Cisco Support Community
New Member

Dynamic and non-dynamic tunnels

I have a router that has a dynamic connection to a site. The vendor is changing to a new site that will be using a traditional ACL and VPN. It is my understanding that I must use two separate crypto maps for this. Since all the traffic originates on the same ingress Ethernet port, how do I get it so both tunnels can be triggered? I have created null interfaces, but obviously the traffic won't go through them.

I know I am missing something obvious here.

1 REPLY
New Member

Re: Dynamic and non-dynamic tunnels

"I have a router that has a dynamic connection to a site."

It sounds like you may be using EzVPN now. Are you? If you are and need to change to a regular LAN to LAN setup then you may need to use Tunnel Endpoint Discovery.

(config)#crypto isakmp key PASSWORD 0.0.0.0 0.0.0.0

--------------------------------------------------

"Since all the traffic originates on the same ingress ethernet port how do I get it so both tunnels can be triggered?"

If all you need to do is create a different tunnel to each site then you have already answered your question. Use 2 Crypto Map statements.

You can terminate more than one tunnel on the same interface (using several crypto map statements that reference different IPSec peers or by using DMVPN). You just can't bind more than one actual crypto map on the same interface.

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
!
crypto map VPNTRAFFIC 20 ipsec-isakmp
 match address 101
 set transform-set WHATEVERYOUUSE
 ! peer for site 2 (old)
 set peer 2.2.2.2
crypto map VPNTRAFFIC 30 ipsec-isakmp
 match address 102
 set transform-set WHATEVERYOUUSE
 ! peer for site 3 (new)
 set peer 3.3.3.3
!
interface e0
 ! the external interface
 ip address dhcp
 crypto map VPNTRAFFIC
!
interface e1
 ! the LAN interface
 ip address 10.1.1.1 255.255.255.0

Traffic from site 1 (your LAN, 10.1.1.x) going to site 2 (10.1.2.x) will create a Security Association with peer 2.2.2.2.

Traffic from site 1 (your LAN, 10.1.1.x) going to site 3 (10.1.3.x) will create a Security Association with peer 3.3.3.3.

--------------------------------------------

Once again:

Make sure (if it is a dynamic connection) you use Tunnel Endpoint Discovery on the non-dynamic endpoint (the one with a static IP address). You do not have to use the 'peer' statements on the routers with 'dynamic' connections.

(config)#crypto isakmp key PASSWORD 0.0.0.0 0.0.0.0

Cisco has a lot of documentation on this, but here is also some info from my site: http://www.getconnected-it.com.phtemp.com/infoarch.html

hope this helps
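As an added example (not part of the original reply), the following Python models the selection behaviour the reply describes: IOS walks the entries of the single crypto map bound to the interface in sequence-number order and builds an SA with the peer of the first entry whose ACL permits the packet, so two entries on one interface are enough. The ACL and peer values are the reply's own; the class and function names, and the consistency check for a `match address` that names a missing ACL, are mine.

```python
import ipaddress
from dataclasses import dataclass


def wild_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard masks are inverse masks: a 1 bit means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass(frozen=True)
class Ace:
    """One `permit ip <src> <src-wild> <dst> <dst-wild>` line."""
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, src: str, dst: str) -> bool:
        return (wild_match(src, self.src, self.src_wild)
                and wild_match(dst, self.dst, self.dst_wild))


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int    # sequence number; lower is evaluated first
    acl: int    # `match address <acl>`
    peer: str   # `set peer <ip>`


# Constructed from the reply's configuration: ACL 101 -> old site 2,
# ACL 102 -> new site 3, both entries in the single map VPNTRAFFIC.
ACLS = {
    101: [Ace("10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255")],
    102: [Ace("10.1.1.0", "0.0.0.255", "10.1.3.0", "0.0.0.255")],
}
CRYPTO_MAP = [CryptoMapEntry(20, 101, "2.2.2.2"),
              CryptoMapEntry(30, 102, "3.3.3.3")]


def select_peer(src, dst, entries=CRYPTO_MAP, acls=ACLS):
    """Peer of the lowest-sequence entry whose ACL permits src->dst;
    None means the packet leaves the interface unencrypted."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if any(ace.matches(src, dst) for ace in acls.get(entry.acl, [])):
            return entry.peer
    return None


def undefined_acls(entries=CRYPTO_MAP, acls=ACLS):
    """Sequence numbers whose `match address` names an ACL that is not
    configured: that entry can never match, so its tunnel never comes up."""
    return [e.seq for e in entries if e.acl not in acls]
```

Running `select_peer` on a LAN host's traffic to each remote subnet returns the matching peer, and traffic to any other destination returns None, which is exactly the case where no SA is triggered.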
