Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
847
Views
3
Helpful
4
Replies

IOS VPN - Hub and Spoke Configuration

javiero_2
Level 1
Level 1

‎12-15-2003 02:08 PM - edited ‎02-21-2020 12:57 PM

Hello All,

I am working on a project to create a hub-and-spoke VPN for a company that has 50+ branches. Their head-end router is a 7200 and each branch has 2600 routers.

The Crypto ACLs will basically be the same for all peers since the remote branch subnets can be summarized by a 16-bit mask. This will reduce the number of Crypto ACLs created for each crypto map.

I am assuming I can share the same Crypto ACL between crypto maps.

If I can use the same Crypto ACL for each crypto map, could I just use the one crypto map for all peers and just add multiple 'set peer' statements?

What I am trying to do is avoid the 50+ crypto maps and Crypto ACLs in the config.

Any help will be appreciated.

Thanks,

Javier

Labels:
0 Helpful
4 Replies 4

gfullage
Cisco Employee
Cisco Employee

‎12-18-2003 05:18 PM

Each peer has to have a separate crypto map instance and a separate access-list that defines unique traffic to that peer.

If you put more than one peer under one crypto map instance, then the second (and subsequent) peer is used only as a backup in the case the first peer goes down.

Keep in mind though, your access-list has to be different for each peer, so on the hub the source address can be the same but the destination subnet (for each peer) will be different.

0 Helpful

javiero_2
Level 1
Level 1
In response to gfullage

‎12-29-2003 02:26 PM

Thank you for your response.

I had tested the same crypto map with two set peer statements and it is working. This is probably because the crypto ACL includes all remote subnets that all fall within the same 16 bit mask.

I have looked for documentation that discusses how multiple peers are treated in a crypto map but cannot find anything.

It is currently working with the following config on the 7200 (hub VPN router).

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp key xxxxxxxxxxxxx address 0.0.0.0 no-xauth

!

!

crypto ipsec transform-set xxxxx_VPN esp-aes esp-sha-hmac

!

crypto map xxxxx_VPN 10 ipsec-isakmp

description VPN Tunnel to xxxx

set peer 172.16.x.x

set peer 172.16.x.x

set transform-set xxxxx_VPN

match address VPN_ACL

ip access-list extended VPN_ACL

remark VPN Tunnel to xxxx

permit ip any 10.x.0.0 0.0.255.255

However, I am worried that this is not a supported config even thought the show crypto ipsec sa shows both sa's.

0 Helpful

msheik
Level 1
Level 1
In response to javiero_2

‎12-30-2003 10:13 AM

I personally don't recommend for single Cryptomap, as incase if you have to troubleshoot/change peer IP of one location (due to ISP change..) it may effect both locations.

Thx

MS

0 Helpful

RYAN BARNES
Level 1
Level 1

‎01-09-2004 04:04 PM

Why not investigate deploying a DMVPN solution?

http://www.cisco.com/warp/public/105/dmvpn.html

Rather than create seperate crypto ACL's for each site, and having to manage 50+ tunnels, you can use NHRP to dynamically register the tunnel endpoints.

This reduces your hub router configuration substantially, and will simplify your spoke router config as well. This solution will also allow dynamic creation of tunnels between spokes, which will allow spokes to talk directly to spokes, rather than having to bounce off your Hub. (depends on your traffic patterns really)

Might be enough advantages there to investigate anyway!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents