Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Author	All Replies
TomS_ debugger it Premium,MVM join:2002-07-19 Australia	reply to DocLarge Re: [Config] Configuring More Than 1 VPN Tunnel (871w) DocLarge: Heres a practical example of multiple VPNs. This is probably what youre looking for: crypto keyring site-1-keyring pre-shared-key address 1.1.1.1 key abcd pre-shared-key address 2.2.2.2 key abcd crypto keyring site-2-keyring pre-shared-key address 3.3.3.3 key abcd ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp profile site-1-a-prof keyring site-1-keyring match identity address 1.1.1.1 255.255.255.255 crypto isakmp profile site-1-b-prof keyring site-1-keyring match identity address 2.2.2.2 255.255.255.255 crypto isakmp profile site-2-prof keyring site-2-keyring match identity address 3.3.3.3 255.255.255.255 ! ! crypto ipsec transform-set strong ah-sha-hmac esp-3des ! crypto map ipsec-maps 10 ipsec-isakmp description Site 1 VPN A set peer 1.1.1.1 set transform-set strong set isakmp-profile site-1-a-prof match address site-1-a-acl crypto map ipsec-maps 20 ipsec-isakmp description Site 1 VPN B set peer 2.2.2.2 set transform-set strong set isakmp-profile site-1-b-prof match address site-1-b-acl crypto map ipsec-maps 30 ipsec-isakmp description Site 2 set peer 3.3.3.3 set transform-set strong set isakmp-profile site-2-prof match address site-2-acl ! interface Dialer1 crypto map ipsec-maps ! ip access-list extended site-1-a-acl permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255 ip access-list extended site-1-b-acl permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255 ip access-list extended site-2-acl permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255 That should do it for you :-) I was feeling generous ;-) Also, props go out to covenant for showing me how to do this quite a while ago :-)
	to forum · permalink · · 2007-07-19 06:47:26 ·
MSN join:2004-05-15 Osgoode, ON	This was all good advice. I talked to DocLarge last night and we sorted it out. I teach this stuff for Cisco and he and I arrived at a good analogy: Essentially the crypto map is a virtual IPsec interface. All VPNs (both site-to-site and remote access) terminate on this virtual interface. If you think of the crypto map as the hub in a hub-and-spoke arrangement with the spokes being the VPN peers this makes sense. In the example above (thanks TomS_ !) the IPsec interface is identified as "ipsec-maps" The different VPN "spokes" are identified by their numbers. For example, "crypto map ipsec-maps 30 ipsec-isakmp" creates "spoke" 30, and the different components of the IPsec policy for moving traffic to/from the peer are grouped by that number: crypto map ipsec-maps 30 ipsec-isakmp description Site 2 set peer 3.3.3.3 set transform-set strong set isakmp-profile site-2-prof match address site-2-acl The key, then, is remembering that you only have one IPsec interface tied to any one physical interface. Once you have created this crypto map, you link it to a "reall" interface like this: In TomS_ 's config it is done with this command: interface Dialer1 crypto map ipsec-maps /Eric
MSN join:2004-05-15 Osgoode, ON	to forum · permalink · · 2007-07-19 08:22:57 ·
DocLarge Premium join:2004-09-08 4 edits	Thanks for the replies, gents... As MSN said, we came to an understanding and all is running. Where MSN calls it "hub and spoke," it (hub and spoke) can also be explained as the "anchor" crypto map (connectivity originates from it). Said differently, imagine the below map as my "first" crypto map: crypto mapanchormap 110 ipsec-isakmp Every other crypto map created needs to include the above crypto map as the "baseline" crypto map for vpn connectivity to take place (example given): crypto map *anchormap* 111 ipsec-isakmp set peer 22.33.44.55 match address 120 (Previously configured access-list) etc... crypto map *anchormap* 112 ipsec-isakmp set peer 11.33.55.44 match address 140 (Previously configured access-list) etc... By approaching it from this standpoint, MSN helped bridge the gap Heh it makes since now... Jay
DocLarge Premium join:2004-09-08 4 edits	to forum · permalink · · 2007-07-19 08:39:48 ·


Tuesday, 24-Nov 20:24:52	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. republican-creole page compression OFF