help - two IPsec VPN

Unanswered Question
May 26th, 2009

Hi all,


I'd like to implement two IPsec VPNs, one between two Cisco 2811 routers and the other between one of the routers and a Cisco VPN Client.

My doubt is how to do it with Fa0/0 of router 1 as the destination in both cases.

I have this configuration in router 1,



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map clientmap


And I'd like to add 'crypto map IPSEC_VPN' to Fa0/0, but if I add this command the other crypto disappears.


Can anybody help me?


Thanks in advance

Collin Clark Thu, 05/28/2009 - 05:40

You can only have one crypto map applied to an interface (which I'm sure you've figured out by now). Here's a configuration guide that should help.


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml


Also here is an excellent VPN troubleshooting guide.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml


Hope that helps.

usuario0001 Thu, 05/28/2009 - 23:16

And can I have two VPNs with the same crypto map? One for a site-to-site connection and the other one for a VPN with the Cisco Client.


Thanks

Collin Clark Fri, 05/29/2009 - 04:59

You would have one dynamic crypto map that is applied to the interface, but the dynamic crypto map will use the two static crypto maps: the L2L and the client.

usuario0001 Thu, 06/04/2009 - 00:14

So the configuration can be something like this?


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
!
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN isakmp authorization list groupauthor
crypto map IPSEC_VPN client configuration address respond
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map IPSEC_VPN



Thanks and regards
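
A consistency check for the kind of merged configuration discussed in this thread, as an added example that is not part of any post: the Python script below parses an IOS-style config and reports an interface carrying more than one crypto map line (the later one replaces the earlier, as the first post describes) and references to transform sets, dynamic maps or crypto maps that are never defined. The `lint_crypto` name and the sample config are this example's own constructions, and it assumes sub-commands are indented as in `show running-config` output.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread, with mistakes planted on purpose.
SAMPLE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map IPSEC_VPN 3 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 match address 103
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 crypto map clientmap
 crypto map IPSEC_VPN
"""

def lint_crypto(config):
    """Return sorted findings; assumes sub-commands are indented by a space."""
    tsets, dynmaps, maps = set(), set(), set()
    used_ts, used_dyn, applied = [], [], defaultdict(list)
    ctx = ""                             # current top-level section
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):      # top-level command opens a section
            ctx = line
            if m := re.match(r"crypto ipsec transform-set (\S+)", line):
                tsets.add(m[1])
            elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
                dynmaps.add(m[1])
            elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp(?: dynamic (\S+))?", line):
                maps.add(m[1])
                if m[2]:
                    used_dyn.append((m[1], m[2]))
        elif ctx.startswith("interface ") and (m := re.match(r"crypto map (\S+)$", line)):
            applied[ctx.split()[1]].append(m[1])
        elif ctx.startswith("crypto ") and (m := re.match(r"set transform-set (.+)", line)):
            used_ts += [(ctx, name) for name in m[1].split()]
    out = [f"{o}: transform-set {n} is not defined" for o, n in used_ts if n not in tsets]
    out += [f"crypto map {o}: dynamic-map {n} is not defined" for o, n in used_dyn if n not in dynmaps]
    for intf, names in applied.items():
        out += [f"{intf}: crypto map {n} is not defined" for n in names if n not in maps]
        if len(names) > 1:
            out.append(f"{intf}: {len(names)} crypto maps applied, only {names[-1]} stays")
    return sorted(out)

if __name__ == "__main__":
    print("\n".join(lint_crypto(SAMPLE)))
```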
