Multiple Site to Site Tunnels

Unanswered Question
Dec 17th, 2009
User Badges:

I have to setup a router with multiple site to site tunnels.  I already have one of the tunnels established.  The subnets at each branch office will NOT overlap.

I am using NAT Overload w/static nat translations, I have a route map to except vpn traffic from the nat process.

crypto map intmap 5 ipsec-isakmp
set peer <Branch Office A>
set transform-set trans1
match address 130

route-map rock permit 10
match ip address 123
set ip next-hop
route-map nonat permit 10
match ip address 110

How do I add a crypto map that will do Branch Office B?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Rick Morris Thu, 12/17/2009 - 12:52
User Badges:
  • Silver, 250 points or more

same as the first just increase the process number.  You have 5, use 10:

crypto map intmap 10 ipsec-isakmp

set peer

Mike Elliott Thu, 12/17/2009 - 12:56
User Badges:

Cool beans, that is what I thought.

Are there any caveats or best practices?  Should I expect to be able to route branch to branch traffic through the HQ? Or should I setup separate tunnels for that?

Rick Morris Thu, 12/17/2009 - 13:03
User Badges:
  • Silver, 250 points or more

Honestly, the best set-up for what I think you are looking for is DMVPN.

This allows you to build dynamic tunnels between offices without hair-pin routing via the Hub.  After the traffic stops between site to site it will tear the tunnel back down based on the timers you set-up.  This is accomplished via NHRP, with is a table that holds are next hops of all te tunnels.  So for instance site A wants to talk to site F.  Site A will send a look-up to the Hub asking for this info.  The hub will respond and site A and F will negotiate a tunnel.


This Discussion