VPN Site-to-site

fabflorent
Level 1

Hello,

I have a Cisco 1911 Router with one outside interface. 

I have already configured a site-to-site VPN tunnel (with IPsec) between my site and a partner site.

Now I am asked to configure a second VPN tunnel between my router and our HQ site.

Is it possible to keep the first tunnel and build a second IPsec site-to-site VPN tunnel on my Cisco 1911 router?

If not, which design and configurations are recommended?

I attached the first tunnel configuration on Cisco 1911.

On our HQ site, we have a MikroTik router...


!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxxxx address xx.xxx.xx.xxx
!
!
crypto ipsec transform-set TSGMT esp-aes 256 esp-sha-hmac
!
crypto map GMT_BZR 1 ipsec-isakmp
description Tunnel to xx.xxx.xx.xxx
set peer xx.xxx.xx.xxx
set transform-set TSGMT
match address 101
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN Interface
no ip address
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description LAN Interface
ip address 172.30.31.126 255.255.255.224
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname 2600-omar
ppp chap password 0 cong-2600
ppp pap sent-username 2600-omar password 0 cong-2600
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map GMT_BZR
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 102 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.x
!
access-list 101 permit ip 172.30.31.96 0.0.0.31 91.240.72.64 0.0.0.31
access-list 102 deny ip 172.30.31.96 0.0.0.31 91.240.72.64 0.0.0.31
access-list 102 permit ip 172.30.31.96 0.0.0.31 any
dialer-list 102 protocol ip permit

3 Replies

Aditya Ganjoo
Cisco Employee

Hi,

You can create two tunnels on the router.

You need to ensure that the crypto ACL is unique for both the peers (HQ and partner site).

If the traffic is going to be the same, then you can use the primary and secondary VPN tunnel configuration.

Router(config)#crypto map CryptoMap 1 ipsec-isakmp

Router(config-crypto-map)#set peer RemotePeer1-IP

Router(config-crypto-map)#set peer RemotePeer2-IP

This would mean that as soon as the primary peer fails it would fallback to the secondary peer.

Some helpful links:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2y/12_2yx11/feature/guide/ft_vpnha.html

Regards,

Aditya

Please mark correct answers and helpful posts.

Hi Aditya,

Thank you for your answer.

But I don't want to configure a backup peer. 

I need to configure two separate and operational tunnels, and the ACL will not be the same.

Hi,

Yes, it should work fine and does not need any special configuration.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
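As an added illustration of Aditya's answer (not configuration from the original thread), here is what a second, independent tunnel looks like on the poster's existing GMT_BZR crypto map: a new sequence number with its own peer, its own crypto ACL, and the matching NAT exemption so HQ-bound traffic is not translated before it reaches the crypto map. The HQ peer address 198.51.100.1, the HQ LAN 10.10.0.0/24 and the key string HQ_PSK_PLACEHOLDER are placeholders, not values from the thread.

```cisco
! Pre-shared key for the second peer (HQ). The address must be the HQ
! router's public IP; 198.51.100.1 is a placeholder.
crypto isakmp key HQ_PSK_PLACEHOLDER address 198.51.100.1
!
! Second entry in the SAME crypto map, with a new sequence number.
! Entry 1 (partner site, ACL 101) is left untouched, and the map is
! already applied to Dialer1, so nothing changes on the interface.
crypto map GMT_BZR 2 ipsec-isakmp
 description Tunnel to HQ (MikroTik)
 set peer 198.51.100.1
 set transform-set TSGMT
 match address 103
!
! Crypto ACL for the HQ tunnel. It must not overlap with ACL 101,
! otherwise the router cannot tell which peer a packet belongs to.
! 10.10.0.0/24 stands in for the HQ LAN.
access-list 103 permit ip 172.30.31.96 0.0.0.31 10.10.0.0 0.0.0.255
!
! NAT exemption: ACL 102 drives PAT on Dialer1, so HQ traffic needs a
! deny before the final permit, exactly like the partner subnet.
! Inserting by sequence number (supported on IOS 12.3+) avoids
! deleting and re-creating the list. Existing entries are 10 and 20.
ip access-list extended 102
 15 deny ip 172.30.31.96 0.0.0.31 10.10.0.0 0.0.0.255
```

Phase 1 is shared: the HQ MikroTik must offer a proposal matching `crypto isakmp policy 1` (AES-256, pre-shared key, DH group 2) and a phase 2 proposal matching TSGMT, or a second `crypto isakmp policy` must be added. After traffic is generated, `show crypto isakmp sa` and `show crypto ipsec sa` should list both peers with their own SAs.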