Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k

Two site to site VPNs on the same Cisco router

Hi,

We have two sites in our company (main and branch offices). Both sites have two ADSL connections to internet. Both sites have a Cisco 2911 router with two HWIC interfaces each. I would like to know if the following scenario is possible.

We would like to create two site to site VPNs that will connect our two sites. We want the first VPN to be used for RDP traffic (we would like RDP traffic to pass through first VPN). We want the second VPN to be used for file copying between the two sites (we would like file copying traffic to pass through the second VPN).

How can we achieve this goal?

Thanks in advanced.

9 REPLIES
New Member

Re: Two site to site VPNs on the same Cisco router

You could use the policy based routing and protocol map for directing the rdp via "vpn1" and other traffic via "vpn2"

Re: Two site to site VPNs on the same Cisco router

Thanks for your reply,

In policy based routing we must define match and set clause.

What we must put on set clause?

Thanks again.

Re: Two site to site VPNs on the same Cisco router

This could be a bit complex ... over the internet the VPN peers would be reachable via both the links, so you cannot guarantee which VPN uses which ADSL connection

What you could do is add a static entry on the routers for the other side VPN to egress out the required ADSL connection.

On the inside interface, do PBR and set the other side interface ip address based on your matching criteria. The router would do a reverse lookup and use the above static entry and associated ADSL connection to exit out

HTH

Narayan

Re: Two site to site VPNs on the same Cisco router

Hi, I am trying to create the two VPNs I was talking about in the beginning of the post.

The first VPN is created and is up. I have created the second VNP using Cisco Configuration Professional. When I am trying to test it through CP I get the following message:

The peer must be routed through the crypto map interface. The following peer(s) are routed through non-crypto mp interface: 1) "public IP address of the others side router".

What do I have to do? Is it possible to have two VPNs with the same source and destination network using different HWIC Interfaces (VPN0 must use the Dialer0 and VPN1 must use Dialer1)? The network ID of site0 is 192.168.1.0 and the network ID of site1 is 192.168.4.0.

Thanks

Re: Two site to site VPNs on the same Cisco router





Its possible to have two VPNs from the same Source and destination address, However, note that Only the primary IPsec VPN will be active at a time, the Secondary connection wont be active UNLESS the primary link goes down.


Note:

Try to manually deactivate the first Ipsec tunnel and you will notice the backup Ipsec link comes back online.




HTH
Mohamed

Re: Two site to site VPNs on the same Cisco router

Hi Mohamed

You are saying that is not possible to have two active VPNs from a source network to a destination network through a cisco router.

Consequently, you are saying that is not possible to have RDP using the first VPN and File Copying using the second VPN?

Is that right?

Thanks.

Re: Two site to site VPNs on the same Cisco router

Yes thats right,  you cant forward traffic using the secondary as long as the primary link is active. The Secondary IPsec tunnel would be a backup for the Primary one and traffic can be forwarded once the primary link fails.

Note:

We are talking about 2 IPsec tunnels using the same source to the same destination Networks.

HTH

Mohamed

Re: Two site to site VPNs on the same Cisco router

Yes, we are talking about 2 IPsec tunnels using the same source to the same destination Networks.

Is there a workaround to achive this.

Thanks,

Re: Two site to site VPNs on the same Cisco router

The Only workaround I can think of is to split your Inside Network, for example if you have a Network 192.168.1.0/24, try to have this network spilited to 192.168.1.0/25 and 192.168.1.128/25.

Then configure two IPsec tunnels , One is having a Source Network of 192.168.1.0/25 accessing a destination Network of whatever, and a Second one of a source Network of 192.168.1.128/25 accessing the same destination Network.

With the above, both IPsec tunnels will be active and forwarding at the same time.

Let me know if you have any other inquiries,

HTH

Mohamed

984
Views
0
Helpful
9
Replies
CreatePlease to create content