06-27-2019 04:08 AM
Hello,
I have a Cisco router with 4 interfaces: 1 = WAN, 3 = for local subnets. I want to set up an IPsec VPN between 2 locations and want to transmit all 3 interfaces' data in the VPN tunnel. Is it possible that one instance of VPN will work on 3 interfaces? If yes, please explain how?
Thank you
06-27-2019 04:13 AM
Hi
You just need to match the 3 interface subnets in the crypto traffic match ACL.
!--- Create an ACL for the traffic to
!--- be encrypted. In this example,
!--- the traffic from 10.1.1.0/24 to 172.16.2.0/24
!--- is encrypted. The traffic which does not match the access list
!--- is unencrypted for the Internet.
06-27-2019 05:13 AM
06-27-2019 11:42 PM
The router needs to support crypto. There are a lot of routers that can do IPsec VPN. The choice of router depends on your requirements.
06-27-2019 04:14 AM
Hi,
Yes that is possible, you just need to configure a VPN tunnel from your WAN interface to the remote peer and then route the 3 local subnets over that tunnel. You can either use a crypto map or a VTI, crypto maps are considered legacy nowadays so I'd recommend using a VTI (FlexVPN).
Here are the Cisco FlexVPN configuration guides. In particular, you possibly want to use a Static VTI, example here.
HTH
06-27-2019 07:59 AM
06-27-2019 11:39 PM
@khurram49 wrote:
define 3 entries with same ACL # e.g. ACL 100?
Yes
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 10.1.3.0 0.0.0.255 172.16.2.0 0.0.0.255
Please don't forget to mark helpful posts and accept a solution to help out others :)
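Added example, not part of any post in this thread: since traffic that does not match the crypto ACL leaves the WAN interface unencrypted, this Python check parses the ACL 100 entries quoted above, reports any local subnet the ACL does not cover, and prints the mirror-image ACL for the remote peer. The function names, the reuse of ACL number 100 on the remote side, and the 10.1.4.0/24 test subnet are assumptions made for illustration.

```python
import ipaddress
import re

# ACL lines copied from the reply above.
ACL_100 = """\
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 100 permit ip 10.1.3.0 0.0.0.255 172.16.2.0 0.0.0.255
"""
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def to_network(addr, wildcard):
    """Turn an address and a contiguous wildcard mask into an IPv4Network."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be one unbroken run of low-order 1s
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network((addr, 32 - w.bit_length()))

def parse_acl(text):
    """Return (source, destination) network pairs for each permit-ip entry."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            aces.append((to_network(src, src_wc), to_network(dst, dst_wc)))
    return aces

def unprotected(local_nets, remote_net, aces):
    """Local subnets whose traffic to remote_net matches no crypto ACL entry."""
    remote = ipaddress.ip_network(remote_net)
    return [str(net) for net in map(ipaddress.ip_network, local_nets)
            if not any(net.subnet_of(s) and remote.subnet_of(d)
                       for s, d in aces)]

def mirror_acl(aces, number=100):
    """ACL for the remote peer: same entries with source/destination swapped."""
    return [f"access-list {number} permit ip {d.network_address} {d.hostmask} "
            f"{s.network_address} {s.hostmask}" for s, d in aces]

if __name__ == "__main__":
    aces = parse_acl(ACL_100)
    local = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    print("not covered:", unprotected(local, "172.16.2.0/24", aces))
    print("\n".join(mirror_acl(aces)))
```

Run it again whenever a local interface or subnet is added; a subnet listed as not covered would be forwarded outside the tunnel.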