
Multiple site-to-site VPN connections

Tommy Svensson
Level 1

Hi.

I have finally configured a site-to-site VPN connection and am now wondering how I can configure multiple connections that are accessible by different VLANs.

So that VLAN1 uses one tunnel and VLAN2 another.

Regards Tommy Svensson

Configuration so far:

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key vpnkey address ???????????.206
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
description site-2-site
set peer ????????????.206
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 100

access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255

7 Replies

Marcin Latosiewicz
Cisco Employee

Tommy,

When you configure multiple entries in an access-list or multiple crypto map entries, they are effectively protected with different keys (in the sense that each IPsec flow has its own SPI).

If you're saying you would like to secure traffic from VLAN 2 to 192.168.3.0 0.0.0.255, you just need to add a new entry in access-list 100 and make sure it's mirrored on the other end of the tunnel.

Marcin

Hi.

I feel like you misunderstood me; perhaps I'm not being clear about what I want to accomplish.

I want to have a site-to-site IPsec tunnel from Location A to my router, and the tunnel is only accessible from VLAN 1. Now I want a tunnel of the same sort between Location B and my router, and I want it to be accessible only from VLAN 2. How can I configure this?

Regards Tommy Svensson

Hi Tommy

To build on Marcin's comments, something like this should assist (obviously you will need to change the IP addresses accordingly).

crypto map VPNMAP 10 ipsec-isakmp
description site-2-site
set peer ????????????.206
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 100

!

crypto map VPNMAP 20 ipsec-isakmp
description site-2-site number 2
set peer ????????????
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 101

access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 101 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255

Barry

Hi Barry.

My understanding was that I could not apply any more crypto maps to my WAN interface and therefore cannot accomplish this with another crypto map.

In later stages I might want 5 tunnels or more, all going to the same WAN interface and the same IP address. How can I configure this?

Regards Tommy Svensson

Hi Tommy

The key here is that the 2nd tunnel is a second entry on the *same* crypto map. Note that the second tunnel definition is using sequence number 20 on the same crypto map name (VPNMAP).

Barry

crypto map VPNMAP 20 ipsec-isakmp
description site-2-site number 2
set peer ????????????
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 101
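The pattern Barry's two replies describe (one crypto map, one sequence number per tunnel, one ACL per entry) generalised to any number of tunnels, as an added example that is not from the thread or from Cisco. The script renders the crypto map and then runs the two checks a practitioner wants before applying it: that no two entries' selectors overlap (IOS evaluates crypto map entries in sequence order and the first match wins, so an overlapping later entry would never carry its VLAN's traffic), and that the ACL on each peer is the exact mirror of the local one, which is Marcin's point above. Peer addresses, subnets, and every function and class name are this example's own constructed placeholders.

```python
"""Render and sanity-check IOS crypto map entries for several site-to-site
tunnels that share one WAN interface. Added example, not Cisco tooling:
all names here are this script's own, and sample values are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Tunnel:
    """One crypto map entry: a VLAN subnet that may reach one remote subnet via one peer."""
    seq: int           # crypto map sequence number (10, 20, ...); must be unique per map
    peer: str          # remote IPsec gateway (constructed placeholder addresses below)
    local_net: str     # the VLAN subnet allowed into this tunnel, e.g. "10.10.1.0/24"
    remote_net: str    # subnet behind the peer
    description: str = ""


def wildcard(net: str) -> str:
    """IOS ACLs use wildcard masks (inverted netmask): /24 -> 0.0.0.255."""
    return str(ipaddress.ip_network(net, strict=True).hostmask)


def acl_line(acl_id: int, src: str, dst: str) -> str:
    """One 'interesting traffic' ACL entry selecting src -> dst for IPsec."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    return (f"access-list {acl_id} permit ip {s.network_address} {s.hostmask} "
            f"{d.network_address} {d.hostmask}")


def render(map_name: str, tunnels: list, transform_set: str = "VPN") -> str:
    """Emit one crypto map with a numbered entry per tunnel plus the ACL each entry matches.
    ACL numbers are 100 + index, following the 100/101 convention used in the thread."""
    lines, acls = [], []
    for i, t in enumerate(sorted(tunnels, key=lambda t: t.seq)):
        acl_id = 100 + i
        lines.append(f"crypto map {map_name} {t.seq} ipsec-isakmp")
        if t.description:
            lines.append(f" description {t.description}")
        lines += [f" set peer {t.peer}",
                  " set security-association lifetime kilobytes 4000",
                  f" set transform-set {transform_set}",
                  " set pfs group5",
                  f" match address {acl_id}",
                  "!"]
        acls.append(acl_line(acl_id, t.local_net, t.remote_net))
    return "\n".join(lines) + "\n" + "\n".join(acls)


def duplicate_seqs(tunnels: list) -> set:
    """Sequence numbers used more than once (a second 'crypto map X 10' would overwrite the first)."""
    seen, dups = set(), set()
    for t in tunnels:
        (dups if t.seq in seen else seen).add(t.seq)
    return dups


def overlapping_entries(tunnels: list) -> list:
    """Pairs of sequence numbers whose (local, remote) selectors overlap. The lower sequence
    matches first, so the higher entry is shadowed for that traffic and its VLAN split fails."""
    found = []
    for a, b in combinations(sorted(tunnels, key=lambda t: t.seq), 2):
        la, ra = ipaddress.ip_network(a.local_net), ipaddress.ip_network(a.remote_net)
        lb, rb = ipaddress.ip_network(b.local_net), ipaddress.ip_network(b.remote_net)
        if la.overlaps(lb) and ra.overlaps(rb):
            found.append((a.seq, b.seq))
    return found


ACL_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def is_mirror(local_line: str, remote_line: str) -> bool:
    """True when the peer's crypto ACL is the local one with source and destination swapped.
    Non-mirrored selectors produce mismatched proxy identities and phase 2 never completes."""
    m1, m2 = ACL_RE.match(local_line.strip()), ACL_RE.match(remote_line.strip())
    if not (m1 and m2):
        return False
    _, s1, sw1, d1, dw1 = m1.groups()
    _, s2, sw2, d2, dw2 = m2.groups()
    return (s1, sw1, d1, dw1) == (d2, dw2, s2, sw2)


# Constructed sample: peers are documentation-range addresses, not real gateways.
SAMPLE = [
    Tunnel(10, "198.51.100.206", "10.10.1.0/24", "192.168.3.0/24", "site-2-site"),
    Tunnel(20, "203.0.113.7", "10.10.2.0/24", "172.16.5.0/24", "site-2-site number 2"),
]

if __name__ == "__main__":
    print(render("VPNMAP", SAMPLE))
    print("duplicate seqs:", duplicate_seqs(SAMPLE))
    print("overlapping entries:", overlapping_entries(SAMPLE))
```

Adding a fifth or tenth tunnel is just another Tunnel entry with its own sequence number and VLAN subnet; the one crypto map stays bound to the WAN interface, which is the point Tommy was missing. The overlap check matters most when VLAN subnets are summarised (a /16 entry added after several /24 entries is the usual way to shadow one of them).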

Ah, I see. Thank you for your patience with me.

Regards Tommy Svensson

No problems Tommy. Best of luck with the config.

Barry
