site to site ipsec vpn

tkavithas87
Level 1

I have configured a site-to-site IPsec VPN between two Cisco Call Manager Express routers (ISR routers). I applied the crypto map on the WAN interface of the two routers. It's working fine, but I need to connect another router with this, which means there are 3 sites. Is it possible to apply another crypto map on the same WAN interface?

Thanks

6 Replies

zujalal
Cisco Employee

Hi Kavithas,

You can use the same crypto map, but in order to add more VPN peers you need to identify them by different sequence numbers while using the same crypto map name. An example:

! Entries are evaluated in ascending sequence order; each peer gets its own
! entry and its own ACL describing the traffic destined for that site.
crypto map mymap 10 ipsec-isakmp
 match address 101
 set peer 1.1.1.1
 set transform-set myset10
crypto map mymap 20 ipsec-isakmp
 match address 102
 set peer 2.2.2.2
 set transform-set myset20

Please rate if useful

Zubair


Thanks Zubair, it's working. I also need to know: is it possible to configure a remote-access IPsec VPN and a site-to-site IPsec VPN on the same router?

Thank you so much

Yes, it is possible to have both on the same router. For the remote-access VPN, you need to use a dynamic crypto map.

! 3des-sha must already be defined with "crypto ipsec transform-set"
crypto dynamic-map dynmap 10
 set transform-set 3des-sha
crypto map myvpn 10 ipsec-isakmp dynamic dynmap

Thanks

Zubair

Thanks Zubair.

I hope it will work.

apcbpcbpcl
Level 1

We have two routers in the DC setup. In Router-1 the SP1 link is terminated, and in Router-2 the SP2 link is terminated. In both routers, BGP is configured with the MPLS cloud.

In Router1 VLAN2 IP: 172.26.0.253.

In Router2 VLAN2 IP: 172.26.4.253.

DC subnet: 172.24.0.0/24

Now, from the branch, we are trying to implement an IPsec tunnel for the DC segment. SP1 & SP2 are configured as active-standby.

Config on both DC routers:

crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp key <> address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 30 5
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
crypto dynamic-map APDRPMAP 6
 set transform-set APDRPSET
crypto map APDRPMAIN 6 ipsec-isakmp dynamic APDRPMAP
int vlan 2
 crypto map APDRPMAIN

Branch router config:

crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp key apdrpCSEB@123! address 172.26.0.253 no-xauth
crypto isakmp key apdrpCSEB@123! address 172.26.4.253 no-xauth
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
 mode tunnel
crypto map APDRPMAP 6 ipsec-isakmp
 set peer 172.26.0.253
 set transform-set APDRPSET
 match address 130
crypto map APDRPMAP 12 ipsec-isakmp
 set peer 172.26.4.253
 set transform-set APDRPSET
 match address 130
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 permit ip 172.17.220.32 0.0.0.3 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
access-list 130 deny ip 172.17.220.32 0.0.0.3 any
int gi 0/0
 crypto map APDRPMAP
! gi 0/1 is the secondary MPLS link
int gi 0/1
 crypto map APDRPMAP

Problem:

When, at the branch end, both links are up, it creates the tunnel with the DC primary router IP 172.26.0.253 and works perfectly fine.

When, at the branch end, the primary link goes down, traffic towards the DC goes via gi0/1. In crypto, it tries to peer with the primary DC router IP only, instead of the secondary DC router IP, and as a result the tunnel is not able to form; the state is MM_NO_STATE.

When the primary link comes up again, it peers with 172.26.0.253 and works fine.

We have tried clearing the crypto sessions in both cases but didn't get the expected result.

Please let us know where exactly we are going wrong.

ip_noc_fm
Level 1

We have two routers in the DC setup. In Router-1 the SP1 link is terminated, and in Router-2 the SP2 link is terminated. In both routers, BGP is configured with the MPLS cloud.

In Router1 VLAN2 IP: 172.26.0.253.

In Router2 VLAN2 IP: 172.26.4.253.

DC subnet: 172.24.0.0/24

Branch LAN Segment: 172.27.1.128/27

Now, from the branch, we are trying to implement an IPsec tunnel for the DC segment. SP1 & SP2 are configured as active-standby.

Config on both DC routers:

crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp key <> address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 30 5
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
crypto dynamic-map APDRPMAP 6
 set transform-set APDRPSET
crypto map APDRPMAIN 6 ipsec-isakmp dynamic APDRPMAP
int vlan 2
 crypto map APDRPMAIN

Branch router config:

crypto isakmp policy 10
 hash md5
 encr 3des
 authentication pre-share
crypto isakmp keepalive 30 5
crypto isakmp key apdrpCSEB@123! address 172.26.0.253 no-xauth
crypto isakmp key apdrpCSEB@123! address 172.26.4.253 no-xauth
crypto ipsec transform-set APDRPSET esp-3des esp-sha-hmac
 mode tunnel
crypto map APDRPMAP 6 ipsec-isakmp
 set peer 172.26.0.253
 set transform-set APDRPSET
 match address 130
crypto map APDRPMAP 12 ipsec-isakmp
 set peer 172.26.4.253
 set transform-set APDRPSET
 match address 130
access-list 130 permit ip 172.27.1.128 0.0.0.31 172.24.0.0 0.0.255.255
access-list 130 deny ip 172.27.1.128 0.0.0.31 any
int gi 0/0
 crypto map APDRPMAP
! gi 0/1 is the secondary MPLS link
int gi 0/1
 crypto map APDRPMAP

Problem:

When, at the branch end, both links are up, it creates the tunnel with the DC primary router IP 172.26.0.253 and works perfectly fine.

When, at the branch end, the primary link goes down, traffic towards the DC goes via gi0/1. In crypto, it tries to peer with the primary DC router IP only, instead of the secondary DC router IP, and as a result the tunnel is not able to form; the state is MM_NO_STATE.

When the primary link comes up again, it peers with 172.26.0.253 and works fine.

We have tried clearing the crypto sessions in both cases but didn't get the expected result.

Please let us know where exactly we are going wrong.
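An added model (not code from this thread or from Cisco) of how IOS chooses a crypto map entry, covering both Zubair's multi-peer example and the branch config in the two posts above: entries are walked in ascending sequence order and the first one whose "match address" ACL permits the flow wins, so when entries 6 and 12 share ACL 130, entry 12 (peer 172.26.4.253) is never selected no matter which interface the traffic leaves on. The alternative map with two "set peer" lines in one entry is an assumption for comparison, not something the posters configured.

```python
import ipaddress


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: a 0 bit in the wildcard must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching ACE decides; an unmatched flow hits the implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


def select_entry(crypto_map, acls, src: str, dst: str):
    """Walk entries by sequence number; the first ACL hit wins, later entries
    are never consulted for that flow (the exit interface plays no part)."""
    for entry in sorted(crypto_map, key=lambda e: e["seq"]):
        if acl_permits(acls[entry["acl"]], src, dst):
            return entry
    return None


# Constructed from the branch config posted above (ACEs as permit/deny tuples).
ACL_130 = [("permit", "172.27.1.128", "0.0.0.31", "172.24.0.0", "0.0.255.255"),
           ("deny", "172.27.1.128", "0.0.0.31", "0.0.0.0", "255.255.255.255")]
ACLS = {130: ACL_130}
POSTED_MAP = [{"seq": 6, "acl": 130, "peers": ["172.26.0.253"]},
              {"seq": 12, "acl": 130, "peers": ["172.26.4.253"]}]
# Assumed alternative: one entry listing both peers, so IOS can move on to the
# next peer when the first stops answering (needs the isakmp keepalive shown).
REDUNDANT_MAP = [{"seq": 6, "acl": 130,
                  "peers": ["172.26.0.253", "172.26.4.253"]}]


def candidate_peers(crypto_map, src="172.27.1.130", dst="172.24.0.10"):
    """Peers the router could try for a branch-LAN to DC flow."""
    entry = select_entry(crypto_map, ACLS, src, dst)
    return entry["peers"] if entry else []


if __name__ == "__main__":
    print("posted map:   ", candidate_peers(POSTED_MAP))
    print("redundant map:", candidate_peers(REDUNDANT_MAP))
```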
