
2 IPSec VPNs + DMVPN

Hi there.

Could you please tell me how to create a second IPSec VPN on my router if a crypto map is already set on the interface and there is no other one? This interface is also the NHRP/DMVPN interface. The router is a hub.

AllertGen
Level 3

Hello.

A crypto map has sequences for each profile. So you can make up to 65535 profiles in one map.

Look at this in conf t: crypto map [name] [seq. number]

Best Regards.

Hi, and thanks for your attention.

Could you please give me an example configuration?

We also need a different isakmp policy for this VPN. They have a sequence too, but how do we set it?

Could we use IPsec transport mode on this interface, or just tunnel mode?

Hi, Nikolay.

For a new DMVPN cloud you don't need to configure a crmap on the interface. You can create a new tunnel interface and link a different transfer set to it.

If you want to add a new l2l IPsec connection or a new EasyVPN, then you can look at this example:

crypto ipsec transform-set trset1 esp-3des esp-md5-hmac
 mode transport
exit

crypto ipsec transform-set trset2 esp-aes esp-sha-hmac

crypto map CRNAME 1 ipsec-isakmp
 description ---------- VPN 1 ------------
 set peer IP_1
 set transform-set trset1
 match address ACL_1
exit

crypto map CRNAME 2 ipsec-isakmp
 description ---------- VPN 2 ------------
 set peer IP_1
 set transform-set trset2
 match address ACL_2
exit


interface FastEthernet0/0
 description ---- To outside----
 crypto map CRNAME
exit

For an EasyVPN (or any other dynamic crypto map) you can use this example:

crypto dynamic-map DYNMAP 1
 set transform-set trset
 reverse-route
exit

crypto map crmap 3 ipsec-isakmp dynamic DYNMAP

And an example for 2 DMVPN clouds on 1 router:

crypto ipsec transform-set trset_1 esp-3des esp-sha-hmac
 mode tunnel
exit
crypto ipsec transform-set trset_2 esp-3des esp-md5-hmac
 mode transport
exit

crypto ipsec profile dmvpn-profile1
 set transform-set trset_1
exit
crypto ipsec profile dmvpn-profile2
 set transform-set trset_2
exit


interface Tunnel1
 ip address [network]
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile dmvpn-profile1
exit

interface Tunnel2
 ip address [network]
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile dmvpn-profile2
exit

Best Regards.
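
The rule this answer relies on, that an interface carries a single crypto map and further VPNs are added as sequence entries under that same name, can be checked mechanically before a change is pushed to a hub. The following Python script is an added example, not part of the original post or of any Cisco tool; the `audit` function and the sample config (built from the post's placeholder names, with two deliberate mistakes) are constructed for illustration.

```python
import re

# Constructed sample: a map name that is never applied and an undefined transform set.
SAMPLE = """\
crypto ipsec transform-set trset1 esp-3des esp-md5-hmac
crypto ipsec transform-set trset2 esp-aes esp-sha-hmac
crypto dynamic-map DYNMAP 1
 set transform-set trset
crypto map CRNAME 1 ipsec-isakmp
 set peer IP_1
 set transform-set trset1
crypto map CRNAME 2 ipsec-isakmp
 set peer IP_2
 set transform-set trset2
crypto map crmap 3 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
 crypto map CRNAME
"""

def audit(config):
    """Return (map entries by name, map applied per interface, findings)."""
    defined, used, entries, applied = set(), [], {}, {}
    section = ""
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):                 # top-level command opens a section
            section = line.strip()
            if m := re.match(r"crypto ipsec transform-set (\S+)", section):
                defined.add(m.group(1))
            if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", section):
                entries.setdefault(m.group(1), []).append(int(m.group(2)))
            continue
        body = line.strip()                          # sub-command of the current section
        if m := re.match(r"set transform-set (.+)", body):
            used += [(section, ts) for ts in m.group(1).split()]
        if (m := re.match(r"crypto map (\S+)$", body)) and section.startswith("interface "):
            applied[section.split()[1]] = m.group(1)
    findings = []
    for sec, ts in used:
        if ts not in defined:
            findings.append(f"undefined transform-set '{ts}' in '{sec}'")
    for name, seqs in entries.items():
        if name not in applied.values():             # entries under this name are inactive
            findings.append(f"crypto map '{name}' seq {sorted(seqs)} not applied to any interface")
    return entries, applied, findings
```

Calling `audit(SAMPLE)` reports the dynamic entry filed under `crmap` as inactive, because only `CRNAME` is bound to FastEthernet0/0, and the reference to the undefined `trset`.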

Thanks, but I meant we have one DMVPN with a Tunnel interface. And we need to add a site-to-site VPN with a different isakmp policy.

I got the answer that we need to set a crypto map with the same name but with a different sequence number. But how do we set a different isakmp policy?

Hi, Nikolay Yakushev.

To add a new isakmp policy, use "crypto isakmp policy [sequence]". When your router starts establishing a VPN connection, it sends all isakmp policies to the other side. And if there is a match in the policies on both sides (the sequence number doesn't matter), then both sides start to use this policy to establish the connection.

Nikolay, as I understand it, you are from Russia. This article will help you a lot with understanding how VPNs work (and their types): http://habrahabr.ru/post/246281/

Best Regards.
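
The matching behaviour described above, as an added Python example that is not part of the original post: the responder walks its own policies from the lowest sequence number up and accepts the first one whose encryption, hash, authentication and group equal any policy the initiator offered. The sample policies and function names are constructed, lifetime comparison is left out, and attributes missing from a policy are assumed to fall back to the same IOS default on both sides.

```python
import re

# Constructed sample policies for two peers; all values are illustrative.
HUB = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes
 hash sha
 authentication pre-share
 group 5
"""
BRANCH = """\
crypto isakmp policy 5
 encr aes
 hash sha
 authentication pre-share
 group 5
"""
KEYS = ("encr", "hash", "authentication", "group")

def parse_policies(config):
    """Return {sequence: (encr, hash, authentication, group)} for each policy."""
    policies, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto isakmp policy (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            key = "encr" if key.startswith("encr") else key   # "encryption" or "encr"
            if key in KEYS:
                current[key] = value
        else:
            current = None                                    # left the policy block
    return {p: tuple(a.get(k, "default") for k in KEYS) for p, a in policies.items()}

def negotiate(initiator_cfg, responder_cfg):
    """Return (initiator_seq, responder_seq) of the first match, or None."""
    offered = parse_policies(initiator_cfg)
    own = parse_policies(responder_cfg)
    for r_seq in sorted(own):              # responder's lowest sequence number first
        for i_seq in sorted(offered):
            if offered[i_seq] == own[r_seq]:
                return i_seq, r_seq
    return None
```

With these samples, `negotiate(BRANCH, HUB)` pairs the branch's policy 5 with the hub's policy 20, so the DMVPN policy 10 on the hub is untouched by the added site-to-site peer.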

Now it's clear, thank you.