12-15-2003 02:08 PM - edited 02-21-2020 12:57 PM
Hello All,
I am working on a project to create a hub-and-spoke VPN for a company that has 50+ branches. Their head-end router is a 7200 and each branch has 2600 routers.
The Crypto ACLs will basically be the same for all peers since the remote branch subnets can be summarized by a 16-bit mask. This will reduce the number of Crypto ACLs created for each crypto map.
I am assuming I can share the same Crypto ACL between crypto maps.
If I can use the same Crypto ACL for each crypto map, could I just use the one crypto map for all peers and just add multiple 'set peer' statements?
What I am trying to do is avoid the 50+ crypto maps and Crypto ACLs in the config.
Any help will be appreciated.
Thanks,
Javier
12-18-2003 05:18 PM
Each peer has to have a separate crypto map instance and a separate access-list that defines unique traffic to that peer.
If you put more than one peer under one crypto map instance, then the second (and subsequent) peer is used only as a backup in case the first peer goes down.
Keep in mind, though, that your access-list has to be different for each peer, so on the hub the source address can be the same but the destination subnet (for each peer) will be different.
12-29-2003 02:26 PM
Thank you for your response.
I had tested the same crypto map with two set peer statements and it is working. This is probably because the crypto ACL includes all remote subnets, which all fall within the same 16-bit mask.
I have looked for documentation that discusses how multiple peers are treated in a crypto map but cannot find anything.
It is currently working with the following config on the 7200 (hub VPN router).
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxx address 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set xxxxx_VPN esp-aes esp-sha-hmac
!
crypto map xxxxx_VPN 10 ipsec-isakmp
 description VPN Tunnel to xxxx
 set peer 172.16.x.x
 set peer 172.16.x.x
 set transform-set xxxxx_VPN
 match address VPN_ACL
!
ip access-list extended VPN_ACL
 remark VPN Tunnel to xxxx
 permit ip any 10.x.0.0 0.0.255.255
However, I am worried that this is not a supported config, even though show crypto ipsec sa shows both SAs.
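A small audit script, added here as an example (not Cisco's code and not from any poster), that parses IOS crypto-map entries like the hub config above and flags the two situations this thread discusses: an entry with more than one set peer (extra peers are failover only) and one crypto ACL shared by several entries. The sample config and its peer addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the hub config in the thread; addresses are placeholders.
SAMPLE_CONFIG = """\
crypto map xxxxx_VPN 10 ipsec-isakmp
 description VPN Tunnel to branches
 set peer 172.16.1.1
 set peer 172.16.2.1
 set transform-set xxxxx_VPN
 match address VPN_ACL
crypto map xxxxx_VPN 20 ipsec-isakmp
 set peer 172.16.3.1
 set transform-set xxxxx_VPN
 match address VPN_ACL
ip access-list extended VPN_ACL
 permit ip any 10.0.0.0 0.0.255.255
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")
SUBCMD = ("set ", "match ", "description ", "reverse-route")


def parse_crypto_maps(config):
    """Return {(map_name, seq): {'peers': [...], 'acl': name_or_None}}."""
    entries, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            entries[current] = {"peers": [], "acl": None}
        elif current and line.startswith("set peer "):
            entries[current]["peers"].append(line.split()[2])
        elif current and line.startswith("match address "):
            entries[current]["acl"] = line.split()[2]
        elif line and not line.startswith("!") and not line.startswith(SUBCMD):
            current = None  # any other top-level command ends the map block
    return entries


def audit(config):
    """Return human-readable findings for multi-peer entries and shared ACLs."""
    entries, findings, acl_users = parse_crypto_maps(config), [], defaultdict(list)
    for (name, seq), entry in sorted(entries.items()):
        if len(entry["peers"]) > 1:
            findings.append(f"{name} seq {seq}: {len(entry['peers'])} peers; "
                            "peers after the first are failover only")
        if entry["acl"]:
            acl_users[entry["acl"]].append((name, seq))
    for acl, users in acl_users.items():
        if len(users) > 1:
            findings.append(f"ACL {acl} shared by {len(users)} map entries; "
                            "each peer needs its own traffic definition")
    return findings
```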
12-30-2003 10:13 AM
I personally don't recommend a single crypto map, as in case you have to troubleshoot/change the peer IP of one location (due to an ISP change...) it may affect both locations.
Thx
MS
01-09-2004 04:04 PM
Why not investigate deploying a DMVPN solution?
http://www.cisco.com/warp/public/105/dmvpn.html
Rather than creating separate crypto ACLs for each site and having to manage 50+ tunnels, you can use NHRP to dynamically register the tunnel endpoints.
This reduces your hub router configuration substantially, and will simplify your spoke router config as well. This solution will also allow dynamic creation of tunnels between spokes, which will allow spokes to talk directly to spokes, rather than having to bounce off your Hub. (depends on your traffic patterns really)
Might be enough advantages there to investigate anyway!