
Multiple Site to Site Tunnels

Mike Elliott
Level 1

I have to set up a router with multiple site-to-site tunnels. I already have one of the tunnels established. The subnets at each branch office will NOT overlap.

I am using NAT overload w/static NAT translations, and I have a route map to except VPN traffic from the NAT process.

crypto map intmap 5 ipsec-isakmp
 set peer <Branch Office A>
 set transform-set trans1
 match address 130

route-map rock permit 10
 match ip address 123
 set ip next-hop 1.1.1.2
!
route-map nonat permit 10
 match ip address 110
How do I add a crypto map that will do Branch Office B?

4 Replies

Rick Morris
Level 6

Same as the first, just increase the process number. You have 5, use 10:

crypto map intmap 10 ipsec-isakmp
 set peer
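An added example, not part of the original thread, showing the second entry in full alongside the NAT exemption it depends on. The map name, transform set, ACL 130 and route-map nonat/ACL 110 come from the question; the subnets, the Branch B peer address, ACL 131 and the pre-shared key are constructed placeholders, and pre-shared-key authentication is an assumption.

```cisco
! Constructed values (assumptions, not from the thread):
!   HQ LAN        10.0.0.0/24
!   Branch A LAN  10.1.0.0/24
!   Branch B LAN  10.2.0.0/24
!   Branch B peer 203.0.113.2 (documentation address)
!
! Phase 1 key for the new peer. Assumes the ISAKMP policy already in
! place for Branch A uses pre-shared keys. Use a different key per peer.
crypto isakmp key <BRANCH-B-PSK> address 203.0.113.2
!
! Existing entry for Branch A, as posted in the question
crypto map intmap 5 ipsec-isakmp
 set peer <Branch Office A>
 set transform-set trans1
 match address 130
!
! New entry: same map name, higher sequence number, own peer and ACL.
! The map is already applied to the outside interface, so it is not
! applied a second time.
crypto map intmap 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set trans1
 match address 131
!
! Crypto ACL for Branch B: HQ LAN to Branch B LAN only. Keep it specific
! (no "any") and mirror it on the branch router, or the IPsec SAs will
! not agree on the protected traffic.
access-list 131 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! NAT exemption: ACL 110 is what route-map nonat matches, so it has to
! deny the traffic of every tunnel ahead of the permit that is NATed.
! Desired end state of ACL 110 (order matters):
access-list 110 deny   ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
!
! ACL 123 (route-map rock) is not shown in the thread. If it steers VPN
! traffic from statically NATed hosts around NAT, it needs the Branch B
! subnet added as well.
```

After applying, `show crypto map` should list both sequence numbers under intmap, and `show crypto ipsec sa` should show encaps/decaps counters rising for the Branch B peer once traffic flows.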

Cool beans, that is what I thought.

Are there any caveats or best practices? Should I expect to be able to route branch-to-branch traffic through the HQ? Or should I set up separate tunnels for that?

Honestly, the best set-up for what I think you are looking for is DMVPN.  http://www.cisco.com/en/US/products/ps6658/index.html

This allows you to build dynamic tunnels between offices without hair-pin routing via the Hub. After the traffic stops between site to site, it will tear the tunnel back down based on the timers you set up. This is accomplished via NHRP, which is a table that holds the next hops of all the tunnels. So, for instance, site A wants to talk to site F. Site A will send a look-up to the Hub asking for this info. The hub will respond, and site A and F will negotiate a tunnel.