IOS Dynamic VPN Setup with Multiple VRFs

gregwoodson
Level 1

I am trying to terminate 2 clients (2 different VRFs) on the same router. I'm having a couple of issues. How do you match each VPN connection (hostname? user/FQDN?) without using an IP address, because each one will have a dynamic IP address, not static? Secondly, how do I set up the 2nd VPN? Attached is the working config with the 1 VPN.

Thanks

Greg

crypto keyring preshared
 pre-shared-key address 0.0.0.0 0.0.0.0 key password12345
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile Customer1
 vrf Customer1
 keyring preshared
 match identity address 0.0.0.0
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set aes-256-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map Customer1Dyn 10
 set transform-set aes-256-sha
 set pfs group5
 set isakmp-profile Customer1
 reverse-route
!
crypto map outsidemap1 local-address Vlan651
crypto map outsidemap1 1000 ipsec-isakmp dynamic Customer1Dyn

4 Replies

Philip D'Ath
VIP Alumni

Change to using IKEv2 instead of IKEv1 (I don't see much point in continuing to use the old IKEv1 if you don't have to). Then you can match on things like "email" instead of an IP address.

crypto ikev2 profile default
  match identity remote email dummy@email.address.com
  ...
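To show what the suggestion above looks like when carried through for the two-VRF case in the original question, here is an added example configuration; it is not from this thread or from Cisco, and it assumes names of my own choosing (VRFs Customer1 and Customer2, profile/keyring names, hub.example.net as the local FQDN, vpn@customer1.example and vpn@customer2.example as the peers' IKEv2 e-mail identities, Vlan651 as the outside interface) and placeholder pre-shared keys that must be replaced. Each peer is selected by the identity it presents in IKE_AUTH, so the router never needs to know the peers' addresses, and each profile's ivrf places that customer's tunnel in its own VRF.

```cisco
! Added example (not from the thread): two IKEv2 profiles on one router,
! each selected by the peer's e-mail identity instead of its dynamic IP,
! each placing the tunnel's inside traffic into a separate VRF.
! Assumed: VRFs Customer1/Customer2 already exist, Vlan651 is the outside
! interface in the global table; PSKs below are placeholders.
!
crypto ikev2 proposal PROP-AES256-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-DEFAULT
 proposal PROP-AES256-SHA256
!
! One keyring per customer. The peer entry is matched on identity, not
! address, so each customer keeps its own key even though both arrive from
! unknown source addresses.
crypto ikev2 keyring KR-Customer1
 peer Customer1-site
  identity email vpn@customer1.example
  pre-shared-key REPLACE-WITH-CUSTOMER1-PSK
!
crypto ikev2 keyring KR-Customer2
 peer Customer2-site
  identity email vpn@customer2.example
  pre-shared-key REPLACE-WITH-CUSTOMER2-PSK
!
! Profiles: "match identity remote email" does the per-customer selection;
! "ivrf" puts the decrypted traffic into that customer's VRF.
crypto ikev2 profile Customer1-IKEv2
 match identity remote email vpn@customer1.example
 identity local fqdn hub.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-Customer1
 ivrf Customer1
!
crypto ikev2 profile Customer2-IKEv2
 match identity remote email vpn@customer2.example
 identity local fqdn hub.example.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-Customer2
 ivrf Customer2
!
crypto ipsec transform-set aes-256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
! One dynamic map per customer, tied to its IKEv2 profile. reverse-route
! injects the remote networks into the VRF named by that profile's ivrf.
crypto dynamic-map Customer1Dyn 10
 set transform-set aes-256-sha
 set pfs group14
 set ikev2-profile Customer1-IKEv2
 reverse-route
!
crypto dynamic-map Customer2Dyn 10
 set transform-set aes-256-sha
 set pfs group14
 set ikev2-profile Customer2-IKEv2
 reverse-route
!
! Both dynamic maps hang off the one outside crypto map. The sequence numbers
! only order evaluation; the IKEv2 identity match decides which one applies.
crypto map outsidemap1 local-address Vlan651
crypto map outsidemap1 1000 ipsec-isakmp dynamic Customer1Dyn
crypto map outsidemap1 1010 ipsec-isakmp dynamic Customer2Dyn
```

After a peer connects, "show crypto ikev2 sa" should list the session under the expected profile with the remote e-mail identity, and "show ip route vrf Customer1" (or Customer2) should show the reverse-injected routes in the right VRF and not in the other one; a tunnel landing in the wrong VRF is the failure mode to test for. Each remote site must be configured to send the matching e-mail identity (and its own key) for its profile to be selected. As the later replies in this thread point out, this depends on the platform actually supporting IKEv2.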

Philip,

We are using a 6506E chassis with a Sup720-3BXL and an SPA-IPSEC-2G module. It looks like IKEv2 was introduced in IOS v15.X maybe? I'm having trouble finding a version of code that supports both the IKEv2 crypto profile as well as the SPA-IPSEC-2G. Any suggestions?

Thanks

Greg

According to Cisco: The SPA-IPSEC-2G product has reached End-of-Sale (EoS)/End-of-Life (EoL), and Cisco no longer provides support. Additionally, Cisco no longer allows this module to power up upon boot in Cisco IOS Releases 15.4(1)S and later.

I think it will be very difficult to do what you want with such old equipment.

Next possibility. Can you put a second IP address on the "outside" interface where the VPN will terminate?