Hub and Spoke IPSec VPN

nikalleyne · ‎09-12-2011

Guys,

When it comes to creating a site to site VPN on Cisco IOS, I have a clear understanding of that from a 1-1 perspective4. However, I now need to extend that site to site VPN to have now more like a hub and spoke, 1 to many.

So basically for a 1 to 1 site mapping I would do something like below. I would appreciate some suggestions on how to extend this or redesign it to suit. Thanks

crypto isakmp policy 10

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key nik address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set mySet ah-md5-hmac

!

crypto map myMap 5 ipsec-isakmp

set peer xx.0.0.2

set transform-set mySet

match address CW-VIC

interface FastEthernet0/0

ip address xx.0.0.2 255.255.255.x

duplex auto

speed auto

crypto map myMap

ip access-list extended VPN-TRAF

permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255

nikalleyne · ‎09-13-2011

Guys,

I've figured this out.

For anyone else in the future having this issue

While you cannot add more than one crypto map to the interface, you can add numbers at the end of the map.

!

--- PEER 1

crypto map myMap 5 ipsec-isakmp

set peer X0.0.0.2

set transform-set mySet

match address 100

access-list 100 permit ip 172.30.0.0 0.0.255.255 172.17.10.0 0.0.0.255

--- PEER 2

crypto map myMap 20 ipsec-isakmp

set peer Y0.0.0.2

set transform-set mySet

match address 102

access-list 102 permit ip 172.30.0.0 0.0.255.255 172.16.10.0 0.0.0.255

Hope this helps someone in the future

Richard Burts · ‎09-13-2011

I am glad that you worked out a solution for your own problem. Sometimes these are the best lessons that we learn. Thank you for posting back to the forum that you had solved it and wat the solution was. +5 to you for this.

HTH

Rick

HTH

Rick