05-15-2018 01:13 PM - edited 03-12-2019 05:17 AM
Hi experts,
I have a working IPsec tunnel with peer1 matching local and remote subnets in the crypto ACL:
access-list abc extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map first 3 match address abc
crypto map first 3 set peer 100.1.1.1
crypto map first 3 set ikev1 transform-set temp1
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
pre-shared-key password
I want to set up another tunnel with a different peer but a single IP in the crypto ACL source and destination, but it will be part of the existing crypto ACL subnet... will it work?
access-list def extended permit ip 10.1.1.10 255.255.255.255 10.2.2.10 255.255.255.255
crypto map second 10 match address def
crypto map second 10 set peer 200.1.1.1
crypto map second 10 set ikev1 transform-set temp1
tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
pre-shared-key password
Both tunnels are routed via the default gateway to the same outside interface.
05-15-2018 01:21 PM
05-15-2018 01:25 PM
Thanks.
Touching the working tunnel is out of the question as it's serving production.
I am setting up the second one to test VPN connectivity with a new remote firewall.
Guess I will have to do with completely new IPs for the second tunnel, out of the existing subnets...
05-16-2018 10:51 AM
You should be able to create new and more specific ACLs at a higher sequence number. So something like this:
access-list abc extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map first 3 match address abc
crypto map first 3 set peer 100.1.1.1
crypto map first 3 set ikev1 transform-set temp1
tunnel-group 100.1.1.1 type ipsec-l2l
tunnel-group 100.1.1.1 ipsec-attributes
pre-shared-key password
access-list def extended permit ip 10.1.1.10 255.255.255.255 10.2.2.10 255.255.255.255
crypto map first 2 match address def
crypto map first 2 set peer 200.1.1.1
crypto map first 2 set ikev1 transform-set temp1
tunnel-group 200.1.1.1 type ipsec-l2l
tunnel-group 200.1.1.1 ipsec-attributes
pre-shared-key password
Note that traffic between 10.1.1.10 and 10.2.2.10 would never go through the old tunnel. So if you have the same IP addresses across both tunnels, this won't work.
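To see why the entry order matters, here is an added example (not from this thread or from Cisco) that models how an ASA walks a single crypto map: entries are tried in ascending sequence number and the first crypto ACL that matches the flow picks the peer. Only one crypto map can be applied per interface, so both entries have to live in the same map, as in the answer above; the helper also flags any entry whose ACL is fully covered by an earlier one and can therefore never match. The ACL lines and peers are the ones from this thread; the entry names are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoMapEntry:
    """One 'crypto map <name> <seq>' entry: its crypto ACL (src/dst nets) and peer."""
    seq: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    peer: str


def parse_acl(line):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' into two networks."""
    f = line.split()
    if len(f) != 9 or f[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return ipaddress.IPv4Network((f[5], f[6])), ipaddress.IPv4Network((f[7], f[8]))


def select_peer(crypto_map, src_ip, dst_ip):
    """Ascending sequence order, first crypto ACL match wins; None means no match (sent in clear)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if s in entry.src and d in entry.dst:
            return entry.peer
    return None


def shadowed_entries(crypto_map):
    """Sequence numbers of entries that can never match because an earlier entry covers them."""
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    return [later.seq for i, later in enumerate(ordered)
            if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst) for e in ordered[:i])]


# ACLs from the thread (constructed sample config, same values as the posts above).
ACL_ABC = "access-list abc extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0"
ACL_DEF = "access-list def extended permit ip 10.1.1.10 255.255.255.255 10.2.2.10 255.255.255.255"


def build_map(seq_abc, seq_def):
    return [CryptoMapEntry(seq_abc, *parse_acl(ACL_ABC), "100.1.1.1"),
            CryptoMapEntry(seq_def, *parse_acl(ACL_DEF), "200.1.1.1")]


GOOD_MAP = build_map(seq_abc=3, seq_def=2)      # /32 entry evaluated before the /24, as in the answer
SHADOWED_MAP = build_map(seq_abc=3, seq_def=10)  # /32 entry after the /24: it can never be reached

if __name__ == "__main__":
    print(select_peer(GOOD_MAP, "10.1.1.10", "10.2.2.10"), select_peer(GOOD_MAP, "10.1.1.20", "10.2.2.10"))
    print(select_peer(SHADOWED_MAP, "10.1.1.10", "10.2.2.10"), shadowed_entries(SHADOWED_MAP))
```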
05-16-2018 01:33 PM - edited 05-16-2018 01:33 PM
Makes sense.
The ACL sequence number should allow the specific ACL to take care of the /32 while the /24 is handled by the next line.
Thanks.