Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations TouchToneTommy on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Multiple VPN in single Crypto Map 1

Status
Not open for further replies.

captnops

IS-IT--Management
Feb 12, 2003
141
I have a need to create multiple L2L VPN Tunnels to multiple customers. What is the syntax to create those tunnels in a single crypto map?

TIA

 
the same as you would to create a single vpn. the 'map' is just that, how the device is going to build the tunnel.
 
Thank you. My issue is that I know I can create multiple L2L vpns under a single crypto map, but I also have a need to incorporate a dymanic remote access vpn into the same map.

I did not word my question appropriately! :)

Thanks again for the help
 
it's no problem. you would do something like this:
Code:
crypto ipsec transform-set myset esp-aes esp-sha-hmac

crypto dynamic-map mymap 10
 set transform-set myset

crypto map mymap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set myset
 match address crypto_acl1
crypto map mymap 20 ipsec-isakmp
 set peer x.x.x.x
 set transform-set myset
 match address crytpo_acl2
crypto map mymap 100 ipsec-isakmp dynamic dynmap

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Opps....I do have another question.

This 2811 will host multiple VPNS (Remote Access, 2 L2Ls)
The L2L are going to two different companies. Once of those companies just asked me to NAT the traffic to a specific network prior to encrypting.

I know that I can do that with:
IP NAT INSIDE SOURCE STATIC NETWORK x.x.x.x y.y.y.y /24

My question is this: How do I prevent the traffic for the other L2L VPN from using this NAT? And Vica Versa.

Thanks
 
you could use a route-map

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Would you folks be so kind as to review my config and advise. I cannot get the second tunnel (VPN 2) to come up. This tunnel requires that I source NAT my internal traffic destined for their network from a 10.10.X.X to a 10.129.XX.X subnet.

_____________________________

Current configuration : 2993 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
enable secret xxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauthen local
!
!
aaa session-id common
no network-clock-participate wic 0
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
no ip domain lookup
!
no ipv6 cef
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 XXXXXXXXX address 206.xx.xx.xx
crypto isakmp key XXXXXXXXXX address 12.xx.xx.xx
crypto isakmp keepalive 10
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN1-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-VPN esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer 206.xx.xx.xx
set transform-set VPN1-VPN
match address 100
crypto map VPN 2 ipsec-isakmp
set peer 12.xxx.xx.xx
set transform-set VPN2-VPN
match address 101
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24

interface FastEthernet0/0
description GHDSI INTERNAL LAN
ip address 10.10.xxx.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
description GHDSI EXTERNAL WAN
ip address 173.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex full
speed 100
crypto map VPN
!
interface Serial0/0/0:0
description QWEST INTERNET CIRCUIT ID# DS1IT 14436097
no ip address
ip virtual-reassembly
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.xxx.xxx.xxx
!
!
ip http server
no ip http secure-server
ip nat inside source route-map VPN1 interface FastEthernet0/1 overload
ip nat inside source static 10.10.xxx.xxx 10.129.40.0 route-map VPN2MAP
!
no logging trap
access-list 100 permit ip any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any administratively-prohibited
access-list 101 permit ip any any
!
!
!
!
route-map VPN1 permit 10
match ip address 100
!
route-map VPN2 permit 10
match ip address 101
!
!
!
!
control-plane
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password 7 0045120209520547
transport input telnet
!
scheduler allocate 20000 1000
end

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top