07-09-2012 07:26 PM - edited 02-21-2020 06:11 PM
Hi.
I am trying to set up a dynamic IPSEC VPN.
Setup is:
- one 7200 as VPN concentrator
- multiple remote CPE connected via 3G Internet doing IPSEC with the concentrator
Objectives are:
- Remote CPE to another remote CPE traffic
- Remote CPE to 7200 VPN Concentrator local LAN
My config is a single Phase 1, but multiple Phase 2.
Is it possible to have inter-site traffic via the hub using the same IPSEC phase1?
My simulation in GNS3 is intermittent when traffic is inter-site.
But when traffic is from the tunnel to a local destination within the concentrator, it works fine.
VPN Concentrator Config:
crypto keyring custC-key vrf FVRF-C
 pre-shared-key address 0.0.0.0 0.0.0.0 key customerC
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile custC-profile
 vrf VRF-C
 keyring custC-key
 match identity address 0.0.0.0 FVRF-C
crypto dynamic-map custC-map 10
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 104
crypto dynamic-map custC-map 20
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 105
crypto dynamic-map custC-map 30
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 106
crypto dynamic-map custC-map 40
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 108
crypto dynamic-map custC-map 50
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 109
Problem: Remote CPE to another Remote CPE LAN-to-LAN ping test is intermittent.
Is this setup possible? Or does it have to be a totally different IPSEC tunnel per CPE to work?
Comments?
thanks
09-17-2013 08:32 AM
Anyone got any ideas why spoke to spoke is intermittent?