Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Selective VPNs based on location


I have recently been tasked at my job with trying to configure a one-off. I have a Cisco 2811 that normally has a VPN connection back to our main office via a single interface. My crypto looks like the following:

crypto ipsec client ezvpn TEST

connect auto

group TEST key TEST

mode network-extension


username test password test1

xauth userid mode local

I have a SVI configured as follows:

interface Vlan2

description **FW_INSIDE**

ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

no autostate

crypto ipsec client ezvpn TEST inside

My Serial interface configuration as follows:

interface Serial0/0/0.1 point-to-point

ip address

ip verify unicast reverse-path

ip nat outside

ip virtual-reassembly

no cdp enable

frame-relay interface-dlci 500 IETF

crypto ipsec client ezvpn TEST

The configuration works just fine. What I've been asked to do though is giving me problems. Lets say I have multiple Serial interfaces. And based on which one is turned on, or plugged in, it will utilize THAT serial interface to create the VPN tunnel.

So lets say I have Serial0 and Serial1. My company wants it that if Serial1 is plugged in, it will use Serial1 to create the tunnel. If Serial0 is plugged in and Serial0 is unplugged, it will use Serial0.

I hope the above nonsense actually makes sense. Basically, when this device is deployed, they don't want to have to go and do any reconfiguration on the router. They just want the system to be smart enough to know which interface is plugged in, up and active and use that interface to create the tunnel. Any assistance would be greatly appreciated.


Re: Selective VPNs based on location

You could create a mulitlink interface and add each serial interface to the bundle. Then apply your crypto map to the multilink interface. This is of course assuming you can use the same IP on either/both serial interfaces.


interface Serial0/2/0:0

no ip address

encapsulation ppp


ppp multilink group 2

interface Serial0/2/1:0

no ip address

encapsulation ppp

ppp multilink

ppp multilink group 2

interface Multilink2

description MLPPP Link for Point-To-Point

ip ip address

ip route-cache flow

no ip mroute-cache

crypto ipsec client ezvpn TEST

ppp multilink

ppp multilink links maximum 4

ppp multilink group 2

ppp multilink fragment disable

Hope that helps.