
Site-to-site IPSec VPN

fabflorent
Level 1

Hello,

I have a Cisco 1911 Router with one outside interface.

I have already configured a site-to-site VPN tunnel (with IPsec) between my site and a partner site.

Now I am asked to configure a second VPN tunnel between my router and our HQ site. (Not a backup link, but another link!)

Is it possible to maintain the first tunnel and build a second IPsec site-to-site VPN tunnel on my Cisco 1911 router?

If not, which design and configurations are recommended?

I attached the first tunnel configuration on Cisco 1911.

On our HQ site, we have a MikroTik router...

Accepted Solutions

Richard Burts
Hall of Fame

Yes, it is possible to maintain the first tunnel and to build a second IPsec tunnel for site to site VPN to a second site (HQ in your case) on your 1911 router. You would configure appropriate encryption parameters for the new tunnel similar to what you configured for your first tunnel. The most important thing to understand about building the new site to site VPN is about the crypto map that you use and specify on the outbound interface. An interface can have only a single crypto map applied. So you do not create a new crypto map but you create a new instance in the existing crypto map. You are currently using sequence number 1 in the existing map:

crypto map GMT_BZR 1 ipsec-isakmp

so for the new instance you might use sequence number 10 (or any number you choose)

crypto map GMT_BZR 10 ipsec-isakmp

and then you configure the other security parameters that you need under the new sequence number.

HTH

Rick
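
The second crypto map entry described in the accepted answer, sketched as an added example (not part of Rick's post and not taken from the attached configuration). Only the map name GMT_BZR and sequence number 10 come from the thread; the peer address, subnets, key, policy number and object names are placeholders, and an IOS 15.x image supporting SHA-256 and DH group 14 is assumed.

```cisco
! Added example. Placeholders: 203.0.113.10 (HQ peer, documentation address),
! 192.168.10.0/24 (local LAN), 192.168.20.0/24 (HQ LAN), HQ_TS, HQ_VPN_ACL,
! policy number 20 and <HQ_PRE_SHARED_KEY>.
!
! Phase 1 proposal for the HQ peer. It must match the proposal configured
! on the MikroTik side. Skip it if an existing policy already matches.
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Bind the key to the HQ peer address only, not to 0.0.0.0.
crypto isakmp key <HQ_PRE_SHARED_KEY> address 203.0.113.10
!
! Phase 2 proposal for the HQ tunnel.
crypto ipsec transform-set HQ_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic for the HQ tunnel. It must not overlap the ACL matched
! by sequence 1, or packets are encrypted toward the wrong peer. The HQ side
! needs the mirror image of this ACL.
ip access-list extended HQ_VPN_ACL
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! New instance in the EXISTING map; sequence 1 (partner tunnel) is untouched.
crypto map GMT_BZR 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set HQ_TS
 set pfs group14
 match address HQ_VPN_ACL
!
! No interface change is needed: GMT_BZR is already applied to the outside
! interface, and an interface accepts only one crypto map.
!
! If the outside interface also does NAT overload, add a deny for
! 192.168.10.0/24 -> 192.168.20.0/24 to the NAT ACL so that HQ-bound traffic
! is not translated before it is matched against HQ_VPN_ACL.
```

After the change, `show crypto map` should list both sequence 1 and sequence 10 under GMT_BZR, and `show crypto isakmp sa` and `show crypto ipsec sa peer 203.0.113.10` show the HQ tunnel once interesting traffic flows.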


Aditya Ganjoo
Cisco Employee

Duplicate post:

https://supportforums.cisco.com/discussion/13335606/vpn-site-site#comment-12181556

Regards,

Aditya

fabflorent
Level 1

Thank you Rick!

You are welcome. I am glad that my explanation was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions that have helpful information.

HTH

Rick
