Single peer address for several vpn peers.

Unanswered Question
Mar 4th, 2009

Hi everyone,

I apologise for posting this thread in this forum. I have also posted it in the vpn forum but find I always get a much quicker response here.

I wonder if anyone can help me please. I am setting up vpn tunnels between my site and 3 other sites (there is no connectivity required between these 3 sites).

I am using a Cisco 7301 as my endpoint and have a single IP address that all three sites have to use as their peer address to connect with my site.

Please help with the configuration of this. I am told it is possible to configure this but would like some assistance; any sample configs or pointers in the right direction will be gratefully received.



Overall Rating: 5 (1 ratings)
Giuseppe Larosa Wed, 03/04/2009 - 07:19

Hello Martha,

on your side you need to configure a crypto map with three blocks

something like

crypto isakmp key shared_pwd_C1 address public-peer-1
crypto isakmp key shared_pwd_C2 address public-peer-2
crypto isakmp key shared_pwd_C3 address public-peer-3

then three blocks with different sequence numbers like

crypto map VPN_MAP 1000 ipsec-isakmp
 description peer1
 set peer public-peer-1
 set transform-set AES128
 match address 2059

crypto map VPN_MAP 1010 ipsec-isakmp
 description peer2
 set peer public-peer-2
 set transform-set AES128
 match address 2060

crypto map VPN_MAP 1030 ipsec-isakmp
 description peer3
 set peer public-peer-3
 set transform-set AES128
 match address 2061


the crypto map is then applied on the outgoing interface


you also need to define the transform set that specifies what encryption to use

Hope to help
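The pieces the answer above mentions but does not show (ISAKMP policy, transform set, crypto ACLs, interface binding), put together as an added example that is not part of the original post. All addresses, subnets, the interface name, the policy parameters and the `<psk-site-N>` placeholders are assumptions chosen for illustration; DH group 14 assumes an image that offers it.

```cisco
! Constructed values: local peer 192.0.2.1, local LAN 10.0.0.0/24,
! remote peers and LANs taken from documentation/private ranges.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 14
!
! One pre-shared key per remote peer, so a leaked key exposes one site only
crypto isakmp key <psk-site-1> address 198.51.100.10
crypto isakmp key <psk-site-2> address 203.0.113.20
crypto isakmp key <psk-site-3> address 203.0.113.30
!
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
!
! Crypto ACLs must not overlap each other, and each remote site
! needs the mirror image (source and destination swapped)
access-list 2059 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 2060 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 2061 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
crypto map VPN_MAP 1000 ipsec-isakmp
 description peer1
 set peer 198.51.100.10
 set transform-set AES128
 match address 2059
crypto map VPN_MAP 1010 ipsec-isakmp
 description peer2
 set peer 203.0.113.20
 set transform-set AES128
 match address 2060
crypto map VPN_MAP 1030 ipsec-isakmp
 description peer3
 set peer 203.0.113.30
 set transform-set AES128
 match address 2061
!
! An interface takes a single crypto map, which is why all three
! peers are sequence entries of the same VPN_MAP
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN_MAP
```

Once traffic matching an ACL is sent, `show crypto isakmp sa` and `show crypto ipsec sa` show whether each peer's phase 1 and phase 2 negotiations completed.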


mfawehin Wed, 03/04/2009 - 22:16

Wow, as always Giuseppe, thank you for your comprehensive, exemplary post. I will amend the sample you sent and let you know how I get on. Again, many thanks, Martha.

Giuseppe Larosa Thu, 03/05/2009 - 00:00

Hello Martha,

I took this example from my production network with some changes.

the reverse-route command provides reverse-route injection, which allows static routes to the remote site to be created while the IPsec tunnel is up.

We have a Stateful IPsec pair of routers that are two C7206VXR with NPE-G2 and 12.4(20)T advance_enterprise.

I think the command can help in a redundant environment.


if I remember correctly you are going to use a PIX pair; I'm not sure the command is available.

Hope to help


mfawehin Thu, 03/05/2009 - 01:20

Thanks Giuseppe.

The pair is actually 7301 routers so I'll check but I'm almost certain it'll be fine.

