03-04-2009 06:30 AM - edited 03-04-2019 03:48 AM
Hi everyone,
I apologise for posting this thread in this forum. I have also posted it in the vpn forum but find I always get a much quicker response here.
I wonder if anyone can help me please. I am setting up vpn tunnels between my site and 3 other sites (there is no connectivity required between these 3 sites).
I am using a Cisco 7301 as my endpoint and have a single IP address that all three sites have to use as their peer address to connect with my site.
Please help with the configuration of this. I am told it is possible to configure this but would like some assistance; any sample configs or pointers in the right direction will be gratefully received.
Cheers,
Martha
03-04-2009 07:19 AM
Hello Martha,
on your side you need to configure a crypto map with three blocks
something like
crypto isakmp key shared_pwd_C1 address public-peer-1
crypto isakmp key shared_pwd_C2 address public-peer-2
crypto isakmp key shared_pwd_C3 address public-peer-3
then three blocks with different sequence numbers, like
crypto map VPN_MAP 1000 ipsec-isakmp
 description peer1
 set peer public-peer-1
 set transform-set AES128
 match address 2059
 reverse-route
crypto map VPN_MAP 1010 ipsec-isakmp
 description peer2
 set peer public-peer-2
 set transform-set AES128
 match address 2060
 reverse-route
crypto map VPN_MAP 1030 ipsec-isakmp
 description peer3
 set peer public-peer-3
 set transform-set AES128
 match address 2061
 reverse-route
the crypto map is then applied on the outgoing interface
see
you also need to define the transform set that specifies what encryption to use
Hope to help
Giuseppe
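A consistency check for the crypto map layout described above, as an added example that is not part of the original posts and not Cisco tooling: it verifies that every crypto map entry has a peer with a matching pre-shared key, a defined transform set and a defined access list, and that the map is applied to an interface. The sample config, its interface name, the transform-set definition and the ACL subnets are constructed for illustration.

```python
import re

# Constructed sample: the thread's layout with three deliberate omissions.
SAMPLE = """\
crypto isakmp key shared_pwd_C1 address public-peer-1
crypto isakmp key shared_pwd_C2 address public-peer-2
crypto ipsec transform-set AES128 esp-aes 128 esp-sha-hmac
crypto map VPN_MAP 1000 ipsec-isakmp
 set peer public-peer-1
 set transform-set AES128
 match address 2059
crypto map VPN_MAP 1010 ipsec-isakmp
 set peer public-peer-2
 set transform-set AES128
 match address 2060
crypto map VPN_MAP 1030 ipsec-isakmp
 set peer public-peer-3
 set transform-set AES128
 match address 2061
access-list 2059 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
access-list 2060 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
interface GigabitEthernet0/0
"""

def audit(config):
    """Return findings for crypto map entries that reference missing pieces."""
    keyed = set(re.findall(r"^crypto isakmp key .+ address (\S+)", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    acls = set(re.findall(r"^(?:ip access-list extended|access-list) (\S+)", config, re.M))
    applied = set(re.findall(r"^ crypto map (\S+)[ \t]*$", config, re.M))
    findings, names = [], []
    # One match per "crypto map NAME SEQ ipsec-isakmp" header plus its indented body.
    for name, seq, body in re.findall(
            r"^crypto map (\S+) (\d+) ipsec-isakmp[ \t]*\n((?:^ .*$\n?)*)", config, re.M):
        if name not in names:
            names.append(name)
        refs = {kw: re.findall(rf"^ {kw} (\S+)", body, re.M)
                for kw in ("set peer", "set transform-set", "match address")}
        for kw, defined, what in (("set peer", keyed, "ISAKMP key for peer"),
                                  ("set transform-set", tsets, "transform-set"),
                                  ("match address", acls, "access-list")):
            if not refs[kw]:
                findings.append(f"{name} {seq}: missing '{kw}'")
            findings += [f"{name} {seq}: no {what} {v} defined"
                         for v in refs[kw] if v not in defined]
    findings += [f"{n}: not applied to any interface" for n in names if n not in applied]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```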
03-04-2009 10:16 PM
Wow, as always Giuseppe thank you for your comprehensive, exemplary post. I will amend the sample you sent and let you know how I get on. Again, many thanks, Martha.
03-04-2009 10:56 PM
Giuseppe, what does the reverse-route command achieve?
03-05-2009 12:00 AM
Hello Martha,
I took this example from my production network with some changes.
the reverse-route command provides reverse-route injection, which allows static routes to the remote site to be created while the IPsec tunnel is up.
We have a Stateful IPsec pair of routers that are two C7206VXR with NPE-G2 and 12.4(20)T advance_enterprise
I think the command can help in a redundant environment
see
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_r2.html#wp1040683
if I remember correctly you are going to use a PIX pair; I'm not sure the command is available.
Hope to help
Giuseppe
03-05-2009 01:20 AM
Thanks Giuseppe.
The pair is actually 7301 routers so I'll check but I'm almost certain it'll be fine.