
help - two IPsec VPN

usuario0001
Level 1

Hi all,

I'd like to implement two IPsec VPNs, one between two Cisco 2811 routers and the other between one of the routers and a Cisco VPN Client.

My question is how to do it with Fa0/0 on router 1 as the destination in both cases.

I have this configuration in router 1,

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map clientmap

And I'd like to add 'crypto map IPSEC_VPN' to Fa0/0, but if I add this command the other crypto disappears.

Can anybody help me?

Thanks in advance

4 Replies

Collin Clark
VIP Alumni

You can only have one crypto map applied to an interface (which I'm sure you've figured out by now). Here's a configuration guide that should help.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

Also here is an excellent VPN troubleshooting guide.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Hope that helps.

And can I have two VPNs with the same crypto map? One for a site-to-site connection and the other one for a VPN with the Cisco Client.

Thanks

You would have one dynamic crypto map that is applied to the interface, but the dynamic crypto map will use the two static crypto maps - the L2L and the client.

So the configuration can be something like this?

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
 key cisco123
 pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
!
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN isakmp authorization list groupauthor
crypto map IPSEC_VPN client configuration address respond
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map IPSEC_VPN

Thanks and regards
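
A small checker for the two points this thread turns on, added here as an example (not code from any poster or from Cisco): it parses a pasted IOS configuration and reports crypto maps that are defined but not applied, interfaces given more than one crypto map, and references to transform-sets or dynamic-maps that are not defined. The function name `audit` and the wording of the findings are assumptions of this example; `CONFIG` holds the crypto-relevant lines of the last configuration posted above.

```python
import re

# Crypto-relevant lines of the last configuration posted in the thread.
CONFIG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 crypto map IPSEC_VPN
"""

def audit(config):
    """Return findings; indentation is ignored because forum pastes lose it."""
    defined = {"transform-set": set(), "dynamic-map": set()}
    maps, refs, bound, block = set(), [], {}, ""
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            defined["transform-set"].add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
            defined["dynamic-map"].add(m[1])
            block = line
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp(?: dynamic (\S+))?", line):
            maps.add(m[1])              # numbered entry of a crypto map
            block = line
            if m[2]:
                refs.append((line, "dynamic-map", m[2]))
        elif m := re.match(r"interface (\S+)", line):
            block = m[1]
            bound[block] = []
        elif m := re.match(r"set transform-set (.+)", line):
            refs += [(block, "transform-set", n) for n in m[1].split()]
        elif (m := re.fullmatch(r"crypto map (\S+)", line)) and block in bound:
            bound[block].append(m[1])   # bare name under an interface = binding
    out = [f"{where}: {kind} {name} is not defined"
           for where, kind, name in refs if name not in defined[kind]]
    for intf, names in bound.items():
        if len(names) > 1:              # IOS keeps one crypto map per interface
            out.append(f"{intf}: {len(names)} crypto maps applied, only {names[-1]} is kept")
        out += [f"{intf}: crypto map {n} has no entries" for n in names if n not in maps]
    applied = {n for names in bound.values() for n in names}
    out += [f"crypto map {n} is not applied to any interface" for n in sorted(maps - applied)]
    return out

print("\n".join(audit(CONFIG)) or "no findings")
```

Run on the last posted configuration, it reports that `dynmap` still references transform-set `myset`, which that configuration no longer defines.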