Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Add a new ipsec connection to a interface (another session already working)

Hi , guys as tittle says :

I already have an ipsec session running.

Now I need to establish another ipsec tunnel with a different peer and not related traffic.

Documentation mention that it is not possible to asign more than one crypto map to an interface.

I only have a public interface, so how to achieve that??

btw: 

I also need to be sure about the config ... I can not turn down the existing connection.

Here is my config.

**********************************************************************************************************

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp key [someKey] address 200.222.222.1  

!

crypto ipsec transform-set MYTRANSFORM esp-3des esp-sha-hmac

!

crypto map MYMAP 10 ipsec-isakmp

description "site to site vpn to my remote"

set peer 200.222.222.1

set transform-set MYTRASNFORM

match address 150

!

interface GigabitEthernet0/1/1.10

encapsulation dot1Q 10

ip address 222.111.1.1 255.255.255.128

ip access-group 170 in

crypto map MYMAP

!

Extended IP access list 150

    10 permit tcp host 172.24.3.1 eq 8888 host 172.22.0.1 (2032 matches)

    20 permit ip 172.24.3.0 0.0.0.255 host 172.22.8.16

    30 permit ip 172.24.3.0 0.0.0.255 host 172.22.5.41

    40 permit ip 172.24.3.0 0.0.0.255 host 172.22.6.160 (64 matches)

Any help on that would be preciated ,

Thanks!!

Leo.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Re: Add a new ipsec connection to a interface (another session a

Hi,

Essentially you use the existing Crypto Map

So looking at your existing configuration

  • Add a new "crypto isakmp policy x" UNLESS the existing matches the new connections parameters also
  • Add a new "crypto isakmp key" configuration for this new peer
  • Add a new "crypto ipsec transform-set" configuration UNLESS the existing matches the new connections parameters also
  • Add a new "access-list" that defines the local and remote networks for this L2L VPN
  • Add a new "crypto map MYMAP x ipsec-isakmp" to the existing one

So you might add something like that to the existing "crypto map"

crypto map MYMAP 20 ipsec-isakmp

description Connection 2

set peer x.x.x.x

set transform-set

match address

Especially notice the number used in the above "crypto map MYMAP 20 ipsec-isakmp"

So to my understanding rest of the configurations you will add like normal but for the Crypto Map you will require its own number/sequence number/order number.

Also remember to add NAT0 / NAT Exemption configurations.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

Super Bronze

Add a new ipsec connection to a interface (another session alrea

Hi,

Seems that you indeed dont need a new ISAKMP Policy.

When you do configure the new L2L VPN let us know how it goes.

Please do remember to mark a reply as the correct answer if it has answered your question.

Feel free to ask more though if there is problems.

- Jouni

8 REPLIES
Super Bronze

Re: Add a new ipsec connection to a interface (another session a

Hi,

Essentially you use the existing Crypto Map

So looking at your existing configuration

  • Add a new "crypto isakmp policy x" UNLESS the existing matches the new connections parameters also
  • Add a new "crypto isakmp key" configuration for this new peer
  • Add a new "crypto ipsec transform-set" configuration UNLESS the existing matches the new connections parameters also
  • Add a new "access-list" that defines the local and remote networks for this L2L VPN
  • Add a new "crypto map MYMAP x ipsec-isakmp" to the existing one

So you might add something like that to the existing "crypto map"

crypto map MYMAP 20 ipsec-isakmp

description Connection 2

set peer x.x.x.x

set transform-set

match address

Especially notice the number used in the above "crypto map MYMAP 20 ipsec-isakmp"

So to my understanding rest of the configurations you will add like normal but for the Crypto Map you will require its own number/sequence number/order number.

Also remember to add NAT0 / NAT Exemption configurations.

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

New Member

Re: Add a new ipsec connection to a interface (another session a

Dear JounyForss , I m waiting for a windows maintanane , will let you know my resutl, of course i will mark this topic as solved, thanks for your response !!

Leo.

Super Bronze

Add a new ipsec connection to a interface (another session alrea

Hi,

For some reason the page on this post is all messed up for me after the latest post.

But onto the subject,

I am not 100% sure about the "hash" part. I would assume it could be the default. I dont see any harm configuring another policy with the "hash" if you want to be sure.

You can probably see the current connections "hash" with the following command

show crypto isakmp sa detail

- Jouni

New Member

Re: Add a new ipsec connection to a interface (another session a

I founded this:

#####################################################cli output bellow

asr1002#show crypto isakmp policy

Global IKE policy
Protection suite of priority 1
    encryption algorithm:    Three key triple DES
    hash algorithm:        Secure Hash Standard
    authentication method:    Pre-Shared Key
    Diffie-Hellman group:    #2 (1024 bit)
    lifetime:        86400 seconds, no volume limit

############################################################################3

and my tunnel requierements are:

Authentication                Method

Preshared keys

Encryption                Scheme

tunnel mode

Diffie-Hellman                Group

group 2

Encryption                Algorithm

3DES

Hashing                Algorithm

SHA

Main or                Aggressive Mode

Main

Lifetime                (Re-Negotiation)

86400 sec.

My current policy matches , I think a dont need to add a new policy.

Thanks.

Super Bronze

Add a new ipsec connection to a interface (another session alrea

Hi,

Seems that you indeed dont need a new ISAKMP Policy.

When you do configure the new L2L VPN let us know how it goes.

Please do remember to mark a reply as the correct answer if it has answered your question.

Feel free to ask more though if there is problems.

- Jouni

New Member

Re: Add a new ipsec connection to a interface (another session a

Dear JounyForss, regarding :

  • Add a new "crypto isakmp policy x" UNLESS the existing matches the new connections parameters also
  • ..........
  • In the new peer requeriment I need to set:
  • 1st phase IKE:
  • Hashing Algorithm SHA.
  • ....
  • But if you take a look to my current crypto isakmp policy:
  • !

    crypto isakmp policy 1

    encr 3des

    authentication pre-share

    group 2

    !

  • there is nothing about Hashing algorithm.

  • .....
  • So my question is:
  • Is sha hashing algorithm the default algorithm? (maybe that is why it is not listed on the configuration)
  • How to confirm wich is the hashing algorithm used on my current session.
  • And finally ...
  • I will know if a need to create a new crypto policy.
  • THKS!
  • New Member

    Re:Add a new ipsec connection to a interface (another session al

    Try this https://supportforums.cisco.com/thread/2045221


    Sent from Cisco Technical Support Android App

    Re:Add a new ipsec connection to a interface (another session al

    an exmaple for that will be as follows:

    crypto isakmp policy 1

    encr 3des

    authentication pre-share

    group 2

    crypto isakmp policy 20

    encr 3des

    authentication pre-share

    group 2

    !

    crypto isakmp key [someKey] address 200.222.222.1

    crypto isakmp key [someKey] address 1.1.1.1

    !

    crypto ipsec transform-set MYTRANSFORM esp-3des esp-sha-hmac

    crypto ipsec transform-set MYNEWTRANSFORM esp-3des esp-sha-hmac

    !

    crypto map MYMAP 10 ipsec-isakmp

    description "site to site vpn to my remote"

    set peer 200.222.222.1

    set transform-set MYTRASNFORM

    match address 150

    crypto map MYMAP 20 ipsec-isakmp

    description "site to site vpn to my remote"

    set peer 1.1.1.1

    set transform-set MYNEWTRASNFORM

    match address 20

    !

    interface GigabitEthernet0/1/1.10

    encapsulation dot1Q 10

    ip address 222.111.1.1 255.255.255.128

    ip access-group 170 in

    crypto map MYMAP

    !

    Extended IP access list 150

        10 permit tcp host 172.24.3.1 eq 8888 host 172.22.0.1 (2032 matches)

        20 permit ip 172.24.3.0 0.0.0.255 host 172.22.8.16

        30 permit ip 172.24.3.0 0.0.0.255 host 172.22.5.41

        40 permit ip 172.24.3.0 0.0.0.255 host 172.22.6.160 (64 matches)

    IP ACCESS LIST extended 20

    permit tcp x.x.x.x x.x.x.x

    Jawad

    Jawad
    375
    Views
    0
    Helpful
    8
    Replies
    CreatePlease login to create content