Multiple IPSec Tunnel

nmgopi
Level 1

I have a LAN-to-LAN VPN tunnel already running on a Cisco router and I want to configure one more LAN-to-LAN tunnel. How can I do that? If I configure a crypto map on the serial interface, it takes only one map.

How can I do this?

Can you give me some links for a sample configuration?

Cheers

8 Replies

pdentico
Level 1

You can have multiple crypto map entries under the same name with different sequence numbers:

crypto map vpn-map 1 ipsec-isakmp
 set peer xxx.xxx.xx.xxx
 set transform-set vpn3-set
 match address "your access-list here"
crypto map vpn-map 2 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set vpn3-set
 match address "your other access-list here"

Don't forget to add the other IP info into your no-NAT access-list.

Thanks for your input. Is it possible to use different encryption for different tunnels? For example, I want to use DES for one tunnel and 3DES for another tunnel.

Because if I use "crypto isakmp policy 1" I can specify only a single authentication.

Expecting your reply.

crypto dynamic-map Site1 1
 set transform-set My_Transform_set
 match address Site1
!
crypto dynamic-map Site2 2
 set transform-set My_Transform_set
 match address Site2
!
crypto map ETH0 1 ipsec-isakmp dynamic Site1
crypto map ETH0 2 ipsec-isakmp dynamic Site2

This will work, but the key on the hub site will have to match all spoke sites.

I've edited this Cisco sample config to match tunnels from three sites with negotiated WAN addresses to a hub router with a fixed IP address.

You've said this will work if the same key is used on all routers...

How can the hub router distinguish between the remote sites [matching acc -> negotiated WAN address]?

Current configuration:

!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sam-i-am
!
enable secret 5 $1$7WP3$aEqtNjvRJ9Vy6i41x0RJf0
enable password ww
!
ip subnet-zero
!
isdn switch-type basic-5ess
isdn voice-call-failure 0
cns event-service server
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
!
! wildcard peer address: any spoke that presents this key is accepted in phase 1
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
! one dynamic-map entry per spoke LAN; the entry is selected by the crypto ACL
! (proxy identities the spoke proposes), not by the spoke's WAN address
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 match address 115
!
crypto dynamic-map rtpmap 11
 set transform-set rtpset
 match address 116
!
crypto dynamic-map rtpmap 12
 set transform-set rtpset
 match address 117
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
interface Ethernet0
 ip address 10.2.2.3 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no mop enabled
!
interface Serial0
 ip address 99.99.99.1 255.255.255.0
 no ip directed-broadcast
 ip nat outside
 crypto map rtptrans
!
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 99.99.99.2
no ip http server
!
! crypto ACLs: hub LAN to each spoke LAN
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
!
access-list 116 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 116 deny ip 10.2.2.0 0.0.0.255 any
!
access-list 117 permit ip 10.2.2.0 0.0.0.255 10.4.4.0 0.0.0.255
access-list 117 deny ip 10.2.2.0 0.0.0.255 any
!
! no-NAT ACL: exempt the VPN traffic from the overload NAT on Serial0
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 120 deny ip 10.2.2.0 0.0.0.255 10.4.4.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map nonat permit 10
 match ip address 120
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password ww
 login
!
end
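As an added example (not from this thread and not Cisco's code), a small Python check that answers the question above by parsing the crypto section of the posted hub config: the hub picks a dynamic-map entry by which crypto ACL the proxy identities proposed by the spoke match, not by the spoke's negotiated WAN address, and the same parse surfaces the 0.0.0.0 pre-shared key that every spoke shares. The config text is a constructed subset of the posted configuration.

```python
import ipaddress

# Constructed sample: the crypto-relevant lines of the hub config posted above.
HUB_CONFIG = """
crypto isakmp key cisco123 address 0.0.0.0
crypto dynamic-map rtpmap 10
 set transform-set rtpset
 match address 115
crypto dynamic-map rtpmap 11
 set transform-set rtpset
 match address 116
crypto dynamic-map rtpmap 12
 set transform-set rtpset
 match address 117
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
access-list 115 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 deny ip 10.2.2.0 0.0.0.255 any
access-list 116 permit ip 10.2.2.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 117 permit ip 10.2.2.0 0.0.0.255 10.4.4.0 0.0.0.255
"""

def wildcard_to_net(addr, wc):
    """Convert an IOS address + wildcard mask to a network (0.0.0.255 -> /24)."""
    prefix = 32 - bin(int(ipaddress.IPv4Address(wc))).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_crypto(text):
    """Collect dynamic-map entries, the crypto ACLs they match and ISAKMP keys."""
    entries, acls, keys, cur = [], {}, [], None
    for t in (l.split() for l in text.splitlines() if l.strip()):
        if t[:2] == ["crypto", "dynamic-map"]:
            cur = {"seq": int(t[3]), "acl": None}
            entries.append(cur)
        elif cur and t[:2] == ["match", "address"]:
            cur["acl"] = t[2]
        elif t[:3] == ["crypto", "isakmp", "key"]:
            keys.append((t[3], t[5]))  # (key, peer address); 0.0.0.0 = any peer
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            acls.setdefault(t[1], []).append(
                (wildcard_to_net(t[4], t[5]), wildcard_to_net(t[6], t[7])))
    return {"entries": entries, "acls": acls, "keys": keys}

def select_entry(cfg, hub_net, spoke_net):
    """Seq of the first (lowest) dynamic-map entry whose crypto ACL permits
    hub_net -> spoke_net: the proxy IDs a spoke proposes, not its WAN address."""
    h, s = ipaddress.ip_network(hub_net), ipaddress.ip_network(spoke_net)
    for e in sorted(cfg["entries"], key=lambda e: e["seq"]):
        if any(h.subnet_of(a) and s.subnet_of(b) for a, b in cfg["acls"].get(e["acl"], [])):
            return e["seq"]
    return None
```

A spoke proposing a LAN that no crypto ACL permits gets no entry at all, which is how the hub rejects an unknown site even though it holds the shared key.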

brad
Level 1

You can only bind one crypto map to a given interface; however, one crypto map can define as many peers as the router's processor and RAM will support.

crypto map cisco-vpn 10 ipsec-isakmp
 set transform-set cisco-trans
 match address 110
 set peer x.x.x.a
crypto map cisco-vpn 20 ipsec-isakmp
 set transform-set cisco-other-trans
 match address 120
 set peer x.x.x.b

The spoke routers will have the peer address of the hub router in their crypto map statement. This is how they know how to get to the hub. The spoke sites can only initiate the tunnel. It is done in aggressive mode (Quick Mode).

This statement, "crypto isakmp key cisco123 address 0.0.0.0", on the hub router says: accept any request to build a tunnel from sites that have the proper set of transform-set specifications and, of course, the correct key.

I noticed you have not added your tunnel interfaces. You will need to add them if you are going to allow RIP to transfer routes.

E-mail me directly and I will send you the configs. I do not want to post what I have developed. Cisco's not giving away anything for free, so why should I help them fix problems that they make us pay for? I am more than willing to help those on the list who are looking for answers directly, but I don't want any Cisco "The Company" SEs to benefit from my work. They get all the free training, so they should know this stuff. I have to pay big bucks for my training and I should not be teaching them.

Sorry if this sounds callous, but you don't know what I had to go through with Cisco just to make their products work.

oops! Sorry :) email is jroy@axcelerant.com