Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1542
Views
0
Helpful
1
Replies

IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map

ar
Level 1
Level 1

‎07-09-2012 07:26 PM - edited ‎02-21-2020 06:11 PM

Hi.

I am trying to setup a dynamic IPSEC VPN.

Setup is;

- one 7200 as VPN concentrator

- mulitple remote CPE connected via 3G Internet doing IPSEC with the concentrator

Objectives are:

- Remote CPE to another remote CPE traffic

- Remote CPE to 7200 VPN Concentrator local LAN

crypto dynamic-map custC-map 10

set transform-set IPSEC

set isakmp-profile custC-profile

match address 104

crypto dynamic-map custC-map 20

set transform-set IPSEC

set isakmp-profile custC-profile

match address 105

crypto dynamic-map custC-map 30

set transform-set IPSEC

set isakmp-profile custC-profile

match address 106

crypto dynamic-map custC-map 40

set transform-set IPSEC

set isakmp-profile custC-profile

match address 108

crypto dynamic-map custC-map 50

set transform-set IPSEC

set isakmp-profile custC-profile

match address 109

local LAN

My config is a single Phase 1, but mulitple Phase 2.

Is it possible to have inter-site traffic via the hub using the same IPSEC phase1?

My simulation in GNS3 is intermittent when traffic is inter-site.

But when traffic is from the tunnel to a local destination within the concentrator, it works fine.

VPN Concentrator Config:

crypto keyring custC-key vrf FVRF-C

  pre-shared-key address 0.0.0.0 0.0.0.0 key customerC

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp profile custC-profile

   vrf VRF-C

   keyring custC-key

   match identity address 0.0.0.0 FVRF-C

crypto dynamic-map custC-map 10

set transform-set IPSEC

set isakmp-profile custC-profile

match address 104

crypto dynamic-map custC-map 20

set transform-set IPSEC

set isakmp-profile custC-profile

match address 105

crypto dynamic-map custC-map 30

set transform-set IPSEC

set isakmp-profile custC-profile

match address 106

crypto dynamic-map custC-map 40

set transform-set IPSEC

set isakmp-profile custC-profile

match address 108

crypto dynamic-map custC-map 50

set transform-set IPSEC

set isakmp-profile custC-profile

match address 109

Problem: Remote CPE to another Remote CPE LAN-to-LAN ping test is intermittent.

Is this  setup possible? OR has to be a totally different ipsec tunnel per CPE to work?

Comments?

thanks

1 person had this problem
Labels:
0 Helpful
1 Reply 1

alanwright1
Level 1
Level 1

‎09-17-2013 08:32 AM

Anyone got any ideas why spoke to spoke is intermittent?

0 Helpful
Customers Also Viewed These Support Documents