Can 2 IPSec profiles attach to a WAN interface crypto-map?

Answered Question
Apr 22nd, 2009

Using IOS Firewall on a 2811, management wants to have VPN peer redundancy on the 2811 remote office to two different regional 3030 concentrators. The remote 2811 has a current VPN LAN-to-LAN with one of the 3030s. There will be two separate Ethernet LAN connections and one Ethernet WAN connection to the ISP edge router. The question is how one would configure the 2811 to support two different VPN peers, with one LAN going to one VPN peer and the other LAN going to the other VPN peer?

Jon Marshall Thu, 04/23/2009 - 01:36

Kevin

If I understand correctly you have 2 LANs behind your 2811 and you want one to go to one peer and one to go to the other?

If so then you just have multiple entries in your crypto map on the 2811.

Perhaps you could elaborate so we can give good advice?

Jon

ksvy_ksvy Thu, 04/23/2009 - 04:34

Hi Jon,

The current VPN solution is a 515e 6.3(5) to 3030 LAN-to-LAN IPSec connection.

This will be moved over to a 2811 12.4 IOS Firewall (replaces the 515e) to 3030 LAN-to-LAN IPSec connection.

Next, create another IPSec profile on the 2811 router which will have its own LAN-to-LAN IPSec connection to a different 3030 concentrator.

So, for example, would the IPSec map look like this?

!
crypto map ctmap 10 ipsec-isakmp
 set peer 141.x.1.12
 set peer 141.1.x.12
 set transform-set ctset
 match address 102
!

Thanks, Kevin


Correct Answer
Jon Marshall Thu, 04/23/2009 - 05:25

Kevin

Apologies but I'm obviously having one of my stupid days because I'm still not fully understanding.

crypto map ctmap 10 ipsec-isakmp
 set peer 141.x.1.12
 set peer 141.1.x.12
 set transform-set ctset
 match address 102

What the above will do is use 141.x.1.12 as the VPN peer. If that VPN peer is down for some reason then 141.1.x.12 will be used instead. So this does provide some level of redundancy.

Where I'm getting a bit confused is from your original description, i.e.

"There will be two separate Ethernet LAN connections and one Ethernet WAN connection to the ISP edge router."

Jon

ksvy_ksvy Thu, 04/23/2009 - 06:19

Jon, change of plan, we're going to separate the remote site's two LANs and assign one to one IPSec peer profile and the other LAN to the other IPSec peer. So there'll be just one crypto map with two crypto map ID policies, something like crypto map cap 10 and crypto map cap 20. Thanks
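A worked version of that plan, added here as an example and not taken from the thread or from the posters' own configs: one crypto map applied to the single WAN interface, with entry 10 carrying LAN-A to the first 3030 and entry 20 carrying LAN-B to the second. Interface names, subnets, peer addresses and pre-shared key names are assumed placeholders.

```cisco
! Added example (not from the thread): one crypto map, two entries, one per 3030 peer.
! Assumptions: LAN-A = 10.1.1.0/24 on Fa0/1, LAN-B = 10.1.2.0/24 on Fa0/2,
! WAN = Fa0/0, concentrator peers 192.0.2.12 (A) and 198.51.100.12 (B),
! remote networks 10.100.0.0/16 (behind A) and 10.200.0.0/16 (behind B).
! All addresses are placeholders; substitute your own.
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! One pre-shared key per peer, so a leaked key for A does not expose B.
crypto isakmp key PSK-FOR-PEER-A address 192.0.2.12
crypto isakmp key PSK-FOR-PEER-B address 198.51.100.12
!
crypto ipsec transform-set ctset esp-aes esp-sha-hmac
!
! Interesting traffic. Keep the two ACLs disjoint: entries are checked in
! sequence order, so an ACL 102 that also matched LAN-B would send LAN-B
! traffic to peer A and entry 20 would never be used.
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.100.0.0 0.0.255.255
access-list 103 permit ip 10.1.2.0 0.0.0.255 10.200.0.0 0.0.255.255
!
crypto map ctmap 10 ipsec-isakmp
 set peer 192.0.2.12
 ! a second "set peer" line here would add a failover peer for this
 ! entry only, which is the redundancy described earlier in the thread
 set transform-set ctset
 match address 102
crypto map ctmap 20 ipsec-isakmp
 set peer 198.51.100.12
 set transform-set ctset
 match address 103
!
! IOS allows one crypto map per interface; both entries ride on it.
interface FastEthernet0/0
 description WAN to ISP edge
 crypto map ctmap
!
! Verification from enable mode:
! show crypto map                         - both entries, peers and ACLs
! show crypto isakmp sa                   - one IKE SA per peer once traffic flows
! show crypto ipsec sa peer 192.0.2.12    - encaps/decaps counters for tunnel A
```

Each 3030 needs a matching LAN-to-LAN entry whose local and remote network lists mirror the ACL for its tunnel; a mismatch there fails in Phase 2 (IPSec SA negotiation) even though Phase 1 completes.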
