Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Adding a 3rd site to existing 876 VPN routers


I have 2 876 routers which connect trough a GRE IPsec tunnel. Also the routers by default use the ISDN port as backup in case the DSL fails.

I have 2 questions

a. If a add a 3rd site do i need to configure a separate GRE tunnel/crypto map etc or just add the details of the 3rd site to my existing config?

b. I saw that through SDM i only have the option of inserting the 'dial string' of the remote site. In this scenario i need to configure dialer map for each remote site. Will it work in 876 so that the central site dial to 2 separate destinations?

Please repply if you have any info because i am troubled if i need to keep 876 for my central site or upgrade to 1841 model, which is quite expensive.

many thanks



Re: Adding a 3rd site to existing 876 VPN routers


876 routers support 10 ipsec tunnels so you won't need to upgrade.

To configure the new site then just add it as a seperate VPN tunnel. I imagine you'll want to create a mesh? You can then setup your routing layer to reflect your chosen topology.


New Member

Re: Adding a 3rd site to existing 876 VPN routers

Greetings and thanks gor your quick reply. I feel puzzled in 2 things.

1.My current tunnel from central to site 1 is in subnet 10.0.0.X / and .2)

Can the new tunnel for site 2 be or a new subnet e.g. is required?

2. I run 'show startup config' and found 2 crypto isakamp policys. See below (i have removed the real ip addresses with x1, x2,x3). How can i check which one is currently used?

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2


crypto isakmp policy 2

encr 3des

group 2

crypto isakmp key xxxxx address x1

crypto isakmp key xxxxx address x2

crypto isakmp key xxxxx address x3



crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac


crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to x2

set peer x2

set transform-set ESP-3DES-SHA

match address 100


interface Tunnel1

ip address

qos pre-classify

keepalive 1 3

tunnel source Dialer1

tunnel destination x2



interface Dialer1

description $FW_OUTSIDE$

ip address xxxxxx

ip access-group 107 in

ip nat outside

ip inspect SDM_MEDIUM out

ip virtual-reassembly

encapsulation ppp

dialer pool 2

dialer-group 2

no cdp enable

ppp authentication xxxx

ppp chap hostname xxxxx

ppp chap password 7 xxxxx

ppp pap sent-username xxxxxx password 7 xxxx

crypto map SDM_CMAP_1

I need to do this setup on an already configured router and my experience is basic so please be as descriptive as possible.

Again, thanks for your time :)