
IOS Dynamic VPN Setup with Multiple VRFs

Level 1

I am trying to terminate 2 clients (2 different VRFs) on the same router. I'm having a couple of issues. How do you match each VPN connection (hostname? user/fqdn?) without using an IP address, because each one will have a dynamic IP address, not static? Secondly, how do I set up the 2nd VPN? Attached is the working config with the 1 VPN.



crypto keyring preshared
 pre-shared-key address key password12345
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile Customer1
 vrf Customer1
 keyring preshared
 match identity address
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set aes-256-sha esp-aes 256 esp-sha-hmac
crypto dynamic-map Customer1Dyn 10
 set transform-set aes-256-sha
 set pfs group5
 set isakmp-profile Customer1
crypto map outsidemap1 local-address Vlan651
crypto map outsidemap1 1000 ipsec-isakmp dynamic Customer1Dyn

4 Replies

Philip D'Ath
VIP Alumni

Change to using IKEv2 instead of IKEv1 (I don't see much point in continuing to use the old IKEv1 if you don't have to).  Then you can match on things like "email" instead of IP address.

crypto ikev2 profile default
  match identity remote email
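
An added illustration, not part of the thread or any poster's configuration: the IKEv2 suggestion above extended to two customers, each with its own keyring and profile selected by the peer's IKE identity and bound to its own VRF. Customer2, the keyring and peer names, the e-mail identities and the `<...>` key placeholders are assumptions, as is a platform and IOS release that supports IKEv2.

```cisco
! Added example. Names, identities and keys below are placeholders.
! One keyring per customer, so no pre-shared key is shared between VRFs
! and no wildcard-address key is needed for the dynamic peers.
crypto ikev2 keyring Customer1-keys
 peer customer1-remote
  identity email vpn@customer1.example
  pre-shared-key <customer1-psk>
!
crypto ikev2 keyring Customer2-keys
 peer customer2-remote
  identity email vpn@customer2.example
  pre-shared-key <customer2-psk>
!
! The profile is chosen by the IKE identity the peer presents,
! not by its source address. Each remote router must send the
! matching identity (identity local email ...) in its own profile.
! Early IKEv2 releases take "keyring <name>" without "local".
crypto ikev2 profile Customer1
 match identity remote email vpn@customer1.example
 authentication remote pre-share
 authentication local pre-share
 keyring local Customer1-keys
 ivrf Customer1
!
crypto ikev2 profile Customer2
 match identity remote email vpn@customer2.example
 authentication remote pre-share
 authentication local pre-share
 keyring local Customer2-keys
 ivrf Customer2
!
! One dynamic-map per customer, each tied to its IKEv2 profile
crypto dynamic-map Customer1Dyn 10
 set transform-set aes-256-sha
 set pfs group5
 set ikev2-profile Customer1
crypto dynamic-map Customer2Dyn 10
 set transform-set aes-256-sha
 set pfs group5
 set ikev2-profile Customer2
!
crypto map outsidemap1 local-address Vlan651
crypto map outsidemap1 1000 ipsec-isakmp dynamic Customer1Dyn
crypto map outsidemap1 1010 ipsec-isakmp dynamic Customer2Dyn
```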


We are using a 6506E chassis with a Sup720-3BXL and an SPA-IPSEC-2G module. It looks like IKEv2 was introduced in IOS v15.X maybe? I'm having trouble finding a version of code that supports both the IKEv2 crypto profile as well as the SPA-IPSEC-2G. Any suggestions?



According to Cisco: The SPA-IPSEC-2G product has reached End-of-Sale (EoS)/End-of-Life (EoL), and Cisco no longer provides support. Additionally, Cisco no longer allows this module to power up upon boot in Cisco IOS Releases 15.4(1)S and later.

I think it will be very difficult to do what you want with such old equipment.

Next possibility. Can you put a second IP address on the "outside" interface where the VPN will terminate?
