Re: VPN with three routers

egrellet · ‎02-28-2001

I have three routers 1720 on three sites.

One principal site, and two remote sites.

I want to do vpn connections between the principal site and the remote sites. I have only one serial interface.I use IKE.

How can i do ? Create two crypto isakmp policy ?

Create two crypto map on the principal router ?

Thank you for your anwser.

jomccloud · ‎02-28-2001

You can create multiple ISAKMP peers by specifying multiple crypto ISAKMP policies. You need only do this if each site needs to use different transforms. However, for each site, you must define a separate IKE key using the "crypto isakmp key value address value" statement. This config will specify a specific key for eacy IKE peer.

A similar scenario holds true for crypto maps. If multiple sites will use the same transform, you need only add multiple "set peer" statements within the crypto map. If you want to create a separate crypto policy for each site, you can use the crypto map tag iteration identifier within the crypto map.

Respective configurations are as follows:

Single crypto map with multiple peers:

!

crypto map to_router 1 ipsec-isakmp

set peer 10.1.1.1

set peer 10.2.2.1

set peer 10.3.3.1

set transform-set xxx

match address 101

!

Multiple crypto maps for each peer:

!

crypto map to_router 1 ipsec-isakmp

set peer 10.1.1.1

set transform-set xxx

match address 101

!

crypto map to_router 2 ipsec-isakmp

set peer 10.2.2.1

set transform-set xxx

match address 101

!

crypto map to_router 3 ipsec-isakmp

set peer 10.3.3.1

set transform-set xxx

match address 101

!

This approximates the configs you will need to get either scenario working. These scenarios are well documented at the following URL:

http://www.cisco.com/warp/public/700/configsec.html

Good luck!