08-13-2012 07:57 PM - edited 02-21-2020 06:16 PM
I have configured a site-to-site IPsec VPN between two Cisco Call Manager Express routers (ISR routers). I applied the crypto map on the WAN interface of the two routers. It's working fine, but I need to connect another router with this, which means there are 3 sites. Is it possible to apply another crypto map on the same WAN interface?
thanks
08-13-2012 08:43 PM
Hi Kavithas.
You can use the same crypto map, but in order to add more VPN peers you need to identify them by different sequence numbers while using the same crypto map name. An example:
crypto map mymap 10 ipsec-isakmp
 match address 101
 set peer 1.1.1.1
 set transform-set myset10
crypto map mymap 20 ipsec-isakmp
 match address 101
 set peer 2.2.2.2
 set transform-set myset20
Please rate if useful
Zubair
08-13-2012 09:06 PM
Thanks Zubair, it's working. I also need to know: is it possible to configure a remote-access IPsec VPN and a site-to-site IPsec VPN on the same router?
Thank you so much
08-13-2012 09:12 PM
Yes, it is possible to have both on the same router. For the remote access VPN, you need to use a dynamic crypto map.
crypto dynamic-map dynmap 10
 set transform-set 3des-sha
crypto map myvpn 10 ipsec-isakmp dynamic dynmap
Thanks
Zubair
08-13-2012 09:21 PM
Thanks Zubair.
Hope it will work.
09-30-2013 09:12 AM
We have two routers in the DC setup. In Router-1 the SP1 link is terminated, and in Router-2 the SP2 link is terminated. In both routers, BGP is configured with the MPLS cloud.
In Router1, VLAN2 IP: 172.26.0.253.
In Router2, VLAN2 IP: 172.26.4.253.
DC subnet: 172.24.0.0/24
Now from the branch we are trying to implement an IPsec tunnel for the DC segment. SP1 & SP2 are configured as active-standby.
In DC, both routers' config:
crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp key <
crypto isakmp keepalive 30 5
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
crypto dynamic-map APDRPMAP 6
 set transform-set APDRPSET
crypto map APDRPMAIN 6 ipsec-isakmp dynamic APDRPMAP
int vlan 2
 crypto map APDRPMAIN
In branch router config:
crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp key apdrpCSEB@123! address 172.26.0.253 no-xauth
crypto isakmp key apdrpCSEB@123! address 172.26.4.253 no-xauth
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
 mode tunnel
no crypto map APDRPMAP 6 ipsec-isakmp
 set peer 172.26.0.253
 set transform-set APDRPSET
 match address 130
crypto map APDRPMAP 12 ipsec-isakmp
 set peer 172.26.4.253
 set transform-set APDRPSET
 match address 130
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 permit ip 172.17.220.32 0.0.0.3 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
access-list 130 deny ip 172.17.220.32 0.0.0.3 any
int gi 0/0
 crypto map APDRPMAP
int gi 0/1 --> Secondary MPLS link.
 crypto map APDRPMAP
Problem:
When, at the branch end, both links are up, it creates the tunnel with the DC primary router IP 172.26.0.253 and works perfectly fine.
When, at the branch end, the primary link goes down, traffic sourced towards the DC goes via gi0/1. In crypto, it tries to peer with the primary DC router IP only, instead of the secondary DC router IP, and as a result the tunnel is not able to form; the state is MM_NO_STATE.
When the primary link comes up again, it peers with 172.26.0.253 again and works fine.
We have tried to clear the crypto sessions in both cases but didn't get the expected result.
Please let us know where exactly we are going wrong.
09-30-2013 09:47 AM
We have two routers in the DC setup. In Router-1 the SP1 link is terminated, and in Router-2 the SP2 link is terminated. In both routers, BGP is configured with the MPLS cloud.
In Router1, VLAN2 IP: 172.26.0.253.
In Router2, VLAN2 IP: 172.26.4.253.
DC subnet: 172.24.0.0/24
Branch LAN segment: 172.27.1.128/27
Now from the branch we are trying to implement an IPsec tunnel for the DC segment. SP1 & SP2 are configured as active-standby.
In DC, both routers' config:
crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp key <
crypto isakmp keepalive 30 5
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
crypto dynamic-map APDRPMAP 6
 set transform-set APDRPSET
crypto map APDRPMAIN 6 ipsec-isakmp dynamic APDRPMAP
int vlan 2
 crypto map APDRPMAIN
In branch router config:
crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp key apdrpCSEB@123! address 172.26.0.253 no-xauth
crypto isakmp key apdrpCSEB@123! address 172.26.4.253 no-xauth
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
 mode tunnel
no crypto map APDRPMAP 6 ipsec-isakmp
 set peer 172.26.0.253
 set transform-set APDRPSET
 match address 130
crypto map APDRPMAP 12 ipsec-isakmp
 set peer 172.26.4.253
 set transform-set APDRPSET
 match address 130
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
int gi 0/0
 crypto map APDRPMAP
int gi 0/1 --> Secondary MPLS link.
 crypto map APDRPMAP
Problem:
When, at the branch end, both links are up, it creates the tunnel with the DC primary router IP 172.26.0.253 and works perfectly fine.
When, at the branch end, the primary link goes down, traffic sourced towards the DC goes via gi0/1. In crypto, it tries to peer with the primary DC router IP only, instead of the secondary DC router IP, and as a result the tunnel is not able to form; the state is MM_NO_STATE.
When the primary link comes up again, it peers with 172.26.0.253 again and works fine.
We have tried to clear the crypto sessions in both cases but didn't get the expected result.
Please let us know where exactly we are going wrong.
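The following is an added example, not configuration or code from this thread or from Cisco. It models the two IOS crypto map behaviours that Zubair's multi-peer example and the branch failover problem above both hinge on: entries are walked in ascending sequence number and the first entry whose ACL permits the packet wins, and within a single entry the `set peer` addresses are tried in order until one answers IKE. Peer reachability is simulated with a set of addresses assumed to respond to IKE (a stand-in for what `crypto isakmp keepalive` would detect); no packets are sent. The addresses and ACL come from the branch config above; the traffic sample and the consolidated map are constructed for the demonstration.

```python
"""Model of how a Cisco IOS crypto map picks a peer for outbound traffic.

Added example (not from the thread). Simplified: IOS also remembers the last
peer it heard from, which this model leaves out.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


def wildcard_to_network(addr: str, wildcard: str) -> IPv4Network:
    """Turn an IOS address/wildcard pair (172.27.1.128 0.0.0.31) into a network."""
    wc = int(IPv4Address(wildcard))
    host_bits = wc.bit_length()          # a valid wildcard is a run of low-order ones
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return IPv4Network(f"{addr}/{32 - host_bits}", strict=False)


@dataclass(frozen=True)
class AclLine:
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_permits(acl: tuple, src: str, dst: str) -> bool:
    """First matching ACL line wins; an ACL ends with an implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for line in acl:
        if s in line.src and d in line.dst:
            return line.action == "permit"
    return False


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    peers: tuple          # 'set peer' addresses in configured order
    acl: tuple            # the 'match address' ACL


def select_entry(crypto_map, src: str, dst: str) -> Optional[CryptoMapEntry]:
    """Lowest sequence number whose ACL permits the flow; later entries are shadowed."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.acl, src, dst):
            return entry
    return None


def choose_peer(crypto_map, src: str, dst: str, ike_responders: set) -> Optional[str]:
    """Peer an SA would be built with, or None (IKE never leaves MM_NO_STATE)."""
    entry = select_entry(crypto_map, src, dst)
    if entry is None:
        return None                       # not interesting traffic; no crypto applied
    for peer in entry.peers:              # walk 'set peer' list until one negotiates
        if peer in ike_responders:
            return peer
    return None


# Addresses and ACL 130 as posted in the branch config.
ACL_130 = (
    AclLine("permit", wildcard_to_network("172.27.1.128", "0.0.0.31"),
            wildcard_to_network("172.24.0.0", "0.0.255.255")),
    AclLine("deny", wildcard_to_network("172.27.1.128", "0.0.0.31"),
            IPv4Network("0.0.0.0/0")),
)
PRIMARY, SECONDARY = "172.26.0.253", "172.26.4.253"

# As posted: two entries, same ACL, one peer each. Sequence 6 shadows sequence 12.
AS_POSTED = [
    CryptoMapEntry(6, (PRIMARY,), ACL_130),
    CryptoMapEntry(12, (SECONDARY,), ACL_130),
]
# Constructed alternative: one entry listing both peers, so the peer walk happens.
CONSOLIDATED = [CryptoMapEntry(10, (PRIMARY, SECONDARY), ACL_130)]

SRC, DST = "172.27.1.130", "172.24.0.10"   # constructed branch-to-DC flow


def failover_outcome(crypto_map) -> tuple:
    """Peer chosen with both DC routers answering, then with only the secondary."""
    both_up = choose_peer(crypto_map, SRC, DST, {PRIMARY, SECONDARY})
    primary_down = choose_peer(crypto_map, SRC, DST, {SECONDARY})
    return both_up, primary_down


if __name__ == "__main__":
    print("as posted   :", failover_outcome(AS_POSTED))     # ('172.26.0.253', None)
    print("consolidated:", failover_outcome(CONSOLIDATED))  # ('172.26.0.253', '172.26.4.253')
```

In the model, the posted map always selects sequence 6 for DC-bound traffic, so when only the secondary router answers there is no peer left to try and the IKE state matches the MM_NO_STATE described above; a single entry with two `set peer` lines lets the router fall through to the secondary on its own. On a real router the `ike_responders` set corresponds to peers that still answer IKE keepalives/DPD, which is why the `crypto isakmp keepalive` line matters for detecting the dead primary.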