IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map

Unanswered Question
Jul 9th, 2012

Hi.


I am trying to set up a dynamic IPSEC VPN.


Setup is:


- one 7200 as VPN concentrator

- multiple remote CPE connected via 3G Internet doing IPSEC with the concentrator


Objectives are:

- Remote CPE to another remote CPE traffic

- Remote CPE to 7200 VPN Concentrator local LAN







My config is a single Phase 1, but multiple Phase 2.


Is it possible to have inter-site traffic via the hub using the same IPSEC phase1?

My simulation in GNS3 is intermittent when traffic is inter-site.

But when traffic is from the tunnel to a local destination within the concentrator, it works fine.




VPN Concentrator Config:


crypto keyring custC-key vrf FVRF-C
 pre-shared-key address 0.0.0.0 0.0.0.0 key customerC

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp profile custC-profile
 vrf VRF-C
 keyring custC-key
 match identity address 0.0.0.0 FVRF-C

crypto dynamic-map custC-map 10
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 104
crypto dynamic-map custC-map 20
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 105
crypto dynamic-map custC-map 30
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 106
crypto dynamic-map custC-map 40
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 108
crypto dynamic-map custC-map 50
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 109




Problem: Remote CPE to another Remote CPE LAN-to-LAN ping test is intermittent.


Is this setup possible? Or does it have to be a totally different IPsec tunnel per CPE to work?

Comments?


thanks

alanwright1 Tue, 09/17/2013 - 08:32

Anyone got any ideas why spoke to spoke is intermittent?
