
Multiple VPNs on one interface troubles

TylerJWilson
Level 1

Hello. I am still pretty new to Cisco IOS, but I think I'm getting there. Right now I am trying to configure a sort of mesh VPN setup between five routers in such a way that every router can connect to every other router through VPN over an emulated Internet connection I set up (NAT). Here is the configuration of one router. I am using Packet Tracer with 2811 routers.

Current configuration : 3021 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Central
!
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr aes 128
 authentication pre-share
 group 2
!
crypto isakmp key VPNtun address 222.222.222.6
crypto isakmp key VPNtun address 222.222.222.10
crypto isakmp key VPNtun address 222.222.222.14
crypto isakmp key VPNtun address 222.222.222.18
!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
!
crypto map Central_Out 5 ipsec-isakmp
 set peer 222.222.222.14
 set transform-set TRANS-SET-GRE-TUNNEL
 match address IPSEC-TRAFFIC
!
crypto map Central_Out 6 ipsec-isakmp
 set peer 222.222.222.10
 set transform-set TRANS-SET-GRE-TUNNEL
 match address IPSEC-TRAFFIC
!
crypto map Central_Out 7 ipsec-isakmp
 set peer 222.222.222.6
 set transform-set TRANS-SET-GRE-TUNNEL
 match address IPSEC-TRAFFIC
!
crypto map Central_Out 8 ipsec-isakmp
 set peer 222.222.222.18
 set transform-set TRANS-SET-GRE-TUNNEL
 match address IPSEC-TRAFFIC
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface Tunnel5
 ip address 10.10.20.1 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 222.222.222.18
!
!
interface Tunnel6
 ip address 10.10.40.1 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 222.222.222.14
!
!
interface Tunnel7
 ip address 10.10.60.1 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 222.222.222.6
!
!
interface Tunnel8
 ip address 10.10.80.1 255.255.255.0
 tunnel source FastEthernet1/0
 tunnel destination 222.222.222.10
!
!
interface FastEthernet0/0
 ip address 10.1.50.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5
 ip address 10.1.5.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet1/0
 ip address 222.222.222.2 255.255.255.252
 ip nat outside
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router eigrp 7
 network 10.0.0.0
 auto-summary
!
ip nat inside source list 199 interface FastEthernet1/0 overload
ip nat inside source static tcp 10.1.50.2 80 222.222.222.2 80
ip classless
ip route 0.0.0.0 0.0.0.0 222.222.222.1
!
!
ip access-list extended IPSEC-TRAFFIC
 permit gre host 222.222.222.2 host 222.222.222.6
 permit gre host 222.222.222.2 host 222.222.222.10
 permit gre host 222.222.222.2 host 222.222.222.14
 permit gre host 222.222.222.2 host 222.222.222.18
access-list 110 deny tcp any any eq telnet
access-list 111 deny tcp any any eq ftp
access-list 113 deny tcp any 10.1.50.0 0.0.0.255 eq 22
access-list 114 deny tcp any any eq 81
access-list 115 deny udp any any eq 82
access-list 199 permit ip 10.1.0.0 0.0.255.255 any
!
!
!
!
!
line con 0
line vty 0 4
 login
!
!
!
end

Every time I try to add the crypto map to interface f1/0, Packet Tracer crashes on me. So, can anyone help me figure out what I'm doing wrong?

1 Reply

TylerJWilson
Level 1

Okay, I believe I got it. I needed to separate the different ACL listings for the VPNs into different extended bits. Gonna see if I can create the mesh VPN network I wanted now.
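An added example, not part of the original posts: a Python check for the condition the reply describes, where several crypto map entries point at one ACL that also selects traffic for other peers. The function names and the generated ACL names (`<acl>-<seq>`) are assumptions made here; the sample is trimmed from the posted config.

```python
import re
from collections import defaultdict

# Trimmed from the posted Central config: two entries sharing one ACL.
SAMPLE = """\
crypto map Central_Out 5 ipsec-isakmp
 set peer 222.222.222.14
 match address IPSEC-TRAFFIC
crypto map Central_Out 6 ipsec-isakmp
 set peer 222.222.222.10
 match address IPSEC-TRAFFIC
ip access-list extended IPSEC-TRAFFIC
 permit gre host 222.222.222.2 host 222.222.222.10
 permit gre host 222.222.222.2 host 222.222.222.14
"""

def parse(config):
    """Return (crypto map entries, ACL name -> list of (src, dst) GRE host pairs)."""
    entries, acls, cur = [], defaultdict(list), None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", s):
            cur = {"map": m[1], "seq": int(m[2]), "peer": None, "acl": None}
            entries.append(cur)
        elif m := re.match(r"ip access-list extended (\S+)", s):
            cur = m[1]
        elif isinstance(cur, dict) and (m := re.match(r"set peer (\S+)", s)):
            cur["peer"] = m[1]
        elif isinstance(cur, dict) and (m := re.match(r"match address (\S+)", s)):
            cur["acl"] = m[1]
        elif isinstance(cur, str) and (m := re.match(r"permit gre host (\S+) host (\S+)", s)):
            acls[cur].append((m[1], m[2]))
    return entries, acls

def audit(config):
    """List (seq, peer, acl, other_destinations) for entries whose ACL is not peer-specific."""
    entries, acls = parse(config)
    findings = []
    for e in entries:
        stray = [dst for _, dst in acls.get(e["acl"], []) if dst != e["peer"]]
        if stray:
            findings.append((e["seq"], e["peer"], e["acl"], stray))
    return findings

def per_peer_acls(config):
    """Emit one ACL per crypto map entry; the '<acl>-<seq>' names are made up here."""
    entries, acls = parse(config)
    return [l for e in entries for src, dst in acls.get(e["acl"], []) if dst == e["peer"]
            for l in (f"ip access-list extended {e['acl']}-{e['seq']}",
                      f" permit gre host {src} host {dst}")]
```

Each crypto map entry would then need its `match address` pointed at its own ACL; `audit` returns an empty list once every entry's ACL names only that entry's peer.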