10-03-2012 12:13 PM - edited 03-07-2019 09:15 AM
Please suggest
I have one interface, FastEthernet0/1, which has a public IP and is connected to a 2 Mb internet link. I want to create multiple VPN sessions with different peers that have public IPs, so I am creating multiple crypto maps with sequence numbers and applying them to FastEthernet0/1. Please see below.
first defining policy
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
then defining
crypto isakmp key
then crypto ipsec transform-set
and then
crypto map name seq no ipsec-isakmp
match the access-list
set the group
and finally apply crypto map to fastethernet0/1
Will it create multiple sessions with different peers?
Also, I need to know in which cases we need to create interface tunnels.
Please respond.
10-06-2012 01:52 PM
I believe that you understand this but I will point it out explicitly just in case it is not clear - an interface can have only one crypto map applied. So if you have one interface and you want to have multiple sessions then you have one crypto map with multiple instances. So if you have something like this
crypto map demo_map 10 ipsec-isakmp
match some access list
set some peer
crypto map demo_map 20 ipsec-isakmp
match some other access list
set some other peer
crypto map demo_map 30 ipsec-isakmp
match some other access list
set some other peer
crypto map demo_map 40 ipsec-isakmp
match some other access list
set some other peer
and you then apply demo_map to the FastEthernet interface then it would bring up 4 VPN sessions.
This configuration will send IP unicast traffic through the VPN sessions. If you need to send multicast traffic, or if you want to run a dynamic routing protocol between the peers then you would need to configure tunnels.
HTH
Rick
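The single-map, multiple-sequence layout described in the reply above, written out for two peers as an added example (not configuration posted by anyone in this thread). It substitutes AES-256, SHA-256 and DH group 14 for the 3DES, MD5 and group 2 in the question's policy, since those are considered weak today. All addresses (RFC 5737 documentation ranges and RFC 1918 LANs), ACL names, the transform-set name and the key placeholders are assumptions.

```cisco
! Added example. Every name, address and key below is a constructed placeholder.
!
! Phase 1 policy shared by all peers
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per peer address, rather than a wildcard 0.0.0.0 key
crypto isakmp key <PSK-FOR-PEER-A> address 198.51.100.10
crypto isakmp key <PSK-FOR-PEER-B> address 203.0.113.20
!
! Phase 2 proposal
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! One ACL per peer: local LAN to that peer's remote LAN only
ip access-list extended VPN-TO-PEER-A
 permit ip 10.1.0.0 0.0.255.255 10.10.0.0 0.0.255.255
ip access-list extended VPN-TO-PEER-B
 permit ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! ONE crypto map name, one sequence number per peer
crypto map demo_map 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES256
 set pfs group14
 match address VPN-TO-PEER-A
crypto map demo_map 20 ipsec-isakmp
 set peer 203.0.113.20
 set transform-set TS-AES256
 set pfs group14
 match address VPN-TO-PEER-B
!
! The interface takes a single crypto map; both entries ride on it
interface FastEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 crypto map demo_map
!
! Verify after interesting traffic has matched each ACL:
!  show crypto map
!  show crypto isakmp sa
!  show crypto ipsec sa
```

Each peer needs a mirrored ACL and matching phase 1 and phase 2 parameters; an SA only appears in `show crypto ipsec sa` once traffic matching that entry's ACL has been sent.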
10-07-2012 03:11 AM
Hi Sunil,
You can create multiple VPN peers and point them to your WAN/ISP-connecting interface. That should not be a problem. You need to create the tunnel interface when you have a GRE-based VPN in place.
You can refer to the Cisco document below, which shows the required scenario.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml
Please do rate and mark this as answered if it helps.
By
Karthik
10-07-2012 03:19 AM
In addition to the GRE use case that Karthik mentioned, you should use tunnel interfaces when the peer is also an IOS router. Then you can configure Virtual Tunnel Interfaces (VTI), which are much easier to handle than the crypto maps:
http://www.cisco.com/en/US/partner/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni