05-26-2009 07:18 AM - edited 02-21-2020 04:14 PM
Hi all,
I'd like to implement two IPsec VPNs, one between two Cisco 2811 routers and the other between one of the routers and a Cisco VPN Client.
My question is how to do it with Fa0/0 on router 1 as the destination in both cases.
I have this configuration in router 1,
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
key cisco123
pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
match address 103
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map clientmap
And I'd like to add 'crypto map IPSEC_VPN' to Fa0/0, but if I add this command the other crypto disappears.
Can anybody help me?
Thanks in advance
05-28-2009 05:40 AM
You can only have one crypto map applied to an interface (which I'm sure you've figured out by now). Here's a configuration guide that should help.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml
Also here is an excellent VPN troubleshooting guide.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Hope that helps.
05-28-2009 11:16 PM
And can I have two VPNs with the same crypto map? One for a site-to-site connection and the other one for a VPN with the Cisco Client.
Thanks
05-29-2009 04:59 AM
You would have one dynamic crypto map that is applied to the interface, but the dynamic crypto map will use the two static crypto maps: the L2L and the client.
06-04-2009 12:14 AM
So the configuration can be something like this?
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key mykey address xxx.xxx.xxx.xxx
!
crypto isakmp client configuration group 3000client
key cisco123
pool ippool
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set ESP-3DES-SHA
match address 103
!
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN isakmp authorization list groupauthor
crypto map IPSEC_VPN client configuration address respond
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map IPSEC_VPN
Thanks and regards
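An offline check for the merged configuration in the last post, as an added example that is not part of the thread and not a Cisco tool: it flags a transform set that is referenced but never defined, a crypto map that is never applied to an interface, and a site-to-site pre-shared key without the `no-xauth` keyword while Xauth is enabled on the applied map. The names `lint_crypto` and `MERGED` are hypothetical; the sample lines are copied from the post.

```python
import re

# Sample input: crypto-related lines copied from the merged configuration above.
MERGED = """\
crypto isakmp key mykey address xxx.xxx.xxx.xxx
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address 103
crypto map IPSEC_VPN client authentication list userauthen
crypto map IPSEC_VPN 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 crypto map IPSEC_VPN
"""

def lint_crypto(config):
    """Return a sorted list of findings for the crypto section of an IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]

    def grab(pattern):
        # Captured groups of every line that matches the pattern in full.
        return [m.groups() for ln in lines if (m := re.fullmatch(pattern, ln))]

    findings = []
    # 1. Every transform set named in a map entry must be defined.
    defined = {name for (name,) in grab(r"crypto ipsec transform-set (\S+) .+")}
    used = {n for (names,) in grab(r"set transform-set (.+)") for n in names.split()}
    findings += [f"transform-set {n} is used but not defined" for n in used - defined]
    # 2. A crypto map has no effect until it is applied to an interface.
    entries = {name for (name,) in grab(r"crypto map (\S+) \d+ ipsec-isakmp.*")}
    applied = {name for (name,) in grab(r"crypto map (\S+)")}
    findings += [f"crypto map {n} is not applied to any interface"
                 for n in entries - applied]
    # 3. With Xauth on the applied map, the router also requests Xauth from the
    #    site-to-site peer unless that peer's key carries the no-xauth keyword.
    xauth = {name for (name,) in grab(r"crypto map (\S+) client authentication list \S+")}
    if xauth & applied:
        findings += [f"pre-shared key for peer {peer} lacks no-xauth"
                     for (peer, rest) in grab(r"crypto isakmp key \S+ address (\S+)(.*)")
                     if "no-xauth" not in rest.split()]
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_crypto(MERGED):
        print(finding)
```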