Single peer address for several vpn peers.

Mar 4th, 2009

Hi everyone,


I apologise for posting this thread in this forum. I have also posted it in the vpn forum but find I always get a much quicker response here.


I wonder if anyone can help me please. I am setting up VPN tunnels between my site and 3 other sites (there is no connectivity required between these 3 sites).

I am using a Cisco 7301 as my endpoint and have a single IP address that all three sites have to use as their peer address to connect with my site.

Please help with the configuration of this, I am told it is possible to configure this but would like some assistance, any sample configs or pointers in the right direction will be gratefully received.


Cheers,

Martha

Giuseppe Larosa Wed, 03/04/2009 - 07:19

Hello Martha,


On your side you need to configure a crypto map with three blocks,


something like


! one pre-shared key per remote peer, bound to that peer's public address
crypto isakmp key shared_pwd_C1 address public-peer-1
crypto isakmp key shared_pwd_C2 address public-peer-2
crypto isakmp key shared_pwd_C3 address public-peer-3



then three blocks with different sequence numbers, like


! one entry per peer in the same crypto map; each entry has its own
! peer address and its own crypto ACL selecting the traffic to protect
crypto map VPN_MAP 1000 ipsec-isakmp
 description peer1
 set peer public-peer-1
 set transform-set AES128
 match address 2059
 reverse-route

crypto map VPN_MAP 1010 ipsec-isakmp
 description peer2
 set peer public-peer-2
 set transform-set AES128
 match address 2060
 reverse-route

crypto map VPN_MAP 1030 ipsec-isakmp
 description peer3
 set peer public-peer-3
 set transform-set AES128
 match address 2061
 reverse-route


The crypto map is then applied to the outgoing interface.


see


http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_vpn_ipsec_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1047631


You also need to define the transform set, which specifies what encryption to use.


Hope to help

Giuseppe


mfawehin Wed, 03/04/2009 - 22:16

Wow, as always Giuseppe, thank you for your comprehensive, exemplary post. I will amend the sample you sent and let you know how I get on. Again, many thanks, Martha.

mfawehin Wed, 03/04/2009 - 22:56

Giuseppe, what does the reverse-route command achieve?

Giuseppe Larosa Thu, 03/05/2009 - 00:00

Hello Martha,

I took this example from my production network with some changes.


The reverse-route command provides reverse-route injection, which creates static routes to the remote site while the IPsec tunnel is up.


We have a Stateful IPsec pair of routers, two C7206VXR with NPE-G2 and 12.4(20)T advance_enterprise.


I think the command can help in a redundant environment.


see


http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_r2.html#wp1040683


If I remember correctly you are going to use a PIX pair; I'm not sure the command is available.


Hope to help

Giuseppe


mfawehin Thu, 03/05/2009 - 01:20

Thanks Giuseppe.

The pair is actually 7301 routers, so I'll check, but I'm almost certain it'll be fine.
