04-18-2011 06:39 AM
Hi.
I have finally configured a site-to-site VPN connection and am now wondering how I can configure multiple connections that are accessible by different VLANs.
So that VLAN1 uses one tunnel and VLAN2 another.
Regards Tommy Svensson
Configuration so far:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 3600
crypto isakmp key vpnkey address ???????????.206
!
!
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
description site-2-site
set peer ????????????.206
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 100
access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
04-19-2011 02:37 PM
Tommy,
When you configure multiple entries in an access-list or multiple crypto map entries, they are effectively protected with different keys (in the sense that each IPsec flow has its own SPI).
When you say you would like to secure traffic from VLAN 2 to 192.168.3.0 0.0.0.255, you just need to add a new entry in access-list 100 and make sure it's mirrored on the other end of the tunnel.
Marcin
04-19-2011 11:06 PM
Hi.
I feel like you misunderstood me; perhaps I'm not being clear about what I want to accomplish.
I want to have a site-to-site IPsec tunnel from Location A to my router, and the tunnel is only accessible from VLAN 1. Now I want a tunnel of the same sort between Location B and my router, and I want it to be accessible only from VLAN 2. How can I configure this?
Regards Tommy Svensson
04-19-2011 11:11 PM
Hi Tommy
To build on Marcin's comments, something like this should assist (obviously you will need to change the IP addresses accordingly).
crypto map VPNMAP 10 ipsec-isakmp
description site-2-site
set peer ????????????.206
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 100
!
crypto map VPNMAP 20 ipsec-isakmp
description site-2-site number 2
set peer ????????????
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 101
access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip x.x.x.0 0.0.0.255 y.y.y.0 0.0.0.255
Barry
04-19-2011 11:15 PM
Hi Barry.
My understanding was that I could not apply any more crypto maps to my WAN interface and therefore cannot accomplish this with another crypto map.
In later stages I might want 5 tunnels or more, all going to the same WAN interface and the same IP address. How can I configure this?
Regards Tommy Svensson
04-19-2011 11:27 PM
Hi Tommy
The key here is that the 2nd tunnel is a second entry on the *same* crypto map. Note that the second tunnel definition is using sequence number 20 on the same crypto map name (VPNMAP). Barry
crypto map VPNMAP 20 ipsec-isakmp
description site-2-site number 2
set peer ????????????
set security-association lifetime kilobytes 4000
set transform-set VPN
set pfs group5
match address 101
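The layout Barry describes (one crypto map, one sequence number per tunnel, each with its own peer and crypto ACL) has a failure mode worth checking before it is applied: IOS evaluates the sequence numbers in ascending order and the first ACL that matches wins, so if the ACLs for VLAN 1 and VLAN 2 overlap, one VLAN's traffic is quietly steered to the wrong peer. The following Python linter is an added example, not code from the thread or from Cisco; it parses `show run` style text from the thread's own commands (`crypto map ... ipsec-isakmp`, `set peer`, `set transform-set`, `match address`, numbered `access-list`), and flags entries that are missing a peer, transform set or ACL, ACLs that use `any`, overlapping selectors across sequence numbers, and a map never applied to an interface. The sample configurations are constructed: the masked `????` peers are replaced with RFC 5737 documentation addresses and `x.x.x.0` / `y.y.y.0` with a second subnet pair, and contiguous wildcard masks are assumed.

```python
"""Lint an IOS crypto map that carries several tunnels as sequence numbers."""
from ipaddress import IPv4Address, IPv4Network

# Constructed sample: RFC 5737 peers, one sequence number per VLAN/peer pair.
GOOD_CONFIG = """
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.206
 set transform-set VPN
 set pfs group5
 match address 100
!
crypto map VPNMAP 20 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set VPN
 set pfs group5
 match address 101
!
access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 10.10.2.0 0.0.0.255 192.168.4.0 0.0.0.255
interface GigabitEthernet0/0
 crypto map VPNMAP
"""

# Constructed counter-example: seq 20 has no peer, its ACL overlaps ACL 100
# and ends in 'any', and the map is never applied to an interface.
BAD_CONFIG = """
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.206
 set transform-set VPN
 match address 100
crypto map VPNMAP 20 ipsec-isakmp
 set transform-set VPN
 match address 101
access-list 100 permit ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.255.255 any
"""


def _addr_spec(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' (contiguous wildcard assumed)."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    ones = bin(int(IPv4Address(tokens[i + 1]))).count("1")  # wildcard bits set
    return IPv4Network(f"{tokens[i]}/{32 - ones}", strict=False), i + 2


def parse_config(text):
    """Return ({(map, seq): fields}, {acl: [(src, dst)]}, {maps applied to an interface})."""
    maps, acls, applied = {}, {}, set()
    entry = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["crypto", "map"]:
            if len(t) >= 5 and t[4] == "ipsec-isakmp":      # new crypto map entry
                entry = maps.setdefault((t[2], int(t[3])), {})
            else:                                            # interface-level 'crypto map NAME'
                applied.add(t[2])
                entry = None
        elif t[0] == "access-list":
            if t[2] == "permit":
                src, j = _addr_spec(t, 4)
                dst, _ = _addr_spec(t, j)
                acls.setdefault(int(t[1]), []).append((src, dst))
            entry = None
        elif entry is not None and t[:2] == ["set", "peer"]:
            entry["peer"] = t[2]
        elif entry is not None and t[:2] == ["set", "transform-set"]:
            entry["transform_set"] = t[2]
        elif entry is not None and t[:2] == ["match", "address"]:
            entry["acl"] = int(t[2])
        elif t[0] in ("interface", "crypto", "ip", "router"):  # other top-level commands
            entry = None
    return maps, acls, applied


def lint(text):
    """Return human-readable findings; an empty list means the map passed every check."""
    maps, acls, applied = parse_config(text)
    findings, by_name = [], {}
    for (name, seq), entry in sorted(maps.items()):
        by_name.setdefault(name, []).append((seq, entry))
        where = f"crypto map {name} {seq}"
        for field in ("peer", "transform_set", "acl"):
            if field not in entry:
                findings.append(f"{where}: missing {field.replace('_', ' ')}")
        acl = entry.get("acl")
        if acl is not None and acl not in acls:
            findings.append(f"{where}: match address {acl} references an undefined ACL")
        if any(s.prefixlen == 0 or d.prefixlen == 0 for s, d in acls.get(acl, [])):
            findings.append(f"{where}: ACL {acl} uses 'any'; crypto ACLs should name exact subnets")
    # IOS walks sequence numbers in ascending order and the first ACL hit wins,
    # so overlapping selectors silently send one VLAN's traffic to the wrong peer.
    for name, entries in by_name.items():
        for i, (seq_a, a) in enumerate(entries):
            for seq_b, b in entries[i + 1:]:
                for sa, da in acls.get(a.get("acl"), []):
                    for sb, db in acls.get(b.get("acl"), []):
                        if sa.overlaps(sb) and da.overlaps(db):
                            findings.append(f"crypto map {name}: seq {seq_a} ({sa} -> {da}) overlaps "
                                            f"seq {seq_b} ({sb} -> {db}); seq {seq_a} always wins")
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
    return findings
```

Running `lint(GOOD_CONFIG)` returns no findings, while `lint(BAD_CONFIG)` reports the missing peer, the `any` selector, the overlap between sequence 10 and 20, and the unapplied map. The same checks apply when the map grows to five or more tunnels on one WAN interface: every new peer gets a new sequence number, and its ACL must carve out a subnet pair that no earlier sequence number already matches.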
04-19-2011 11:29 PM
Ah, I see. Thank you for your patience with me.
Regards Tommy Svensson
04-19-2011 11:32 PM
No problems Tommy. Best of luck with the config.
Barry