terminate multiple VPN tunnels at main site router

richmorrow624
Level 1

I am trying to set a VPN router to be the hub for numerous remote site VPN tunnels.

At the moment, one peer is established and passing traffic with no problem.

I have tried to configure an additional tunnel at the main site and debugs on the peer tell me that the policy is not matched.

When I launch the "mirror config" from ASDM, it looks like my config is correct, but I am wondering if I have a fundamental misunderstanding of how the hub is supposed to be set up.

When I look at the config of the hub router with ASDM, it shows only one VPN configured and will not allow another VPN to be added.

The transform set is different on the two tunnels and this is where I think my problem lies.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx 21.x.4.3 no-xauth
crypto isakmp key xxxxxxxx 6.x.1.2 no-xauth
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set 1 esp-3des esp-sha-hmac
crypto ipsec transform-set 2 esp-3des esp-md5-hmac
!
crypto ipsec profile 1
 set transform-set To_1
!
crypto ipsec profile 2
 set transform-set To_2
!
!
crypto map To_2 ipsec-isakmp
 set peer 6.x.x.2
 set transform-set 2
 match address 101
!
!
crypto map To_1 ipsec-isakmp
 set peer 21.3.4.3
 set transform-set 1
 match address 100

3 Replies

spremkumar
Level 9

Hi Richard,

On seeing your config, I am not sure whether you have the same crypto map with different sequence numbers to your remote peers, with the corresponding policies attached to it.

I would suggest creating crypto maps with the same name but with different sequence numbers, with the respective policies attached to them.

You can also refer to the link below for framing the policies and map with different sequence numbers.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

Regards

Thanks for the reply.

Is this the only way to set this up?

There is no way to set up separate tunnels?

Yes, sadly that is the only way to do it, as only one crypto map can be applied per interface. So for multiple peers you need to have the same crypto map with multiple sequence numbers. During the IPsec negotiation, all policies are checked sequentially based on the match of the transform set and access-list to set up the SA.
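As an added illustration of the reply's point (this is not code from the thread or from Cisco), the Python script below parses two constructed IOS fragments: one laid out like the post, with two separately named crypto maps of which only one can be bound to the interface, and one rewritten as a single map with one sequence number per peer. The sequence numbers, the interface name and the map name HUB are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample, modelled on the post: two separately named maps, only one bound.
BROKEN = """\
crypto map To_2 10 ipsec-isakmp
 set peer 6.x.x.2
 set transform-set 2
 match address 101
crypto map To_1 10 ipsec-isakmp
 set peer 21.3.4.3
 set transform-set 1
 match address 100
interface FastEthernet0/0
 crypto map To_1
"""
# Constructed sample: one map name, one sequence number per peer, as the reply suggests.
FIXED = """\
crypto map HUB 10 ipsec-isakmp
 set peer 21.3.4.3
 set transform-set 1
 match address 100
crypto map HUB 20 ipsec-isakmp
 set peer 6.x.x.2
 set transform-set 2
 match address 101
interface FastEthernet0/0
 crypto map HUB
"""

def parse_crypto_maps(config):
    """Return ({map: {seq: {peer, transform-set, match}}}, {map names bound to interfaces})."""
    maps, bound, entry = defaultdict(dict), set(), None
    for line in config.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            entry = maps[m.group(1)].setdefault(int(m.group(2)), {})
        elif m := re.match(r" crypto map (\S+)$", line):  # binding under an interface
            bound.add(m.group(1))
        elif entry is not None and (m := re.match(r" (?:set )?(peer|transform-set|match) (?:address )?(\S+)", line)):
            entry[m.group(1)] = m.group(2)
        elif not line.startswith(" "):
            entry = None  # any other top-level command ends the crypto map block
    return maps, bound

def audit(config):
    """Return findings about the hub layout; an empty list means it is consistent."""
    maps, bound = parse_crypto_maps(config)
    findings = [f"{len(maps)} crypto maps ({', '.join(sorted(maps))}): only one can be applied per interface"] if len(maps) > 1 else []
    findings += [f"crypto map {n} is not applied to any interface" for n in maps if n not in bound]
    findings += [f"{n} seq {s}: missing {k}" for n, seqs in maps.items() for s, e in seqs.items() for k in ("peer", "transform-set", "match") if k not in e]
    return findings
```

Run `audit(BROKEN)` and `audit(FIXED)` to see the two-map layout flagged and the single-map layout pass.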
