Selective VPNs based on location

Unanswered Question
Apr 21st, 2009

Hello,

I have recently been tasked at my job with trying to configure a one-off. I have a Cisco 2811 that normally has a VPN connection back to our main office via a single interface. My crypto looks like the following:

crypto ipsec client ezvpn TEST
 connect auto
 group TEST key TEST
 mode network-extension
 peer 192.168.1.1
 username test password test1
 xauth userid mode local

I have an SVI configured as follows:

interface Vlan2
 description **FW_INSIDE**
 ip address 10.1.0.160 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 no autostate
 crypto ipsec client ezvpn TEST inside

My Serial interface configuration is as follows:

interface Serial0/0/0.1 point-to-point
 ip address 172.16.1.5 255.255.255.252
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 500 IETF
 crypto ipsec client ezvpn TEST

The configuration works just fine. What I've been asked to do, though, is giving me problems. Let's say I have multiple Serial interfaces. And based on which one is turned on, or plugged in, it will utilize THAT serial interface to create the VPN tunnel.

So let's say I have Serial0 and Serial1. My company wants it that if Serial1 is plugged in, it will use Serial1 to create the tunnel. If Serial0 is plugged in and Serial0 is unplugged, it will use Serial0.

I hope the above nonsense actually makes sense. Basically, when this device is deployed, they don't want to have to go and do any reconfiguration on the router. They just want the system to be smart enough to know which interface is plugged in, up and active and use that interface to create the tunnel. Any assistance would be greatly appreciated.

Collin Clark Thu, 04/23/2009 - 05:36

You could create a multilink interface and add each serial interface to the bundle. Then apply your crypto map to the multilink interface. This is of course assuming you can use the same IP on either/both serial interfaces.

Example-

! Member link 1: carries no IP address, joins bundle group 2
interface Serial0/2/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 2
!
! Member link 2: same settings as member link 1
interface Serial0/2/1:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 2
!
! Bundle interface: holds the IP address and the EzVPN outside binding
interface Multilink2
 description MLPPP Link for Point-To-Point
 ip address 172.16.1.5 255.255.255.252
 ip route-cache flow
 no ip mroute-cache
 crypto ipsec client ezvpn TEST
 ppp multilink
 ppp multilink links maximum 4
 ppp multilink group 2
 ppp multilink fragment disable

Hope that helps.
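The following is an added example, not part of the reply above or of any Cisco tooling: a small Python check that a saved configuration follows the bundle layout the reply describes before the router is shipped. The function names and the sample configuration are constructed for illustration, and the rules checked are an assumption taken from that layout: member links carry `no ip address`, `encapsulation ppp` and `ppp multilink`, and the EzVPN outside binding sits only on the Multilink interface.

```python
# Constructed sample (not from a real device): the second member is missing
# "ppp multilink", the kind of slip this check is meant to catch.
SAMPLE = """\
interface Serial0/2/0:0
 no ip address
 encapsulation ppp
 ppp multilink
 ppp multilink group 2
interface Serial0/2/1:0
 no ip address
 encapsulation ppp
 ppp multilink group 2
interface Multilink2
 ip address 172.16.1.5 255.255.255.252
 crypto ipsec client ezvpn TEST
 ppp multilink
 ppp multilink group 2
"""

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands (stripped)."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        elif line.strip() and not line.startswith("!"):
            current = None  # any other top-level command ends the stanza
    return stanzas

def audit_bundle(config, profile, group):
    """Return findings for EzVPN <profile> expected on Multilink<group>."""
    ifs, findings = parse_interfaces(config), []
    binding = f"crypto ipsec client ezvpn {profile}"  # "... inside" is a different line
    outside = [name for name, cmds in ifs.items() if binding in cmds]
    if outside != [f"Multilink{group}"]:
        findings.append(f"outside binding on {outside}, expected only Multilink{group}")
    for name, cmds in ifs.items():
        if name.startswith("Multilink") or f"ppp multilink group {group}" not in cmds:
            continue  # only member links of this bundle are checked below
        for required in ("no ip address", "encapsulation ppp", "ppp multilink"):
            if required not in cmds:
                findings.append(f"{name}: missing '{required}'")
    return findings

if __name__ == "__main__":
    for finding in audit_bundle(SAMPLE, "TEST", 2):
        print(finding)
```

An empty result means the tunnel binding lives on the bundle alone, so whichever member link is cabled brings it up without any change on the router.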
