Help - two IPsec VPNs

Unanswered Question
May 26th, 2009

Hi all,


I'd like to implement two IPsec VPNs, one between two Cisco 2811 routers and the other between one of the routers and a Cisco VPN Client.

My question is how to do it with Fa0/0 of router 1 as the destination in both cases.

I have this configuration in router 1,



crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map clientmap


And I'd like to add 'crypto map IPSEC_VPN' to Fa0/0, but if I add this command the other crypto map disappears.


Can anybody help me?


Thanks in advance

Collin Clark Thu, 05/28/2009 - 05:40

You can only have one crypto map applied to an interface (which I'm sure you've figured out by now). Here's a configuration guide that should help.


http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml


Also here is an excellent VPN troubleshooting guide.


http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml


Hope that helps.

usuario0001 Thu, 05/28/2009 - 23:16

And can I have two VPNs with the same crypto map? One for a site-to-site connection and the other one for a VPN with the Cisco Client.


Thanks

Collin Clark Fri, 05/29/2009 - 04:59

You would have one dynamic crypto map that is applied to the interface, but the dynamic crypto map will use the two static crypto maps: the L2L and the client.

usuario0001 Thu, 06/04/2009 - 00:14

So the configuration can be something like this?


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
!
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN isakmp authorization list groupauthor
crypto map IPSEC_VPN client configuration address respond
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map IPSEC_VPN



Thanks and regards
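
Added example, not part of the thread and not Cisco's code: a small Python check that walks an IOS configuration and reports crypto references that point at nothing, a slip that is easy to make when two crypto maps are merged into one. The sample is abbreviated from the configuration in the last post, where the dynamic map still references `myset` although only ESP-3DES-SHA is defined; the function name `check_crypto_refs` is chosen here.

```python
import re

# Sample input: abbreviated from the merged configuration in the last post.
SAMPLE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address dhcp
 crypto map IPSEC_VPN
"""

def check_crypto_refs(config):
    """Return one message per transform-set, dynamic-map or crypto map
    that is referenced in the config but never defined."""
    tsets, dynmaps, maps = set(), set(), set()
    uses = []          # (kind, name, where it was referenced)
    where = "global"   # most recent block header, used in messages
    # Lines are matched by shape, so flattened (unindented) text works too.
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            tsets.add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+)$", line):
            dynmaps.add(m[1])
            where = f"dynamic-map {m[1]} {m[2]}"
        elif m := re.match(
                r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", line):
            maps.add(m[1])
            where = f"crypto map {m[1]} {m[2]}"
            if m[3]:   # entry that pulls in a dynamic map
                uses.append(("dynamic-map", m[3], where))
        elif m := re.match(r"interface (\S+)$", line):
            where = f"interface {m[1]}"
        elif m := re.match(r"set transform-set (.+)$", line):
            uses += [("transform-set", n, where) for n in m[1].split()]
        elif m := re.match(r"crypto map (\S+)$", line):
            uses.append(("crypto map", m[1], where))   # applied to interface
    defined = {"transform-set": tsets, "dynamic-map": dynmaps, "crypto map": maps}
    return [f"{w}: {kind} '{name}' is not defined"
            for kind, name, w in uses if name not in defined[kind]]

if __name__ == "__main__":
    print("\n".join(check_crypto_refs(SAMPLE)) or "no dangling references")
```
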
