921 Views, 0 Helpful, 8 Replies

Add a new ipsec connection to a interface (another session already working)

Hi guys, as the title says:

I already have an ipsec session running.

Now I need to establish another ipsec tunnel with a different peer and not related traffic.

The documentation mentions that it is not possible to assign more than one crypto map to an interface.

I only have one public interface, so how do I achieve that??

btw: 

I also need to be sure about the config... I cannot take down the existing connection.

Here is my config.

**********************************************************************************************************

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key [someKey] address 200.222.222.1
!
crypto ipsec transform-set MYTRANSFORM esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 description "site to site vpn to my remote"
 set peer 200.222.222.1
 set transform-set MYTRANSFORM
 match address 150
!
interface GigabitEthernet0/1/1.10
 encapsulation dot1Q 10
 ip address 222.111.1.1 255.255.255.128
 ip access-group 170 in
 crypto map MYMAP
!

Extended IP access list 150
    10 permit tcp host 172.24.3.1 eq 8888 host 172.22.0.1 (2032 matches)
    20 permit ip 172.24.3.0 0.0.0.255 host 172.22.8.16
    30 permit ip 172.24.3.0 0.0.0.255 host 172.22.5.41
    40 permit ip 172.24.3.0 0.0.0.255 host 172.22.6.160 (64 matches)

Any help on that would be appreciated,

Thanks!!

Leo.

2 Accepted Solutions (both replies by Jouni Forss, reproduced in the thread below)

8 Replies

Jouni Forss (VIP Alumni)

Hi,

Essentially you use the existing Crypto Map.

So looking at your existing configuration:

  • Add a new "crypto isakmp policy x" UNLESS the existing one matches the new connection's parameters also
  • Add a new "crypto isakmp key" configuration for this new peer
  • Add a new "crypto ipsec transform-set" configuration UNLESS the existing one matches the new connection's parameters also
  • Add a new "access-list" that defines the local and remote networks for this L2L VPN
  • Add a new "crypto map MYMAP x ipsec-isakmp" to the existing one

So you might add something like this to the existing "crypto map":

crypto map MYMAP 20 ipsec-isakmp
 description Connection 2
 set peer x.x.x.x
 set transform-set
 match address

Especially notice the number used in the above "crypto map MYMAP 20 ipsec-isakmp".

So to my understanding the rest of the configuration you will add as normal, but for the Crypto Map you will require its own number (sequence number / order number).

Also remember to add NAT0 / NAT Exemption configurations.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

Dear Jouni Forss, I'm waiting for a maintenance window, will let you know my result; of course I will mark this topic as solved. Thanks for your response!!

Leo.

Hi,

For some reason the page on this post is all messed up for me after the latest post.

But onto the subject,

I am not 100% sure about the "hash" part. I would assume it could be the default. I don't see any harm configuring another policy with the "hash" if you want to be sure.

You can probably see the current connection's "hash" with the following command:

show crypto isakmp sa detail

- Jouni

I found this:

##################################################### CLI output below

asr1002#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Secure Hash Standard
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit

############################################################################

and my tunnel requirements are:

  • Authentication Method: Preshared keys
  • Encryption Scheme: tunnel mode
  • Diffie-Hellman Group: group 2
  • Encryption Algorithm: 3DES
  • Hashing Algorithm: SHA
  • Main or Aggressive Mode: Main
  • Lifetime (Re-Negotiation): 86400 sec.

My current policy matches, I think I don't need to add a new policy.

Thanks.

Hi,

Seems that you indeed don't need a new ISAKMP Policy.

When you do configure the new L2L VPN let us know how it goes.

Please do remember to mark a reply as the correct answer if it has answered your question.

Feel free to ask more though if there are problems.

- Jouni

Dear Jouni Forss, regarding:

  • Add a new "crypto isakmp policy x" UNLESS the existing matches the new connections parameters also

In the new peer requirement I need to set, for the 1st phase (IKE): Hashing Algorithm SHA.

But if you take a look at my current crypto isakmp policy:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!

there is nothing about the hashing algorithm.

So my questions are:

  • Is SHA the default hashing algorithm? (Maybe that is why it is not listed in the configuration.)
  • How can I confirm which hashing algorithm is used on my current session?
  • And finally, then I will know if I need to create a new crypto policy.

THKS!
lamanaryp (Level 1)

Try this https://supportforums.cisco.com/thread/2045221

Sent from Cisco Technical Support Android App

jawad-mukhtar (Level 4)

An example for that will be as follows:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key [someKey] address 200.222.222.1
crypto isakmp key [someKey] address 1.1.1.1
!
crypto ipsec transform-set MYTRANSFORM esp-3des esp-sha-hmac
crypto ipsec transform-set MYNEWTRANSFORM esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 description "site to site vpn to my remote"
 set peer 200.222.222.1
 set transform-set MYTRANSFORM
 match address 150
crypto map MYMAP 20 ipsec-isakmp
 description "site to site vpn to my remote"
 set peer 1.1.1.1
 set transform-set MYNEWTRANSFORM
 match address 151
!
interface GigabitEthernet0/1/1.10
 encapsulation dot1Q 10
 ip address 222.111.1.1 255.255.255.128
 ip access-group 170 in
 crypto map MYMAP
!

Extended IP access list 150
    10 permit tcp host 172.24.3.1 eq 8888 host 172.22.0.1 (2032 matches)
    20 permit ip 172.24.3.0 0.0.0.255 host 172.22.8.16
    30 permit ip 172.24.3.0 0.0.0.255 host 172.22.5.41
    40 permit ip 172.24.3.0 0.0.0.255 host 172.22.6.160 (64 matches)

! crypto ACLs must be extended: numbered 100-199 or 2000-2699 (a number like 20 falls in the standard ACL range)
ip access-list extended 151
 permit tcp x.x.x.x x.x.x.x

Jawad
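Leo's constraint is that the existing tunnel must keep running while the second entry is added, so before pushing the config that Jouni's steps and Jawad's example describe, it is worth checking the candidate text for the mistakes that are easy to make here: a sequence number that is already in use (on IOS, re-entering "crypto map MYMAP 10 ipsec-isakmp" edits the existing entry instead of adding one), a transform-set or access list name that does not match its definition, a peer with no "crypto isakmp key", and a crypto ACL numbered in the standard range. The following Python script is an added example, not code from this thread or from Cisco; it parses running-config text and reports such dangling references. The sample config is constructed from the objects in Leo's posted configuration plus a second entry; the peer 1.1.1.1, its key placeholder and access list 151 are assumptions.

```python
"""Pre-change consistency check for Cisco IOS crypto map entries.
Added example for this thread; not code from the posts or from Cisco."""
import re
from typing import Dict, List, Optional

# Constructed sample: Leo's posted objects plus the second entry Jouni described.
# Peer 1.1.1.1, its key placeholder and access list 151 are assumptions.
SAMPLE_CONFIG = """\
crypto isakmp key [someKey] address 200.222.222.1
crypto isakmp key [someOtherKey] address 1.1.1.1
crypto ipsec transform-set MYTRANSFORM esp-3des esp-sha-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 200.222.222.1
 set transform-set MYTRANSFORM
 match address 150
crypto map MYMAP 20 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYTRANSFORM
 match address 151
!
ip access-list extended 150
 permit ip 172.24.3.0 0.0.0.255 host 172.22.8.16
ip access-list extended 151
 permit ip 172.24.3.0 0.0.0.255 10.9.8.0 0.0.0.255
"""
# The same config with two mistakes that are easy to make: a mistyped
# transform-set name and a crypto ACL numbered in the standard (1-99) range.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    "set transform-set MYTRANSFORM\n match address 151",
    "set transform-set MYNEWTRASNFORM\n match address 20",
) + "ip access-list extended 20\n permit ip 172.24.3.0 0.0.0.255 10.9.8.0 0.0.0.255\n"

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+)")
ISAKMP_KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)")
ACL_RE = re.compile(r"^(?:ip access-list (?:standard|extended)|access-list) (\S+)")
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
STANDARD_ACL_RANGES = ((1, 99), (1300, 1999))  # crypto ACLs must be extended, not these


def _arg(parts: List[str], i: int) -> Optional[str]:
    return parts[i] if len(parts) > i else None


def parse_config(text: str) -> Dict:
    """Collect referenceable objects and the crypto map entries that reference them."""
    cfg = {"transform_sets": set(), "isakmp_peers": set(), "acls": set(),
           "maps": {}, "duplicate_seqs": []}
    entry = None
    for raw in text.splitlines():
        line, parts = raw.strip(), raw.split()
        if not parts or line.startswith("!"):
            continue
        if not raw.startswith(" "):              # top-level command ends any sub-mode
            entry = None
            if m := TRANSFORM_RE.match(line):
                cfg["transform_sets"].add(m.group(1))
            elif m := ISAKMP_KEY_RE.match(line):
                cfg["isakmp_peers"].add(m.group(1))
            elif m := ACL_RE.match(line):
                cfg["acls"].add(m.group(1))
            elif m := CRYPTO_MAP_RE.match(line):
                name, seq = m.group(1), int(m.group(2))
                entries = cfg["maps"].setdefault(name, {})
                if seq in entries:               # IOS edits an existing sequence in place
                    cfg["duplicate_seqs"].append((name, seq))
                entry = entries.setdefault(seq, {})
        elif entry is not None and parts[:2] == ["set", "peer"]:
            entry["peer"] = _arg(parts, 2)
        elif entry is not None and parts[:2] == ["set", "transform-set"]:
            entry["transform"] = _arg(parts, 2)
        elif entry is not None and parts[:2] == ["match", "address"]:
            entry["acl"] = _arg(parts, 2)
    return cfg


def check_crypto_maps(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the entries are consistent."""
    cfg = parse_config(text)
    problems = [f"crypto map {n} {s}: sequence already in use; re-entering it edits the existing entry"
                for n, s in cfg["duplicate_seqs"]]
    for name, entries in cfg["maps"].items():
        for seq, e in sorted(entries.items()):
            tag = f"crypto map {name} {seq}"
            peer, ts, acl = e.get("peer"), e.get("transform"), e.get("acl")
            if peer is None:
                problems.append(f"{tag}: missing 'set peer'")
            elif peer not in cfg["isakmp_peers"]:
                problems.append(f"{tag}: no 'crypto isakmp key ... address {peer}' configured")
            if ts is None:
                problems.append(f"{tag}: missing 'set transform-set'")
            elif ts not in cfg["transform_sets"]:
                problems.append(f"{tag}: transform-set {ts} is not defined")
            if acl is None:
                problems.append(f"{tag}: missing 'match address'")
            elif acl not in cfg["acls"]:
                problems.append(f"{tag}: access list {acl} is not defined")
            elif acl.isdigit() and any(lo <= int(acl) <= hi for lo, hi in STANDARD_ACL_RANGES):
                problems.append(f"{tag}: access list {acl} is a standard ACL number; crypto ACLs must be extended")
    return problems
```

Run `check_crypto_maps()` over the candidate running-config (for example the output of `show running-config` with the new lines appended) and refuse to push while it returns anything. The checker reads only what the running-config contains, and IOS omits settings left at their defaults, which is why Leo's "crypto isakmp policy 1" shows no "hash" line: the ISAKMP default hash is SHA and the default lifetime is 86400 seconds, and "show crypto isakmp policy" displays those effective values, exactly as the CLI output above does.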