cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
250
Views
0
Helpful
3
Replies

ipsec-vpn question

sunil-koul
Beginner
Beginner

Please suggest

I have 1  interface FastEthernet0/1 which has public ip and connected to 2mb internet link.I want to create multiple vpn sessions with different peers having public ips.so I am creating multiple crypto maps with seq number and applying it to fasthernet0/1.please see below.

first defining policy

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

then defining

crypto isakmp key

then crypto ipsec transform-set

and then

crypto map name seq no ipsec-isakmp

match the access-list

set the group

and finally apply crypto map to fastethernet0/1

will it create multiple sessions with different peers?

Also need to knw in which cases we need to create interface tunnels

please respond

3 Replies 3

Richard Burts
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru

I believe that you understand this but I will point it out explicitly just in case it is not clear - an interface can have only one crypto map applied. So if you have one interface and you want to have multiple sessions then you have one crypto map with multiple instances. So if you have something like this

crypto map demo_map 10 ipsec-isakmp

match some access list

set some peer

crypto map demo_map 20 ipsec-isakmp

match some other access list

set some other peer

crypto map demo_map 30 ipsec-isakmp

match some other access list

set some other peer

crypto map demo_map 40 ipsec-isakmp

match some other access list

set some other peer

and you then apply demo_map to the FastEthernet interface then it would bring up 4 VPN sessions.

This configuration will send IP unicast traffic through the VPN sessions. If you need to send multicast traffic, or if you want to run a dynamic routing protocol between the peers then you would need to configure tunnels.

HTH

Rick

HTH

Rick

nkarthikeyan
Rising star
Rising star

Hi Sunil,

You can create multiple VPN peers and pointed to your WAN/ISP connecting interface. That should not be the problem. The tunnel interface you need to create when you have the GRE based VPN in place.

You can refer the below cisco document which shows the required scneario.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

Please do rate and mark this as answered if it helps.

By

Karthik

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

In addition to the GRE use-case that Karthik mentioned, you should use tunnel-interfaces when the peer is also an IOS-router. Then you can configure virtual Tunnel interfaces (VTI) that are much easier to handle then the crypto maps:

http://www.cisco.com/en/US/partner/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers