
LAN-2-LAN IPSec - GRE or not?

fauresr
Level 1

I need to set up LAN-to-LAN VPNs between 3 routers. Each router has one interface on our public LAN and one interface on a private 192.168 network.

I have successfully configured the first pair of routers, with an IPsec connection between R1 and R2. Trying to add a new IPsec connection between R2 and R3 has been a problem. It looks like I can only apply one crypto map on an interface.

When done, I need 3 IPsec connections, R1-R2, R2-R3 and R3-R1. What is the best way to do this? Do I need to use GRE tunnels and tunnel interfaces? Or is there a better way?

Thank you,

Remy

4 Replies

fauresr
Level 1

I would like to add some information to my post above.

The current working config uses IPsec without GRE. It works fine between 2 routers.

My problem is how to expand this to more than 2 routers. The traffic will only be IP unicast, there is no NAT involved and no dynamic routing. If I can avoid GRE, it'd be easier.

Thank you,

Remy

Sounds like you want 2 remote sites to talk to each other. That would be a fully meshed IPSEC connection. I also included hub and spoke if you want it. If you want to pass RPs or broadcasts across the IPSEC connection I would use GRE. If you are using unicast traffic I would use a non-GRE IPSEC solution.

fully meshed

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008014f8ab.shtml

hub and spoke

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

Jay,

thanks for the links. The doc on the fully meshed configuration answered my question.

I had initially created 2 crypto maps, and only one could be bound to the interface. The document indicated how to combine two tunnels within a single crypto map. Problem is resolved.

Thanks again.

Remy
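
The fix described above, as an added example that is not part of the original thread or the linked Cisco document: R2 carries both tunnels as two sequence entries of a single crypto map, so only one map is bound to the public interface. All addresses, names, ACL numbers, the interface name, the algorithm choices and the key placeholders are constructed assumptions.

```cisco
! R2 (constructed values: public 203.0.113.2, private LAN 192.168.2.0/24)
! Peers: R1 = 203.0.113.1 / 192.168.1.0/24, R3 = 203.0.113.3 / 192.168.3.0/24
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One distinct pre-shared key per peer (placeholders, not real keys)
crypto isakmp key <PSK-R1-R2> address 203.0.113.1
crypto isakmp key <PSK-R2-R3> address 203.0.113.3
!
crypto ipsec transform-set L2L-SET esp-aes 256 esp-sha256-hmac
!
! Same map name, one sequence number per tunnel
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set L2L-SET
 match address 101
crypto map L2L-MAP 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set L2L-SET
 match address 102
!
! Interesting traffic: local private LAN to each remote private LAN only
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
!
interface FastEthernet0/0
 description public LAN
 ip address 203.0.113.2 255.255.255.0
 crypto map L2L-MAP
```

R1 and R3 each get the same structure with their own two entries, and every crypto ACL must be the exact mirror of the peer's ACL or the IPsec security associations will not come up.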

gwbryant
Level 1

Have you considered Dynamic Multipoint VPN (DMVPN)?