Cisco 2800 - Multiple VPNs Using Virtual-Template

Hello List,

I have a question related to the way of setting up multiple VPNs using virtual-template configuration (Cisco calls this Dynamic VPN): how can I make my configuration a "spoke" type VPN rather than a "hub" type without using "crypto map" on the physical interface?

Here is how it works now (the VPN hub config):

!!! the VPN hub config
!
crypto keyring PSKs
 pre-shared-key address <peer_ip> key 6 ************
!
crypto isakmp profile ISAKMP_Profile
 keyring PSKs
 self-identity address
 match identity address <peer_ip> 255.255.255.255
 virtual-template 1
!
crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_Profile
 set transform-set Transform_Set
 set isakmp-profile ISAKMP_Profile
!
interface Loopback1007
 description This is a public IP address from a range routed via my gateway IP address (see below)
 ip address <my_VPN-hub_ip> 255.255.255.255
 no ip redirects
!
interface Multilink1
 description This is my gateway IP address facing the ISP
 ip address <my_public_IP> 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
 ip route-cache flow
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 20
 ppp multilink interleave
 ppp multilink group 1
 ppp multilink multiclass
 service-policy output qos_pm-outbound
!
interface Serial0/0/0
 description 1st Serial Interface to ISP
 bandwidth 2048
 no ip address
 encapsulation ppp
 ip route-cache flow
 no fair-queue
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1
 description 2nd Serial Interface to ISP
 bandwidth 2048
 no ip address
 encapsulation ppp
 ip route-cache flow
 no fair-queue
 ppp multilink
 ppp multilink group 1
!
! the dynamic VTI cloned for every peer matched by ISAKMP_Profile
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1007
 ip access-group vpn_acl-tunnel-encr-in in
 ip access-group vpn_acl-tunnel-encr-out out
 ip mtu 1400
 ip route-cache flow
 tunnel source Loopback1007
 tunnel mode ipsec ipv4
 tunnel sequence-datagrams
 tunnel checksum
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_Profile
 service-policy output qos_pm-VPN
!
ip access-list extended vpn_acl-tunnel-encr-in
 permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended vpn_acl-tunnel-encr-out
 permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
!
!!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators)
!!! all follow the standard crypto map config on the physical interface.
!!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt

It is obvious that with my router configured as a VPN hub, if the tunnel dies, I need to wait for the peer to reset the tunnel; all this time my clients in my network are not able to access the remote sites.

The reason to use the virtual-template interfaces as opposed to the traditional "crypto map" way is that my peers do not want to share the same VPN end-point between themselves (different companies altogether) and they are very strict in regards to ACLs. As I don't have a VPN device for each one of them and their number increases (I have 5 separate tunnels right now with potential growth to 15 in the next 3 months), I need to find a way to get rid of the hub config on my end (I did not have much choice there when I migrated to this platform from a Linux box).

Pros for the Virtual-Template:
- separate QoS for each tunnel
- ACLs configured directly on the tunnel interface (greater flexibility)
- tunnel end-point IP address can be part of a range BGP advertised via multiple ISP links

Cons:
- hub config, the tunnel needs to be reset by the peer

Any help is very much appreciated. Thank you,

Adrian
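One way to keep a dedicated tunnel interface per peer (own ACLs, own QoS) while letting this router initiate IKE itself is a static VTI with a fixed tunnel destination. This is an added example, not configuration from the post or from Cisco; it reuses the post's keyring, profiles, ACL names, subnets and placeholders, and assumes the interface number Tunnel1.

```cisco
! Added example: static VTI (sVTI) toward one peer. Unlike the
! Virtual-Template (dVTI) hub, which only answers, an sVTI initiates
! IKE as soon as the tunnel interface comes up.
! <peer_ip>, Loopback1007, the ACLs and the subnets come from the post;
! "Tunnel1" is an assumed interface number.
!
crypto keyring PSKs
 pre-shared-key address <peer_ip> key 6 ************
!
! same profile as the hub, but without "virtual-template 1"
crypto isakmp profile ISAKMP_Profile
 keyring PSKs
 self-identity address
 match identity address <peer_ip> 255.255.255.255
!
! 3DES/MD5 kept only because the peers in the post use them;
! prefer "esp-aes 256 esp-sha-hmac" where a peer supports it.
crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_Profile
 set transform-set Transform_Set
 set isakmp-profile ISAKMP_Profile
!
interface Tunnel1
 description sVTI to <peer_ip> - one interface per peer
 ip unnumbered Loopback1007
 ip access-group vpn_acl-tunnel-encr-in in
 ip access-group vpn_acl-tunnel-encr-out out
 ip mtu 1400
 tunnel source Loopback1007
 tunnel destination <peer_ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_Profile
 service-policy output qos_pm-VPN
!
! Route the remote subnet into the tunnel. A VTI negotiates
! 0.0.0.0/0 traffic selectors, so the interface ACLs above, not a
! crypto ACL, decide what is allowed through the tunnel.
ip route 172.20.40.0 255.255.255.0 Tunnel1
```

Because the VTI proposes 0.0.0.0/0 as its Phase 2 traffic selector, a crypto-map peer whose crypto ACL is narrower than permit ip any any may reject the SA, so confirm this with each peer before converting a tunnel. Verify the result with "show crypto session" and "show crypto ipsec sa" on the local router.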
