Adding a 3rd site to existing 876 VPN routers

Unanswered Question
Feb 10th, 2009
User Badges:


I have 2 876 routers which connect trough a GRE IPsec tunnel. Also the routers by default use the ISDN port as backup in case the DSL fails.

I have 2 questions

a. If a add a 3rd site do i need to configure a separate GRE tunnel/crypto map etc or just add the details of the 3rd site to my existing config?

b. I saw that through SDM i only have the option of inserting the 'dial string' of the remote site. In this scenario i need to configure dialer map for each remote site. Will it work in 876 so that the central site dial to 2 separate destinations?

Please repply if you have any info because i am troubled if i need to keep 876 for my central site or upgrade to 1841 model, which is quite expensive.

many thanks


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
JamesLuther Thu, 02/12/2009 - 06:28
User Badges:
  • Silver, 250 points or more


876 routers support 10 ipsec tunnels so you won't need to upgrade.

To configure the new site then just add it as a seperate VPN tunnel. I imagine you'll want to create a mesh? You can then setup your routing layer to reflect your chosen topology.


tnikoletos Fri, 02/20/2009 - 05:02
User Badges:

Greetings and thanks gor your quick reply. I feel puzzled in 2 things.

1.My current tunnel from central to site 1 is in subnet 10.0.0.X / and .2)

Can the new tunnel for site 2 be or a new subnet e.g. is required?

2. I run 'show startup config' and found 2 crypto isakamp policys. See below (i have removed the real ip addresses with x1, x2,x3). How can i check which one is currently used?

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2


crypto isakmp policy 2

encr 3des

group 2

crypto isakmp key xxxxx address x1

crypto isakmp key xxxxx address x2

crypto isakmp key xxxxx address x3



crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to x2

set peer x2

set transform-set ESP-3DES-SHA

match address 100


interface Tunnel1

ip address

qos pre-classify

keepalive 1 3

tunnel source Dialer1

tunnel destination x2



interface Dialer1

description $FW_OUTSIDE$

ip address xxxxxx

ip access-group 107 in

ip nat outside

ip inspect SDM_MEDIUM out

ip virtual-reassembly

encapsulation ppp

dialer pool 2

dialer-group 2

no cdp enable

ppp authentication xxxx

ppp chap hostname xxxxx

ppp chap password 7 xxxxx

ppp pap sent-username xxxxxx password 7 xxxx

crypto map SDM_CMAP_1

I need to do this setup on an already configured router and my experience is basic so please be as descriptive as possible.

Again, thanks for your time :)




This Discussion