
IPSec to multiple sites through a single physical interface?

nihal.akbulut
Level 1

Hi,

I have a problem with IPsec. My 7200 has only one physical interface to the Internet, and I have many customer sites. I have to establish IPsec to some customer routers over the Internet. Normally the way is to create a single crypto map with a different sequence number for each customer site and apply it to the out interface. But I can't do this because the IP addresses overlap on customer sites. So I have separate VRFs for each customer site. I'm confused at this point. How will I do IPsec to different sites with VRFs?

3 Replies

umedryk
Level 5

I think you can use the crypto maps even with overlapping addresses; I guess that would be simpler.

I assume the public IP addresses of the VPN routers at customer premises do not overlap with other customers. If this is the case, there should be no problem setting up the IPSEC tunnels.

In case customer internal networks are overlapping then GRE tunneling in combination with NAT could be a solution.

Thanks for your time. Actually, I found a solution. There is a new feature, the ISAKMP profile. As you said, normally with no overlapping customer networks it's possible to make a long crypto map, and selection is made based on match address statements. But in my scenario the customer networks overlap. With the new ISAKMP profile feature the selection is made based on peer IP address, and it fixes my problem. Also, with this new feature you can add different VRFs to separate parts of the crypto map.

Thanks again.
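
The approach described in the last reply, as an added configuration sketch that is not part of the original thread: one crypto map on the single Internet-facing interface, with each sequence number bound to an ISAKMP profile that matches the peer address and places the tunnel in that customer's VRF. All VRF, keyring, profile and map names, the interface name, the RFC 5737 addresses, the ACL numbers and the pre-shared keys are placeholders assumed for illustration.

```cisco
! Constructed example: every name, address and key below is a placeholder.
ip vrf CUST-A
 rd 65000:1
ip vrf CUST-B
 rd 65000:2
!
! One keyring per customer so a pre-shared key is only valid for its own peer
crypto keyring KR-CUST-A
 pre-shared-key address 192.0.2.10 key <PSK-CUST-A>
crypto keyring KR-CUST-B
 pre-shared-key address 198.51.100.20 key <PSK-CUST-B>
!
! The profile is selected by the peer's public address, not by inner subnets,
! and the "vrf" line places the decrypted traffic in that customer's VRF
crypto isakmp profile PROF-CUST-A
 vrf CUST-A
 keyring KR-CUST-A
 match identity address 192.0.2.10 255.255.255.255
crypto isakmp profile PROF-CUST-B
 vrf CUST-B
 keyring KR-CUST-B
 match identity address 198.51.100.20 255.255.255.255
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Both customers use 10.1.1.0/24 behind their routers (the overlap)
access-list 101 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 172.16.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map INTERNET 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-AES
 set isakmp-profile PROF-CUST-A
 match address 101
crypto map INTERNET 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS-AES
 set isakmp-profile PROF-CUST-B
 match address 102
!
interface GigabitEthernet0/0
 crypto map INTERNET
!
! Each VRF routes its copy of the overlapping prefix out via the global table
ip route vrf CUST-A 10.1.1.0 255.255.255.0 203.0.113.1 global
ip route vrf CUST-B 10.1.1.0 255.255.255.0 203.0.113.1 global
```

After the tunnels come up, `show crypto session` and `show ip route vrf CUST-A` are the quickest checks that each peer landed in its own VRF rather than in the global table or in another customer's.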