Configure multiple IPSec VPNs between Cisco routers

Chris.Doyle
Level 1

I'd like to create multiple IPsec VPNs between 3 routers. Before applying it, I'd like verification of the config I've written to see if this will work. This is just the configuration on RouterA for the VPNs to RouterB and RouterC.

As you can only apply one crypto map per interface, I figure that with the route map it should be able to handle the traffic for the two routers. Or is there a better way to do this?

RouterA - 1.1.1.1
RouterB - 2.2.2.2
RouterC - 3.3.3.3

RouterA

! Phase 1 (ISAKMP) policy shared by both peers
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! One pre-shared key per peer
crypto isakmp key RouterB address 2.2.2.2
crypto isakmp key RouterC address 3.3.3.3
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 5 periodic
crypto isakmp nat keepalive 30
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! One crypto map, one sequence number per peer. The lowest sequence whose
! match ACL permits a packet is used, so both tunnels are active at once.
crypto map outsidemap 20 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set AES-SHA
 match address 222
crypto map outsidemap 30 ipsec-isakmp
 set peer 3.3.3.3
 set transform-set AES-SHA
 match address 333
!
interface GigabitEthernet0/0
 description ** Internet **
 ip nat outside
 crypto map outsidemap
!
interface GigabitEthernet0/1
 description ** LAN **
 ip address 1.1.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source route-map RouterA interface GigabitEthernet0/0 overload
!
! Crypto ACLs: one per peer, selecting the traffic for each tunnel
access-list 222 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 333 permit ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
!
! NAT exemption: a single list that denies BOTH VPN destinations before the
! permit. "match ip address 223 334" with two separate lists would OR them,
! so each list's "permit ... any" would NAT the other peer's traffic, which
! would then no longer match its crypto ACL and leave the tunnel unencrypted.
access-list 223 deny   ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
access-list 223 deny   ip 1.1.1.0 0.0.0.255 3.3.3.0 0.0.0.255
access-list 223 permit ip 1.1.1.0 0.0.0.255 any
!
route-map RouterA permit 10
 match ip address 223
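An added model (not from the post or from Cisco) of the IOS processing order that matters for this config: inside-to-outside NAT runs before the outbound crypto map check, so a LAN flow the NAT route-map matches is translated and then no longer matches its crypto ACL. It compares the two-list form `match ip address 223 334` (ORed) with a single combined exemption list; the outside address 203.0.113.1 and the label "223-fixed" are constructed for the example.

```python
# Model of Cisco wildcard ACLs, route-map OR semantics and crypto map
# selection, built from the ACL numbers in the post. NAT is applied first,
# then the (post-NAT) packet is checked against the crypto map sequences.
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def acl_permits(acl, src, dst):
    """First matching ACE wins; implicit deny at the end of every ACL."""
    for action, s, sw, d, dw in acl:
        if wc_match(src, s, sw) and wc_match(dst, d, dw):
            return action == "permit"
    return False

def route_map_matches(acls, src, dst):
    """'match ip address A B ...' matches if ANY of the listed ACLs permits."""
    return any(acl_permits(a, src, dst) for a in acls)

ANY = ("0.0.0.0", "255.255.255.255")
ACL = {
    222: [("permit", "1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255")],
    333: [("permit", "1.1.1.0", "0.0.0.255", "3.3.3.0", "0.0.0.255")],
    223: [("deny", "1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255"),
          ("permit", "1.1.1.0", "0.0.0.255", *ANY)],
    334: [("deny", "1.1.1.0", "0.0.0.255", "3.3.3.0", "0.0.0.255"),
          ("permit", "1.1.1.0", "0.0.0.255", *ANY)],
    # constructed label: one list denying BOTH VPN destinations before the permit
    "223-fixed": [("deny", "1.1.1.0", "0.0.0.255", "2.2.2.0", "0.0.0.255"),
                  ("deny", "1.1.1.0", "0.0.0.255", "3.3.3.0", "0.0.0.255"),
                  ("permit", "1.1.1.0", "0.0.0.255", *ANY)],
}
CRYPTO_MAP = [(20, "2.2.2.2", ACL[222]), (30, "3.3.3.3", ACL[333])]
OUTSIDE_IP = "203.0.113.1"  # constructed Gi0/0 address, not in the post

def forward(src, dst, nat_acls):
    """Return ('nat'|'no-nat', crypto seq or None) for one LAN->Internet flow.
    None means the packet matched no crypto ACL and leaves unencrypted."""
    natted = route_map_matches(nat_acls, src, dst)
    post_nat_src = OUTSIDE_IP if natted else src
    for seq, _peer, acl in CRYPTO_MAP:  # lowest sequence number checked first
        if acl_permits(acl, post_nat_src, dst):
            return ("nat" if natted else "no-nat", seq)
    return ("nat" if natted else "no-nat", None)

POSTED = [ACL[223], ACL[334]]  # match ip address 223 334 (ORed)
FIXED = [ACL["223-fixed"]]     # match ip address 223 (single combined list)
```

`forward("1.1.1.10", "3.3.3.10", POSTED)` returns `("nat", None)`: the RouterC traffic is translated and misses crypto sequence 30, while `FIXED` yields `("no-nat", 30)`.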


Chris.Doyle
Level 1

Also, the VPNs should be active/active; this isn't for redundancy. So I'm not sure this would work with the crypto map sequencing.

rkumar5
Level 1

Hi Chris,

The config looks fine.

The crypto map has to be applied in sequential order.

The check on the crypto map happens in sequence.

HTH

Regards

Raj Kumar

Hi Raj,

So the crypto map will be applied in sequential order, but will they both remain active so that traffic can run over either VPN at the same time? Or will crypto map outsidemap 20 be the only one active, and crypto map outsidemap 30 only kick in if 20 fails?

Thanks,
Chris

Hi Chris,

Both will remain active.

The configuration that you have got is for multiple site-to-site VPNs; it is not for a redundant VPN.

The config for a redundant VPN is completely different, so let's not confuse it with that.

In the redundant VPN configuration both peers are defined in the same crypto map entry.

The traffic that needs to be passed through the tunnel always depends on the access-list that we call in the crypto map.

This access-list is checked first, and accordingly the traffic is passed through the correct tunnel.

HTH!!

Regards

Raj Kumar

Please rate all helpful posts

Great. To make sure I don't lose network connectivity, would it be safe to say I should apply the following as the last step?

interface GigabitEthernet0/0
 crypto map outsidemap