I am a bit of a novice with these devices, but can anyone help? I need to create a second tunnel using the same policy settings; policy 20 is the current configuration. How would I go about doing this? So far I have created most of policy 21. This second tunnel is for a different peer.
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer aaa.aaa.aaa.aaa
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 21 ipsec-isakmp
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer bbb.bbb.bbb.bbb
crypto map outside_map 21 set transform-set ESP-AES-256-SHA
In both the "crypto map" and "isakmp policy" configurations, the number in the command is simply a sequence/order/priority number.
So, for example, when VPN negotiation initiates, the entries with the lower numeric value are evaluated first until the correct match is found.
The numeric values in the "crypto map" and the "isakmp policy" don't have anything to do with each other.
Because of this, if your new L2L VPN connection uses the same parameters for Phase 1, you won't have to add another ISAKMP policy, as the one required already exists. ISAKMP policies configured on your firewall can't be attached to a particular VPN connection. Every one of your ISAKMP policies is compared/matched against the remote VPN device's policies during the negotiation, and then the match is found.
So simply don't configure "isakmp policy 21", since it's not needed.
Hope this clarifies things.
Please do remember to mark a reply as the correct answer if it answered your question.
The "crypto map" lines for different L2L VPN connections will always have their own number.
You only need additional "isakmp policy" configurations when you actually need different values for the Phase 1 negotiation. For example, if you wanted to use 3DES/MD5 for the other connection, you would need a policy for that.
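To make the answer above concrete, here is a complete second L2L entry as an added example; it is not configuration from the original poster or the answerer. It assumes a pre-8.3 ASA (the "set transform-set" and "nat 0" syntax), that "crypto map outside_map interface outside" and a matching "isakmp policy" (for example AES-256/SHA) already exist for peer aaa.aaa.aaa.aaa, and hypothetical networks 10.1.1.0/24 (local) and 10.2.2.0/24 (behind the new peer). The peer-specific pieces are the match ACL, the NAT exemption, the tunnel-group with its pre-shared key and the crypto map entry; no new ISAKMP policy is added.

```text
! Added example, not from the original thread. Assumed: pre-8.3 ASA, networks 10.1.1.0/24 and 10.2.2.0/24.

! Interesting traffic for the new peer only. This ACL must not overlap
! outside_cryptomap_20: the crypto map is evaluated lowest sequence first,
! so any overlap would send the traffic to whichever entry comes first.
access-list outside_cryptomap_21 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! NAT exemption so the VPN traffic keeps its private addresses (pre-8.3 syntax).
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

! Phase 1 authentication for the second peer lives in its own tunnel-group.
tunnel-group bbb.bbb.bbb.bbb type ipsec-l2l
tunnel-group bbb.bbb.bbb.bbb ipsec-attributes
 pre-shared-key <key-agreed-with-second-peer>
 ! Optional: Dead Peer Detection. If either side has DPD (or the peer has a
 ! periodic probe) enabled, ISAKMP packets will appear without interesting traffic.
 isakmp keepalive threshold 10 retry 2

! Crypto map entry with its own sequence number; the ISAKMP policy is not referenced here.
crypto map outside_map 21 match address outside_cryptomap_21
crypto map outside_map 21 set peer bbb.bbb.bbb.bbb
crypto map outside_map 21 set transform-set ESP-AES-256-SHA

! Verification after the change:
!   show crypto isakmp sa                        (Phase 1 state per peer)
!   show crypto ipsec sa peer bbb.bbb.bbb.bbb    (Phase 2 SAs and encaps/decaps counters for the new peer)
```

The verification commands also answer the "who brings the tunnel up" question: the encaps counter grows when the local side sends interesting traffic, the decaps counter when the remote side does, so the two tunnels can be checked independently.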
It's partially working now. However, I have a problem: the "interesting traffic" for my original tunnel is bringing up the new VPN connection. I have checked my access lists and it all looks good. Is the sequence number that is set on the crypto map outside_map going to be a problem if they are so close?
If you generate traffic from your end, it will only match one section of the crypto map and should not have anything to do with the new connection's configuration. Only if your traffic doesn't match the lower-numbered entry in the crypto map will it be matched against the next entry.
If it has already matched "crypto map outside_map 20", it won't match "crypto map outside_map 21".
Are you sure that the remote device is not bringing up the VPN tunnel?
As I don't know your NAT/ACL configurations related to these L2L VPN connections, it's hard for me to say whether there is anything special about the situation.
The numeric value in the "crypto map" configurations shouldn't really matter, since the traffic should only match a single entry in the crypto map. Usually the main thing is that all the L2L VPN "crypto map" entries have a lower numeric value than the dynamic entries meant for VPN Clients, which should be last in the crypto map.
I think the remote site may be bringing the tunnel up (I am getting lots of "debug crypto isakmp" output without sending interesting traffic). I am getting this for both the old tunnel and the new tunnel, which I assume wouldn't have been a problem when there was only a single tunnel.
I am talking to my contact at the other end and getting them to check their configuration to find out if this is the case.
I take it that without interesting traffic from my end there should be no "debug crypto isakmp" traffic; is that correct, or is there a keepalive type of scenario that could be trying to keep the tunnels alive?
Many thanks, you have been most helpful; hope to get it fixed today.