Cisco Support Community
New Member

two-ways VPN connection

I have two routers on the internet. One of them establishes a VPN connection with the other one. This works well, but I want to make the VPN a "two-way" connection. The first router can establish the VPN to the second router and the second to the first.

Thanks

6 REPLIES

Re: two-ways VPN connection

Hello,

Post your configs and we can help you with it. Pretty much you're going to mirror what you have on the current router initiating the connection on the second router.

Patrick

New Member

Re: two-ways VPN connection

Router 1

crypto isakmp key TestrdoVPN address 0.0.0.0 0.0.0.0 no-xauth

crypto dynamic-map vpn-dynamic 10

set transform-set vpn-des vpn-3des

set pfs group2

match address 199

crypto map vpn-client 1 ipsec-isakmp dynamic vpn-dynamic

access-list 199 permit ip 10.200.1.0 0.0.0.255 10.200.2.0 0.0.0.255

access-list 199 permit ip 172.200.1.0 0.0.0.255 172.200.2.0 0.0.0.255

Router 2

crypto isakmp key TestrdoVPN address 1.1.1.1 no-xauth

crypto map vpn-client 50 ipsec-isakmp

set peer 1.1.1.1

set transform-set vpn-3des

set pfs group2

match address 199

access-list 199 permit ip 10.200.2.0 0.0.0.255 10.200.1.0 0.0.0.255

access-list 199 permit ip 172.200.2.0 0.0.0.255 172.200.1.0 0.0.0.255

Silver

Re: two-ways VPN connection

Router 1

crypto isakmp key TestrdoVPN address 2.2.2.2 no-xauth

crypto map vpn-client 50 ipsec-isakmp

set peer 2.2.2.2

set transform-set vpn-3des

set pfs group2

match address 199

access-list 199 permit ip 10.200.1.0 0.0.0.255 10.200.2.0 0.0.0.255

access-list 199 permit ip 172.200.1.0 0.0.0.255 172.200.2.0 0.0.0.255

This should do on the router 1

New Member

Re: two-ways VPN connection

Do I have something to remove?

Silver

Re: two-ways VPN connection

If these are the only sites then you can just have this config. If there are many more sites which need the dynamic IPsec, you can have that too with the static IPsec; ensure that the static IPsec comes before the dynamic IPsec in the crypto sequence.

Hall of Fame Super Gold

Re: two-ways VPN connection

I think that Gautam is saying something implicitly and I think it may help to make it explicit. The original config uses dynamic crypto map. The advantage of dynamic crypto map is that it can support multiple remote peers without having to configure any remote peers. But dynamic crypto map sessions can only be initiated from the remote.

Gautam is suggesting that router 1 change from dynamic crypto map to static crypto map (at least for the connection to router 2). The advantage of static crypto map is that either peer may initiate the connection. But static crypto map must explicitly configure each remote peer.

So whether anything needs to be removed depends on whether there are other remote peers. My guess, based on what is contained in the original post, is that there are only two routers involved in this. If that is so, then remove the dynamic crypto map and replace it with the static crypto map. If there are other remote peers then retain the dynamic crypto map.

HTH

Rick
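
The arrangement discussed in this thread, for the case where Router 1 keeps its dynamic crypto map for other remote peers, written out as an added example that is not part of any post above. It reuses the names, key and addresses from the posted configs; the sequence number 100 for the dynamic entry is an assumption, chosen only because it is higher than the static entry's 50.

```cisco
! Router 1, global configuration mode (added example)
!
! Peer-specific pre-shared key for Router 2 (2.2.2.2).
crypto isakmp key TestrdoVPN address 2.2.2.2 no-xauth
!
! The wildcard key from the original post stays only if other remote
! peers still connect through the dynamic map. Any peer that knows this
! key is accepted, so remove it together with the dynamic map when
! Router 2 is the only remote site.
crypto isakmp key TestrdoVPN address 0.0.0.0 0.0.0.0 no-xauth
!
! The dynamic entry was referenced at sequence 1, which is evaluated
! before the static entry at 50. Remove that reference first.
no crypto map vpn-client 1
!
! Static entry for Router 2: either side can now initiate the tunnel.
crypto map vpn-client 50 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set vpn-3des
 set pfs group2
 match address 199
!
! Re-add the dynamic entry after the static one (100 is an assumed value).
! The "crypto dynamic-map vpn-dynamic 10" definition itself is unchanged.
crypto map vpn-client 100 ipsec-isakmp dynamic vpn-dynamic
!
! Interesting traffic, as posted for Router 1.
access-list 199 permit ip 10.200.1.0 0.0.0.255 10.200.2.0 0.0.0.255
access-list 199 permit ip 172.200.1.0 0.0.0.255 172.200.2.0 0.0.0.255
```

`show crypto map` on Router 1 lists the entries under vpn-client with their sequence numbers, which confirms that the static entry for 2.2.2.2 precedes the dynamic one.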
