02-12-2015 12:48 AM - edited 02-21-2020 08:04 PM
Hi there.
Could you please tell me how to create a second IPsec VPN on my router if a crypto map is already set on the interface and there is no other one? This interface is also an NHRP/DMVPN interface. The router is a hub.
02-13-2015 01:29 AM
Hello, Nikolay Yakushev.
A crypto map has a sequence number for each profile, so you can make up to 65535 profiles in one map.
Look at this in conf t: crypto map [name] [seq. number]
Best Regards.
02-15-2015 04:36 AM
Hi, and thanks for your attention.
Could you please give me an example in configuration?
We also need a different isakmp policy for this VPN. They also have a sequence number, but how do we set it?
Could we use the transport mode of IPsec on this interface, or just tunnel mode?
02-15-2015 11:33 PM
Hi, Nikolay.
For a new DMVPN cloud you don't need to configure a crmap on the interface. You can create a new tunnel interface and link a different transform set to it.
If you want to add a new l2l IPsec connection or a new EasyVPN, then you can look at this example:
crypto ipsec transform-set trset1 esp-3des esp-md5-hmac
 mode transport
 exit
crypto ipsec transform-set trset2 esp-aes esp-sha-hmac
crypto map CRNAME 1 ipsec-isakmp
 description ---------- VPN 1 ------------
 set peer IP_1
 set transform-set trset1
 match address ACL_1
 exit
crypto map CRNAME 2 ipsec-isakmp
 description ---------- VPN 2 ------------
 set peer IP_1
 set transform-set trset2
 match address ACL_2
 exit
interface FastEthernet0/0
 description ---- To outside----
 crypto map CRNAME
 exit
For an EasyVPN (or any other dynamic crypto map) you can use this example:
crypto dynamic-map DYNMAP 1
 set transform-set trset
 reverse-route
 exit
crypto map crmap 3 ipsec-isakmp dynamic DYNMAP
And an example for 2 DMVPN clouds on 1 router:
crypto ipsec transform-set trset_1 esp-3des esp-sha-hmac
 mode tunnel
 exit
crypto ipsec transform-set trset_2 esp-3des esp-md5-hmac
 mode transport
 exit
crypto ipsec profile dmvpn-profile1
 set transform-set trset_1
 exit
crypto ipsec profile dmvpn-profile2
 set transform-set trset_2
 exit
interface Tunnel1
 ip address [network]
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile dmvpn-profile1
 exit
interface Tunnel2
 ip address [network]
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile dmvpn-profile2
 exit
Best Regards.
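A consistency check for crypto-map configurations like the ones in the reply above, as an added example that is not part of the original post and not a Cisco tool: it reports transform sets that are referenced but never defined, crypto maps that are not applied to any interface, and legacy algorithms. The sample config is constructed by joining the reply's static and dynamic crypto-map fragments; the function name `audit` and the list of algorithms treated as legacy are this example's assumptions.

```python
import re

# Constructed sample: the reply's crypto-map fragments joined into one config.
SAMPLE = """\
crypto ipsec transform-set trset1 esp-3des esp-md5-hmac
crypto ipsec transform-set trset2 esp-aes esp-sha-hmac
crypto map CRNAME 1 ipsec-isakmp
 set peer IP_1
 set transform-set trset1
 match address ACL_1
crypto map CRNAME 2 ipsec-isakmp
 set peer IP_1
 set transform-set trset2
 match address ACL_2
crypto dynamic-map DYNMAP 1
 set transform-set trset
crypto map crmap 3 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
 crypto map CRNAME
"""

# Assumption of this example: transforms an auditor would flag as legacy.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def audit(config):
    """Return a list of findings for an indented IOS-style config (hypothetical helper)."""
    defined, used, maps, applied, findings = {}, set(), set(), set(), []
    in_interface = False
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():          # a new top-level command
            in_interface = line.startswith("interface ")
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            defined[m[1]] = m[2].split()
        elif m := re.match(r"set transform-set (.+)", line):
            used.update(m[1].split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            maps.add(m[1])
        elif in_interface and (m := re.match(r"crypto map (\S+)$", line)):
            applied.add(m[1])
    # Report weak transforms, dangling references, and unattached maps.
    for name, algos in defined.items():
        for a in sorted(LEGACY.intersection(algos)):
            findings.append(f"legacy algorithm {a} in transform-set {name}")
    for name in sorted(used - set(defined)):
        findings.append(f"transform-set {name} is referenced but not defined")
    for name in sorted(maps - applied):
        findings.append(f"crypto map {name} is not applied to any interface")
    return findings
```

On the joined sample it reports that the dynamic entry sits under the map name `crmap` while the interface carries `CRNAME`, and that `DYNMAP` refers to `trset`, which none of the fragments defines.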
02-18-2015 01:24 PM
Thanks, but I meant we have one DMVPN with a Tunnel interface, and we need to add a site-to-site VPN with a different isakmp policy.
I got the answer that we need to set a crypto map with the same name but with a different sequence number. But how do we set a different isakmp policy?
02-18-2015 11:45 PM
Hi, Nikolay Yakushev.
To add a new isakmp policy, use "crypto isakmp policy [sequence]". When your router starts establishing a VPN connection, it sends all isakmp policies to the other side. If there is a match between the policies on both sides (the sequence number doesn't matter), then both sides start to use this policy to establish the connection.
Nikolay, I take it that you are from Russia. This article will help you a lot with understanding how VPNs (and their types) work: http://habrahabr.ru/post/246281/
Best Regards.
02-19-2015 10:57 AM
Now it's clear, thank you.