I have a 7206 router with multiple static site-to-site VPN tunnels to partner companies. Each of these companies needs their own secure encrypted traffic and using DMVPN is not an option. Currently, all tunnels are defined in one crypto map and the crypto map is applied to the physical outside interface on the 7206. There is an FWSM between the 7206 and the Internet. I am testing with a 2811 router as the other tunnel endpoint across the Internet.
What I would like to do is be able to make modifications to any of the tunnels, add new tunnels, and delete tunnels without affecting the operation of any of the other tunnels.
My first thought was to create tunnel interfaces on the 7206 using private point-to-point addresses with the other point residing on the FWSM, create a static translation on the FWSM pointing to the tunnel interface, and configure the tunnel interface with the crypto map normally applied to the physical interface, (with the addition of adding tunnel source and tunnel destination commands).
Network 220.127.116.11/24 ---- VPN HUB 7206 ---- FWSM ---- Evil Internet ---- VPN Spoke 2811 ---- Network 18.104.22.168/24
|____ Static Site-to-Site VPN Tunnel ___________|
7206 IOS Version: 12.4(22)T
2811 IOS Version: 12.4(19b)
This doesn't work, though. When I initiate interesting traffic from a network behind the 7206 the router seems to drop the packet. There is no log message whatsoever. When I initiate traffic from a network behind the 2811 I see lots of log messages. The 2811 begins Phase1 negotiation but an error indicates that the policies don't match. On the 7206 the error is more descriptive, indicating that the local address is invalid. NAT traversal is enabled by default and I see in the logs that the private address is found.
I opened a TAC case and the response was that crypto maps can only be applied to physical interfaces, not loopback, or tunnel, and I'm assuming not sub-interfaces either. What I don't understand is why.
Can someone please help me to determine the best solution to use for hosting multiple site-to-site VPN's such that modifications to one will not affect the operation of any other tunnel?
Thank you in advance,