Site to Multi site VPN setup.

Chris Izatt
Level 1

I can currently do a site-to-site VPN between two routers, but I need a little help on how to add another site to the config. The remote sites only need to talk to the core router, so I shouldn't need GRE, but I am not sure what the right way to add the extra hosts is. It seems I can only add one crypto map to one physical interface, so how do you add the other site?

This is the set of commands I run to get the site-to-site up and going. What else do I need to add? Sorry for being a newb.

Router(config)#crypto isakmp policy 9
Router(config-isakmp)#hash sha
Router(config-isakmp)#authentication pre-share
Router(config)#crypto isakmp key <Keypass Key Router VPN Key> address <other router ip address>
Router(config)#crypto ipsec security-association lifetime seconds 86400
Router(config)#access-list 110 permit ip any any
Router(config)#crypto ipsec transform-set Test esp-3des esp-sha-hmac
Router(config)#crypto map Test 1 ipsec-isakmp
Router(config-crypto-map)#set peer <other router IP Address>
Router(config-crypto-map)#set transform-set Test
Router(config-crypto-map)#match address 110
Router(config-if)#crypto map Test    ! run on the interface that terminates the VPN


nkarthikeyan
Level 7

Hi Chris,

You can do that. The source peer IP address will be a single address, your outside address, but you can have multiple destination peers and policies assigned to the same router.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

The document above should help you. It is basic documentation, but it will give you an idea.

Please do rate if the given information helps.

By

Karthik



Thanks for the reply. I am still not sure how to set the other peers. So I do create a separate crypto map for each router connecting to the core, correct? If so, how do they get applied to the interface? If not, then what am I missing?

When I run this

crypto map Test

and this

crypto map outside

on the same interface, only outside is enabled on the interface and it bumps Test, so what am I missing? Most likely something silly, but I am just not following what is needed.

Thanks

Is the key in this command

crypto map Test 1 ipsec-isakmp

with the number being the different entries? So multiple entries using a different number and the same map name?

You will have to create another sequence number in your crypto map that will match the interesting traffic and assign it to the peer.

Here is a configuration example of how to do this:

http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html#wp1036953

The commands that you need are here:

hq-sanjose(config)# crypto map s4second 2 ipsec-isakmp

In your case the new command will be crypto map Test 2 ipsec-isakmp; then you match the traffic, set the peer, and set the transform set that you want to use.

Also here is another thread that addresses the same concern and the topic of dmvpn is discussed there which may be something to consider as well.

https://supportforums.cisco.com/thread/2161496

Thanks,

Tarik Admani
*Please rate helpful posts*

Well, I deleted the wrong post. I can ping from 192.168.2.1 to 192.168.2.2 and the other way, but cannot ping from 192.168.2.1 to 192.168.2.3.

I configured the two remote routers the same, so I am not sure what I am missing. Thanks for the help.

CORE ROUTER

r1#sh run
Building configuration...

Current configuration : 1043 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname r1
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip any any
!
line con 0
line vty 0 4
 login
!
end

ROUTER 1

r2#sh run
Building configuration...

Current configuration : 894 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname r2
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip any any
!
line con 0
line vty 0 4
 login
!
end

ROUTER 2

r3#sh run
Building configuration...

Current configuration : 894 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname r3
!
crypto isakmp policy 9
 authentication pre-share
!
crypto isakmp key Test1234 address 192.168.2.1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set Test esp-3des esp-sha-hmac
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 ip address 192.168.2.3 255.255.255.0
 duplex auto
 speed auto
 crypto map Test
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
!
access-list 110 permit ip any any
!
line con 0
line vty 0 4
 login
!
end

Any ideas? The site-to-site works when I take the second entry out. I am at a loss; it sure seems like it should be working.

When I just have this one, it works:

crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110

When I have both in the main router for the site-to-multi-site, only one connects:

crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
!
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 set security-association lifetime seconds 86400
 set transform-set Test
 match address 110
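The sequence-number approach Tarik describes above, and the two-entry map Chris posts here, can be made to work once two things the posted core config is missing are fixed. First, both sequence entries use match address 110, and access-list 110 is permit ip any any. IOS evaluates a crypto map's entries in sequence order and uses the first entry whose ACL matches the packet, so every packet matches sequence 1 and is handed to peer 192.168.2.2; sequence 2 is never selected, which is exactly the "only one connects" symptom. Each entry needs its own crypto ACL that names only the traffic for that peer (Cisco also warns against permit ip any any in a crypto ACL). Second, the core config carries a pre-shared key only for address 192.168.2.2; there is no crypto isakmp key line for 192.168.2.3, so IKE with r3 cannot authenticate. The configuration below is an added example, not configuration from the thread. It keeps the thread's peer addresses and map name but assumes LAN subnets that the original never shows (10.0.1.0/24 behind r1, 10.0.2.0/24 behind r2, 10.0.3.0/24 behind r3), uses placeholder keys, and swaps the thread's 3DES for AES-256 because 3DES is deprecated.

```cisco
! Core router (r1). Added example, not the thread's running config.
! Assumed LAN subnets: 10.0.1.0/24 behind r1, 10.0.2.0/24 behind r2,
! 10.0.3.0/24 behind r3. Peer addresses are the thread's 192.168.2.x.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! One pre-shared key per peer; the posted config had one only for .2.2.
! Use a distinct, long key per site (placeholders here).
crypto isakmp key Site2-PSK-change-me address 192.168.2.2
crypto isakmp key Site3-PSK-change-me address 192.168.2.3
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! One crypto ACL per peer, naming only that site's traffic.
! Never reuse one ACL across sequence entries, and avoid permit ip any any:
! the first sequence whose ACL matches wins, so any-any in seq 1 shadows seq 2.
ip access-list extended VPN-TO-SITE2
 permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended VPN-TO-SITE3
 permit ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
!
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.2
 set transform-set TS
 match address VPN-TO-SITE2
crypto map Test 2 ipsec-isakmp
 set peer 192.168.2.3
 set transform-set TS
 match address VPN-TO-SITE3
!
interface FastEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 crypto map Test
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
!
! Remote LANs must be routed out the crypto-mapped interface so the
! crypto ACL can match the packets on the way out.
ip route 10.0.2.0 255.255.255.0 192.168.2.2
ip route 10.0.3.0 255.255.255.0 192.168.2.3

! Site router r2. r3 is identical with 10.0.3.0/24, .2.3 and its own key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key Site2-PSK-change-me address 192.168.2.1
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
ip access-list extended VPN-TO-CORE
 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
crypto map Test 1 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set TS
 match address VPN-TO-CORE
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 crypto map Test
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
ip route 10.0.1.0 255.255.255.0 192.168.2.1
```

Test with traffic that the crypto ACLs actually describe: from a host behind each site, or with an extended ping sourced from the LAN interface (ping 10.0.3.1 source 10.0.1.1), since a plain ping from 192.168.2.1 to 192.168.2.3 no longer matches these ACLs and is not supposed to. Then show crypto isakmp sa should list both peers in QM_IDLE, show crypto map should show both sequence entries under Test with their own ACLs, and show crypto ipsec sa peer 192.168.2.3 should show encaps/decaps counters rising. If the image is an older 12.4 release without group 14, use the strongest Diffie-Hellman group it offers; the ACL and key changes are what fix the second peer.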

Hi Chris,

Sorry to dig up an old thread, but I see that there was no resolution for your issue posted here.

Did you manage to resolve your issue? I have run into the same problem and was hoping to find the resolution in your thread.

Thanks a mil,

Try looking at this and post back with any questions.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

I am trying to configure the same thing with one core and three sites. Only site 1 can ping the core router loopback, i.e. its IPsec tunnel is up, but sites 2 and 3 cannot ping the core router loopback. Any suggestions?

What does the config look like?

Also, do the site 2 and 3 VPNs come up?

Are the ACLs correct?

tytryuy8
Level 1

@Chris Izatt

Hi Chris, I have the same problem as you did. Did you solve it?


Jackong
Level 1

@Chris Izatt

I have a few inquiries about your configuration. Do R1, R2 and R3 have a routing protocol running between them? If yes, are the inside networks included in the routing?
If no, there are configurations missing from your routers, namely the NAT.

If you will be using NAT, you need to create a separate ACL for the VPN traffic only, and you need to deny NAT for the addresses that will traverse the VPN.
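Jackong's NAT point, as an added example that is not from the thread. On IOS, inside-to-outside NAT is applied before the crypto map is consulted on the outbound interface, so if the LAN is PATed to the outside address, the translated packets no longer match the crypto ACL and leave in the clear instead of entering the tunnel. The NAT ACL therefore has to deny the site-to-site flows before its permit, and the deny lines must mirror the crypto ACLs exactly. The subnets (10.0.1.0/24 behind the core, 10.0.2.0/24 and 10.0.3.0/24 behind the sites) and interface roles are assumptions for the example, not values from the posts.

```cisco
! Core router (r1) NAT exemption. Added example; subnets are assumptions.
! Deny the VPN flows first, then PAT everything else to the outside address.
! Each deny must match the corresponding crypto ACL line, otherwise NAT
! rewrites the source before the crypto map sees the packet and the
! traffic never enters the tunnel.
ip access-list extended NAT-INSIDE
 deny   ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
 deny   ip 10.0.1.0 0.0.0.255 10.0.3.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
!
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
!
! Checks: a flow to a VPN subnet must not appear in the translation table,
! and the deny counters should climb while VPN traffic flows.
!   show ip nat translations
!   show access-lists NAT-INSIDE
```

The same shape applies on each site router: deny its own LAN to the core LAN in the NAT ACL, then permit the LAN to any. If a site already has a bare access-list used for NAT, adding the deny lines at the top of that list is enough; the crypto ACL itself must keep the real inside addresses, never the translated ones.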

 
