Topic 'Re: [Config] Configuring More Than 1 VPN Tunnel (871w)' in forum 'Cisco' - dslreports.com

Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Thu, 19 Jul 2007 08:39:48 EDT

DocLarge posted : Thanks for the replies, gents...

As MSN said, we came to an understanding and all is running.

Where MSN calls it "hub and spoke," it (hub and spoke) can also be explained as the "anchor" crypto map (connectivity originates from it). Said differently, imagine the below map as my "first" crypto map:

crypto mapanchormap 110 ipsec-isakmp

Every other crypto map created needs to include the above crypto map as the "baseline" crypto map for vpn connectivity to take place (example given):

crypto map anchormap 111 ipsec-isakmp
set peer 22.33.44.55
match address 120 (Previously configured access-list)
etc...

crypto map anchormap 112 ipsec-isakmp
set peer 11.33.55.44
match address 140 (Previously configured access-list)
etc...

By approaching it from this standpoint, MSN helped bridge the gap :)

*Heh* it makes since now...

Jay

Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Thu, 19 Jul 2007 08:22:57 EDT

MSN posted : This was all good advice. I talked to DocLarge last night and we sorted it out. I teach this stuff for Cisco and he and I arrived at a good analogy:

Essentially the crypto map is a virtual IPsec interface. All VPNs (both site-to-site and remote access) terminate on this virtual interface. If you think of the crypto map as the hub in a hub-and-spoke arrangement with the spokes being the VPN peers this makes sense. In the example above (thanks TomS_ !) the IPsec interface is identified as "ipsec-maps" The different VPN "spokes" are identified by their numbers. For example, "crypto map ipsec-maps 30 ipsec-isakmp" creates "spoke" 30, and the different components of the IPsec policy for moving traffic to/from the peer are grouped by that number:

crypto map ipsec-maps 30 ipsec-isakmp     description ** Site 2 **    set peer 3.3.3.3    set transform-set strong     set isakmp-profile site-2-prof    match address site-2-acl

The key, then, is remembering that you only have one IPsec interface tied to any one physical interface. Once you have created this crypto map, you link it to a "reall" interface like this:

In TomS_ 's config it is done with this command:

interface Dialer1 crypto map ipsec-maps

/Eric

Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Thu, 19 Jul 2007 06:47:26 EDT

TomS_ posted : DocLarge: Heres a practical example of multiple VPNs. This is probably what youre looking for:

crypto keyring site-1-keyring   pre-shared-key address 1.1.1.1 key abcd  pre-shared-key address 2.2.2.2 key abcdcrypto keyring site-2-keyring   pre-shared-key address 3.3.3.3 key abcd!crypto isakmp policy 1 encr 3des authentication pre-share group 2crypto isakmp profile site-1-a-prof   keyring site-1-keyring   match identity address 1.1.1.1 255.255.255.255 crypto isakmp profile site-1-b-prof   keyring site-1-keyring   match identity address 2.2.2.2 255.255.255.255 crypto isakmp profile site-2-prof   keyring site-2-keyring   match identity address 3.3.3.3 255.255.255.255 !!crypto ipsec transform-set strong ah-sha-hmac esp-3des !crypto map ipsec-maps 10 ipsec-isakmp  description ** Site 1 VPN A ** set peer 1.1.1.1 set transform-set strong  set isakmp-profile site-1-a-prof match address site-1-a-aclcrypto map ipsec-maps 20 ipsec-isakmp  description ** Site 1 VPN B ** set peer 2.2.2.2 set transform-set strong  set isakmp-profile site-1-b-prof match address site-1-b-aclcrypto map ipsec-maps 30 ipsec-isakmp  description ** Site 2 ** set peer 3.3.3.3 set transform-set strong  set isakmp-profile site-2-prof match address site-2-acl!interface Dialer1 crypto map ipsec-maps!ip access-list extended site-1-a-acl permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255ip access-list extended site-1-b-acl permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255ip access-list extended site-2-acl permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255

That should do it for you :-)

I was feeling generous ;-)

Also, props go out to covenant for showing me how to do this quite a while ago :-)

Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Tue, 17 Jul 2007 15:38:57 EDT

aryoba posted : Multiple policy (for IPSec tunnel Phase 1 establishment) is used usually for encryption method compatibility. As example, one VPN device is VPN tunneling with another using 3DES and with the 3rd device using DES. If all of VPN devices are running the same encryption method, then a single isakmp policy should be sufficient.

On the other hand, multiple crypto map (for the IPSec tunnel Phase 2 establishment) is used specifically for each individual tunnel between two VPN devices.

Example

»www.cisco.com/en/US/products/sw/···78.shtml

The 2nd crypto map for the 2nd tunnel could look something like this

crypto map mymap 20 ipsec-isakmpset peer 10.0.2.2set transform-set mysetmatch address 101!access-list 101 permit ip 10.1.1.0 0.0.0.255 172.16.3.0 0.0.0.255

assuming

* all VPN devices are using the same encryption method for both Phase 1 and Phase 2
* the 3rd VPN device is in front of 172.16.3.0/24 network

Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Tue, 17 Jul 2007 13:48:38 EDT

DocLarge posted : Thanks for the response, guys...

Tom, the tunnel is fine, it's working, so my direction on this hairy vpn ride is good. :) I'm just looking for the specific command required to allow more than one tunnel I've got separate policies (i.e., policy 10, policy 20) for both tunnels, I just need them to both run at the same time instead of just one at a time which is the issue at the moment. I'm ploughing through docs and haven't come across the command I need as of yet...

What is the specific syntax I'm looking for on the link you provided, Aryoba, regarding increasing the vpn tunnels?

'Preciate the help.

Jay

Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Tue, 17 Jul 2007 11:32:29 EDT

aryoba posted : One of essential part of setting up multiple IPSec tunnels on a single Cisco router is the "crypto map" command. The command is followed by sequence number. This sequence number should be unique to specific remote VPN peer IP address and access list that control the traffic; as indicated by TomS_

Check out more info of the "crypto map" command on this link
»www.cisco.com/en/US/products/ps6···p1175082

Re: [Config] Configuring More Than 1 VPN Tunnel (871w)

Tue, 17 Jul 2007 10:32:38 EDT

TomS_ posted : Increase the sequence number in the crypto map command to add additional VPNs.

Better yet, post your config so we can see what you are doing and point you in the right direction. Just make sure you obfuscate your keys and peer addresses.

[Config] Configuring More Than 1 VPN Tunnel (871w)

Tue, 17 Jul 2007 10:29:58 EDT

DocLarge posted : Does anyon recall waht the command is that allows you to configure more than 1 IPSEC vpn site-to-site tunnel on the 871w? I get the first tunnel up and running without difficulty, but when I put the second policy in and save the config, the first tunnel stops working...

Jay