enable
aaa authentication login vtymethod group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name gsta.verwalt-berlin.de
!
!
crypto pki trustpoint TP-self-signed-3134403343
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3134403343
revocation-check none
rsakeypair TP-self-signed-3134403343
!
!
crypto pki certificate chain TP-self-signed-3134403343
certificate self-signed 01
30820257 ****
530A9F
quit
archive
log config
hidekeys
!
!
!
!
crypto isakmp policy 12
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 14
encr 3des
hash md5
authentication pre-share
crypto isakmp key halfspeed address 10.29.40.49
crypto isakmp key halfspeed address 10.29.40.17
!
!
crypto ipsec transform-set encrypt-3des esp-3des
!
crypto map BEH 12 ipsec-isakmp
set peer 10.29.40.17
set transform-set encrypt-3des
match address 130
!
crypto map GB 14 ipsec-isakmp
set peer 10.29.40.49
set transform-set encrypt-3des
match address 150
!
!
interface FastEthernet0/0
description zum Grundbuch
ip address 10.28.229.1 255.255.255.0
no shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.29.106.240 255.255.255.0
ip helper-address 10.29.80.56
ip helper-address 10.29.80.55
ip directed-broadcast
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
!
interface Serial0/0/0.1
description zur STA
autodetect encapsulation ppp
bandwidth 1500000
ip address 10.29.40.18 255.255.255.252
crypto map BEH
!
interface Serial0/0/0.2
description zum AG
autodetect encapsulation ppp
bandwidth 500000
ip address 10.29.40.50 255.255.255.252
crypto map TUNNEL-GB
!
no ip forward-protocol nd
ip route 10.28.228.0 255.255.255.0 10.29.40.49
ip route 10.29.50.0 255.255.255.0 10.29.40.17
ip route 10.29.60.0 255.255.255.0 10.29.40.17
ip route 10.29.80.0 255.255.254.0 10.29.40.17
ip route 10.29.82.0 255.255.254.0 10.29.40.17
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging origin-id hostname
logging 10.29.50.2
!
access-list 130 permit ip any any
access-list 150 permit ip any any
!
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps tty
!
tacacs-server host 10.29.50.2
tacacs-server directed-request
tacacs-server key 7 ****
!
control-plane
!
banner motd ^Geraet mit AAA konfiguriert!^
!
line con 0
exec-timeout 3 0
password 7 ***
login authentication conmethod
line aux 0
line vty 0 4
exec-timeout 20 0
privilege level 15
password 7 ***
login authentication vtymethod
transport input ssh
line vty 5 15
exec-timeout 5 0
privilege level 15
password 7 ***
login authentication vtymethod
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178612
ntp peer 10.29.40.17
end
Can you help me, how to configure two VPNs over a serial interface (see appendix)?
Best regards,
Matthias
03-31-2011 07:54 PM
Matthias
Unfortunately I do not believe that it is possible to set up 2 separate VPN tunnels running over a single serial interface between the same 2 routers.
Would it be feasible to run a single VPN tunnel to transport traffic for both companies over the serial link, and to use an ACL to make sure that a source from company 1 could only access a destination of company 1?
HTH
Rick
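The ACL-based separation suggested in the answer above can be checked mechanically. The following Python audit is an added example, not part of the original thread: it reports every `permit ip` entry that would let one company's networks reach the other's. The `SCOPED` entries are constructed, and which network sits at which end of the link is an assumption.

```python
import ipaddress

# Networks named in the question; /24 masks taken from the posted config.
COMPANIES = {
    "company1": ["10.28.228.0/24", "10.28.229.0/24"],
    "company2": ["10.29.72.0/24", "10.29.106.0/24"],
}

def _operand(tokens):
    """Consume one IOS address operand (any | host A | A WILDCARD)."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    bits = wild.bit_length()
    if wild != (1 << bits) - 1:
        raise ValueError("non-contiguous wildcard mask not handled")
    base = int(ipaddress.IPv4Address(head)) & ~wild & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - bits))

def owners(net):
    """Names of the companies whose address space overlaps net."""
    return {name for name, nets in COMPANIES.items()
            if any(net.overlaps(ipaddress.ip_network(n)) for n in nets)}

def cross_company_permits(acl_lines):
    """Return 'permit ip' entries that allow a flow between two companies.

    Deny entries are ignored, so a permit shadowed by an earlier deny is
    still reported (conservative).
    """
    findings = []
    for line in acl_lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        rest = tok[4:]
        src, dst = _operand(rest), _operand(rest)
        if any(s != d for s in owners(src) for d in owners(dst)):
            findings.append(line)
    return findings

# ACLs 130 and 150 exactly as posted in the question.
POSTED = ["access-list 130 permit ip any any",
          "access-list 150 permit ip any any"]
# Constructed per-company entries (assumed placement of the networks).
SCOPED = ["access-list 130 permit ip 10.28.229.0 0.0.0.255 10.28.228.0 0.0.0.255",
          "access-list 130 permit ip 10.29.106.0 0.0.0.255 10.29.72.0 0.0.0.255"]
```

Both `permit ip any any` entries from the posted configuration are reported, while the per-company entries pass.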
04-01-2011 01:05 AM
Hello Rick,
thank you for your answer. I think the solution with ACL is feasible for our subject.
Best Regards
Matthias
04-01-2011 03:28 PM
Matthias
I am glad that my suggestion may point you toward a solution that could work for you. Thank you for marking this question resolved (and thanks for the points). It makes the forum more useful when people can read a question and can know that they will read responses which did point toward a solution. Your marking this question will help other readers to make effective use of this thread in the forum.
HTH
Rick