07-23-2012 08:11 AM
I currently can do a site-to-site VPN between two routers, but I need a little help on how to add another site to the config. The remote sites only need to talk to the core router, so I shouldn't need GRE, but I am not sure what the right way is to add the extra hosts. It seems I can only add one crypto map to one physical interface, so how do you add the other site?
This is the set of commands I run to get the site-to-site up and going. What else do I need to add? Sorry for being a newb.
Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash sha
Router(config-isakmp)#authentication pre-share
Router(config)#crypto isakmp key <Keypass Key Router VPN Key> address <other router ip address>
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#access-list 110 permit ip any any
Router(config)#crypto ipsec transform-set Test esp-3des esp-sha-hmac
Router(config)#crypto map Test 1 ipsec-isakmp
Router(config-crypto-map)#set peer <other router IP Address>
Router(config-crypto-map)#set transform-set Test
Router(config-crypto-map)#match address 110
Router(config-if)#crypto map Test   ! run this command on the interface of the VPN
07-23-2012 08:41 AM
Hi Chris,
You can do that. Source peer ip address will be one address that is your outside address. But you can have multiple destination peers and policies that can be assigned to the same router.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml
The above document should help you. It is basic documentation, but it will give you an idea.
Please do rate if the given information helps.
By
Karthik
07-23-2012 09:21 AM
Thanks for the reply. I am still not sure how to set the other peers. So I do create a separate crypto map for each router connecting to the core, correct? If so, how do they get applied to the interface? If not, then what am I missing?
When I run this
crypto map Test
and this
crypto map outside
on the same interface, only outside is enabled on the interface and it bumps Test, so what am I missing? Most likely something silly, but I am just not following what is needed.
Thanks
07-23-2012 09:25 AM
Is the key in this command
crypto map Test 1 ipsec-isakmp
with the number being the different entries? So multiple entries using a different number and the same map name?
07-23-2012 09:35 AM
You will have to create another sequence number in your crypto map that will match the interesting traffic and assign it to the peer.
Here is a configuration example of how to do this:
The commands that you need are here:
hq-sanjose(config)# crypto map s4second 2 ipsec-isakmp
In your case the new command will be crypto map Test 2 ipsec-isakmp; then you will match the traffic, set the peer, and then set the transform set that you want to use.
Also, here is another thread that addresses the same concern; the topic of DMVPN is discussed there, which may be something to consider as well.
https://supportforums.cisco.com/thread/2161496
Thanks,
Tarik Admani
*Please rate helpful posts*
07-24-2012 08:08 AM
Well, I deleted the wrong post. I can ping from 192.168.2.1 to 192.168.2.2 and the other way, but cannot ping from 192.168.2.1 to 192.168.2.3.
I configured the two remote routers the same, so I am not sure what I am missing. Thanks for the help.
CORE ROUTER
r1#sh run
Building configuration...
Current configuration : 1043 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname r1
!
!
!
!
!
!
!
!
crypto isakmp policy 9
authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.2
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
crypto map Test 2 ipsec-isakmp
set peer 192.168.2.3
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.1 255.255.255.0
duplex auto
speed auto
crypto map Test
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 110 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
ROUTER 1
r2#sh run
Building configuration...
Current configuration : 894 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname r2
!
!
!
!
!
!
!
!
crypto isakmp policy 9
authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.1
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.2 255.255.255.0
duplex auto
speed auto
crypto map Test
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 110 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
ROUTER 2
r3#sh run
Building configuration...
Current configuration : 894 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname r3
!
!
!
!
!
!
!
!
crypto isakmp policy 9
authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.1
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.3 255.255.255.0
duplex auto
speed auto
crypto map Test
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
!
access-list 110 permit ip any any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
08-13-2012 08:55 AM
Any ideas? The site-to-site works when I take the second entry out. I am at a loss; it sure seems like it should be working.
When i just have this one it works:
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.2
set security-association lifetime seconds 86400
set transform-set Test
match address 110
When I have both in the main router for the site-to-multisite setup, only one connects:
crypto map Test 1 ipsec-isakmp
set peer 192.168.2.2
set security-association lifetime seconds 86400
set transform-set Test
match address 110
!
crypto map Test 2 ipsec-isakmp
set peer 192.168.2.3
set security-association lifetime seconds 86400
set transform-set Test
match address 110
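As an added illustration (not posted by anyone in this thread), here is the core-router side of the two-peer crypto map that Tarik's reply describes, written against the addresses in Chris's posted lab. Two things differ from the posted r1 config: a pre-shared key exists for each peer (the posted r1 only had one for 192.168.2.2), and each crypto map entry matches its own ACL instead of both matching access-list 110 (permit ip any any). The host entries are constructed to mirror the pings the thread tests; the transform set is kept as posted, although on current IOS you would choose AES over esp-3des.

```cisco
! Added example, not from the thread. Core router r1 (192.168.2.1),
! remote peers r2 (192.168.2.2) and r3 (192.168.2.3).
!
! 1) One pre-shared key per peer. Without the second line, IKE phase 1
!    with 192.168.2.3 has no key to authenticate against and never completes.
crypto isakmp policy 9
 authentication pre-share
crypto isakmp key Test1234 address 192.168.2.2
crypto isakmp key Test1234 address 192.168.2.3
!
! 2) One crypto ACL per peer. Crypto map entries are evaluated in sequence
!    order and the first entry whose ACL matches the packet is used. When
!    both entries "match address 110" (permit ip any any), entry 1 always
!    matches first, all traffic is steered to peer .2, and entry 2 is never
!    used. Host entries are constructed for this lab; in production each ACL
!    lists the protected subnets behind r1 and behind that peer.
no access-list 110
access-list 111 permit ip host 192.168.2.1 host 192.168.2.2
access-list 112 permit ip host 192.168.2.1 host 192.168.2.3
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set Test
 match address 111
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 set transform-set Test
 match address 112
!
! A single crypto map (one name, several sequence numbers) is applied once.
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 crypto map Test
!
! On each remote router the crypto ACL is the mirror image of the matching
! r1 entry, e.g. on r3:
!   access-list 110 permit ip host 192.168.2.3 host 192.168.2.1
!
! Verify: "show crypto isakmp sa" should list one QM_IDLE entry per peer
! after traffic to each has been sent, and "show crypto ipsec sa" should
! show encaps/decaps counters increasing for both peers.
```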
09-28-2015 03:44 AM
Hi Chris,
Sorry to dig up an old thread, but I see that there was no resolution for your issue posted here.
Did you manage to resolve your issue? I have run into the same problem and was hoping to find the resolution in your thread.
Thanks a mil,
09-28-2015 07:45 AM
Try looking at this and post back with any questions.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml
10-03-2015 12:37 PM
I am trying to configure the same thing with one core and 3 sites. Only site 1 can ping the core router loopback, i.e. its IPsec tunnel is up, but site 2 and site 3 cannot ping the core router loopback. Any suggestions?
10-15-2015 10:35 AM
What does the config look like?
10-15-2015 10:39 AM
Also, do the site 2 and site 3 VPNs come up?
Are the ACLs correct?
06-02-2021 10:34 AM - edited 06-02-2021 02:09 PM
Hi Chris, I have the same problem as you did. Did you solve it?
09-06-2023 09:58 PM
I have a few inquiries about your configuration. Do R1, R2 and R3 all have a routing protocol running between them? If yes, are the inside networks included in the routing?
If no, there is configuration missing from your routers, which is the NAT.
If you will be using NAT, you need to create a separate ACL for VPN traffic purposes only, and you need to deny NAT for the IP addresses that will traverse the VPN.