01-03-2017 01:50 PM - edited 03-08-2019 08:47 AM
I am working on a project where I need to create VPN site-to-site tunnels between an IOS router and multiple ASA firewalls. This is very easy to do between ASAs, but I am struggling a bit to get this to work as easily between IOS and ASA, and DMVPN is out of the question here. I have come so far as to getting one link up between two sites, SITE A and SITE B.
I thought I could just create one more crypto map and map it to the same interface to link up SITE A and SITE C. As you probably understand, this does not work, as adding this crypto map on the same interface overwrites the other one. I'm struggling to find information on how to do this correctly with the current setup I have. VPN on IOS is not my strong side and I'm struggling a bit with the guides. Could anyone take a look at this config and tell me how I should do this?
I will provide the config that works today first, and the rest is what I thought I could do, but as soon as I applied the crypto map I noticed that the first one disappeared.
! TODAY'S WORKING VPN TUNNEL SITE_A TO SITE_B
! ****************************************************************
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
crypto ikev2 keyring IKEv2_KEYRING_SITE_B
 peer B.B.B.B
  address B.B.B.B
  pre-shared-key fjyd4gni
!
crypto ikev2 profile IKEv2_SITE_B
 match address local A.A.A.A
 match identity remote address B.B.B.B 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING_SITE_B
!
ip access-list extended SITE_A_SITE_B_CRYPTO
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
!
crypto map IKEv2_MAP_SITE_B 1000 ipsec-isakmp
 set peer B.B.B.B
 set transform-set IPSEC_TSET1
 set ikev2-profile IKEv2_SITE_B
 match address SITE_A_SITE_B_CRYPTO
!
! NAT EXEMPT CONFIG
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
route-map NONAT permit 10
 match ip address 110
access-list 110 remark NAT exemption access-list
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.2.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 crypto map IKEv2_MAP_SITE_B
! WHAT I THOUGHT I COULD DO: ADDING AN ADDITIONAL TUNNEL SITE_A TO SITE_C BY JUST COPYING THE FIRST CONFIG
! ****************************************************************
crypto ikev2 keyring IKEv2_KEYRING_SITE_C
 peer C.C.C.C
  address C.C.C.C
  pre-shared-key xxx
!
crypto ikev2 profile IKEv2_SITE_C
 match address local A.A.A.A
 match identity remote address C.C.C.C 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING_SITE_C
!
ip access-list extended SITE_A_SITE_C_CRYPTO
 permit ip 10.0.2.0 0.0.0.255 10.0.20.0 0.0.0.255
!
crypto map IKEv2_MAP_SITE_C 1000 ipsec-isakmp
 set peer C.C.C.C
 set transform-set IPSEC_TSET1
 set ikev2-profile IKEv2_SITE_C
 match address SITE_A_SITE_C_CRYPTO
!
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
access-list 110 remark NAT exemption access-list
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 110 permit ip 10.0.2.0 0.0.0.255 any
!
interface GigabitEthernet0/0
 crypto map IKEv2_MAP_SITE_C
01-03-2017 02:08 PM
For each remote site you have to use one sequence in your crypto-map. In one sequence (1000) you define all parameters that are for site-B, in an additional sequence (e.g. 1010) you define all parameters for site-C.
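The fix described in the answer, applied to the configuration from the question, as an added example (this is not the poster's or the answerer's own configuration). Peer addresses (A.A.A.A, B.B.B.B, C.C.C.C), subnets, and object names are taken from the question; sequence 1010 for SITE C follows the answer's suggestion; the existing map name IKEv2_MAP_SITE_B is kept so the interface binding and the working SITE B tunnel are not disturbed; the pre-shared keys are placeholders.

```cisco
! Added example: ONE crypto map, one sequence per remote site.
! Names, peers and subnets come from the question; seq 1010 follows the
! answer; PSK values are placeholders.
!
! --- IKEv2 / IPsec parameters shared by both tunnels (carried over unchanged)
crypto ikev2 proposal IKEv2_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy IKEv2_POLICY
 proposal IKEv2_PROPOSAL
!
crypto ipsec transform-set IPSEC_TSET1 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! --- Per-peer keyrings and profiles: one of each per remote site
crypto ikev2 keyring IKEv2_KEYRING_SITE_B
 peer B.B.B.B
  address B.B.B.B
  pre-shared-key <SITE_B_PSK_PLACEHOLDER>
!
crypto ikev2 keyring IKEv2_KEYRING_SITE_C
 peer C.C.C.C
  address C.C.C.C
  pre-shared-key <SITE_C_PSK_PLACEHOLDER>
!
crypto ikev2 profile IKEv2_SITE_B
 match address local A.A.A.A
 match identity remote address B.B.B.B 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING_SITE_B
!
crypto ikev2 profile IKEv2_SITE_C
 match address local A.A.A.A
 match identity remote address C.C.C.C 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING_SITE_C
!
! --- Crypto ACLs: one per site, each matching only that site's subnet
ip access-list extended SITE_A_SITE_B_CRYPTO
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended SITE_A_SITE_C_CRYPTO
 permit ip 10.0.2.0 0.0.0.255 10.0.20.0 0.0.0.255
!
! --- A single crypto map; each peer gets its own sequence number.
!     Binding a second map name to the interface replaces the first,
!     which is what the question ran into.
crypto map IKEv2_MAP_SITE_B 1000 ipsec-isakmp
 set peer B.B.B.B
 set transform-set IPSEC_TSET1
 set ikev2-profile IKEv2_SITE_B
 match address SITE_A_SITE_B_CRYPTO
crypto map IKEv2_MAP_SITE_B 1010 ipsec-isakmp
 set peer C.C.C.C
 set transform-set IPSEC_TSET1
 set ikev2-profile IKEv2_SITE_C
 match address SITE_A_SITE_C_CRYPTO
!
! --- NAT exemption: deny BOTH tunnel flows before the permit-any,
!     otherwise SITE C traffic is PAT'd and never matches its crypto ACL
access-list 110 remark NAT exemption access-list
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.20.0 0.0.0.255
access-list 110 permit ip 10.0.2.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 110
ip nat inside source route-map NONAT interface GigabitEthernet0/0 overload
!
! --- The map is bound to the outside interface exactly once
interface GigabitEthernet0/0
 crypto map IKEv2_MAP_SITE_B
```

Because the new entry is added to the map already bound to GigabitEthernet0/0, the interface line does not need to be re-entered. To check the result, `show crypto map` should list both sequences (1000 and 1010) under IKEv2_MAP_SITE_B, and `show crypto ikev2 sa` and `show crypto ipsec sa peer C.C.C.C` show the second tunnel once interesting traffic for 10.0.20.0/24 is generated. The IKEv2 parameters are carried over from the question unchanged so the example matches the working SITE B tunnel; note that `group 2` is 1024-bit MODP Diffie-Hellman, which Cisco lists as weak, so a fresh deployment would normally use group 14 or higher, agreed with the ASA side.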