Single peer address for several vpn peers.

Unanswered Question
Mar 4th, 2009

Hi everyone,

I apologise for posting this thread in this forum. I have also posted it in the vpn forum but find I always get a much quicker response here.

I wonder if anyone can help me please. I am setting up vpn tunnels between my site and 3 other sites (there is no connectivity required between these 3 sites).

I am using a Cisco 7301 as my endpoint and have a single IP address that all three sites have to use as their peer address to connect with my site.

Please help with the configuration of this, I am told it is possible to configure this but would like some assistance, any sample configs or pointers in the right direction will be gratefully received.

Cheers,

Martha

Giuseppe Larosa Wed, 03/04/2009 - 07:19

Hello Martha,

on your side you need to configure a crypto map with three blocks

something like

crypto isakmp key shared_pwd_C1 address public-peer-1
crypto isakmp key shared_pwd_C2 address public-peer-2
crypto isakmp key shared_pwd_C3 address public-peer-3

then three blocks with different sequence number like

crypto map VPN_MAP 1000 ipsec-isakmp
 description peer1
 set peer public-peer-1
 set transform-set AES128
 match address 2059
 reverse-route
crypto map VPN_MAP 1010 ipsec-isakmp
 description peer2
 set peer public-peer-2
 set transform-set AES128
 match address 2060
 reverse-route
crypto map VPN_MAP 1030 ipsec-isakmp
 description peer3
 set peer public-peer-3
 set transform-set AES128
 match address 2061
 reverse-route

the crypto map is then applied on the outgoing interface

see

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_vpn_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1047631

you also need to define the transform set that specifies what encryption to use

Hope to help

Giuseppe

mfawehin Wed, 03/04/2009 - 22:16

Wow, as always Giuseppe, thank you for your comprehensive, exemplary post. I will amend the sample you sent and let you know how I get on. Again, many thanks, Martha.

Giuseppe Larosa Thu, 03/05/2009 - 00:00

Hello Martha,

I took this example from my production network with some changes.

the reverse-route command provides reverse-route injection, which creates static routes to the remote site while the IPsec tunnel is up.

We have a Stateful IPsec pair of routers, two C7206VXR with NPE-G2 and 12.4(20)T advance_enterprise

I think the command can help in a redundant environment

see

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_r2.html#wp1040683

If I remember correctly you are going to use a PIX pair; I'm not sure the command is available there.

Hope to help

Giuseppe
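The pieces Giuseppe's two replies describe but do not show (phase 1 policy, transform set, the three crypto ACLs, the interface that carries the single peer address, and reverse-route on each entry) put together as one complete IOS configuration. This is an added illustration, not the thread's or his network's config: the peer and LAN addresses, interface name and ISAKMP policy values are assumed placeholders from the documentation ranges; the sequence numbers, ACL numbers and transform-set name are the ones used above.

```cisco
! Phase 1 (ISAKMP) policy shared by all three peers (assumed values)
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! One pre-shared key per peer, bound to that peer's public address (assumed addresses)
crypto isakmp key shared_pwd_C1 address 198.51.100.1
crypto isakmp key shared_pwd_C2 address 198.51.100.2
crypto isakmp key shared_pwd_C3 address 203.0.113.1
!
! Phase 2 transform set referenced by every crypto map entry
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto ACLs: one per peer, each covering only that site's LAN (assumed ranges).
! Entries are evaluated in sequence order and the first match wins,
! so the three ACLs must not overlap or traffic can be steered to the wrong peer.
access-list 2059 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 2060 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 2061 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! One crypto map, three entries; reverse-route injects a static route
! to each remote LAN only while that tunnel's SA is up.
crypto map VPN_MAP 1000 ipsec-isakmp
 description peer1
 set peer 198.51.100.1
 set transform-set AES128
 match address 2059
 reverse-route
crypto map VPN_MAP 1010 ipsec-isakmp
 description peer2
 set peer 198.51.100.2
 set transform-set AES128
 match address 2060
 reverse-route
crypto map VPN_MAP 1030 ipsec-isakmp
 description peer3
 set peer 203.0.113.1
 set transform-set AES128
 match address 2061
 reverse-route
!
! Applied once, on the outside interface whose address (assumed) is the
! single peer address all three remote sites point at.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN_MAP
```

After the tunnels come up, `show crypto map`, `show crypto isakmp sa` and `show ip route static` confirm respectively that the three entries are bound to the interface, which peers have negotiated, and which reverse-route entries are currently installed.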

mfawehin Thu, 03/05/2009 - 01:20

Thanks Giuseppe.

The pair is actually 7301 routers so I'll check but I'm almost certain it'll be fine.
