Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1472
Views
0
Helpful
9
Replies

Two site to site VPNs on the same Cisco router

CHARALAMPOS TRIANTAFYLLIDIS
Level 1
Level 1

‎11-22-2010 02:44 AM - edited ‎03-04-2019 10:32 AM

Hi,

We have two sites in our company (main and branch offices). Both sites have two ADSL connections to internet. Both sites have a Cisco 2911 router with two HWIC interfaces each. I would like to know if the following scenario is possible.

We would like to create two site to site VPNs that will connect our two sites. We want the first VPN to be used for RDP traffic (we would like RDP traffic to pass through first VPN). We want the second VPN to be used for file copying between the two sites (we would like file copying traffic to pass through the second VPN).

How can we achieve this goal?

Thanks in advanced.

Labels:
0 Helpful
9 Replies 9

Panos Bouras
Level 1
Level 1

‎11-22-2010 03:09 AM

You could use the policy based routing and protocol map for directing the rdp via "vpn1" and other traffic via "vpn2"

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
0 Helpful

CHARALAMPOS TRIANTAFYLLIDIS
Level 1
Level 1
In response to Panos Bouras

‎11-22-2010 03:22 AM

Thanks for your reply,

In policy based routing we must define match and set clause.

What we must put on set clause?

Thanks again.

0 Helpful

royalblues
Level 10
Level 10
In response to CHARALAMPOS TRIANTAFYLLIDIS

‎11-22-2010 04:54 AM

This could be a bit complex ... over the internet the VPN peers would be reachable via both the links, so you cannot guarantee which VPN uses which ADSL connection

What you could do is add a static entry on the routers for the other side VPN to egress out the required ADSL connection.

On the inside interface, do PBR and set the other side interface ip address based on your matching criteria. The router would do a reverse lookup and use the above static entry and associated ADSL connection to exit out

HTH

Narayan

0 Helpful

CHARALAMPOS TRIANTAFYLLIDIS
Level 1
Level 1
In response to royalblues

‎11-29-2010 04:33 AM

Hi, I am trying to create the two VPNs I was talking about in the beginning of the post.

The first VPN is created and is up. I have created the second VNP using Cisco Configuration Professional. When I am trying to test it through CP I get the following message:

The peer must be routed through the crypto map interface. The following peer(s) are routed through non-crypto mp interface: 1) "public IP address of the others side router".

What do I have to do? Is it possible to have two VPNs with the same source and destination network using different HWIC Interfaces (VPN0 must use the Dialer0 and VPN1 must use Dialer1)? The network ID of site0 is 192.168.1.0 and the network ID of site1 is 192.168.4.0.

Thanks

0 Helpful

Mohamed Sobair
Level 7
Level 7
In response to CHARALAMPOS TRIANTAFYLLIDIS

‎11-29-2010 04:40 AM

Hi CHARALAMPOS TRIANTAFYLLIDIS,




Its possible to have two VPNs from the same Source and destination address, However, note that Only the primary IPsec VPN will be active at a time, the Secondary connection wont be active UNLESS the primary link goes down.


Note:

Try to manually deactivate the first Ipsec tunnel and you will notice the backup Ipsec link comes back online.




HTH
Mohamed
0 Helpful

CHARALAMPOS TRIANTAFYLLIDIS
Level 1
Level 1
In response to Mohamed Sobair

‎11-29-2010 05:25 AM

Hi Mohamed

You are saying that is not possible to have two active VPNs from a source network to a destination network through a cisco router.

Consequently, you are saying that is not possible to have RDP using the first VPN and File Copying using the second VPN?

Is that right?

Thanks.

0 Helpful

Mohamed Sobair
Level 7
Level 7
In response to CHARALAMPOS TRIANTAFYLLIDIS

‎11-29-2010 06:31 AM

Yes thats right,  you cant forward traffic using the secondary as long as the primary link is active. The Secondary IPsec tunnel would be a backup for the Primary one and traffic can be forwarded once the primary link fails.

Note:

We are talking about 2 IPsec tunnels using the same source to the same destination Networks.

HTH

Mohamed

0 Helpful

CHARALAMPOS TRIANTAFYLLIDIS
Level 1
Level 1
In response to Mohamed Sobair

‎11-29-2010 06:49 AM

Yes, we are talking about 2 IPsec tunnels using the same source to the same destination Networks.

Is there a workaround to achive this.

Thanks,

0 Helpful

Mohamed Sobair
Level 7
Level 7
In response to CHARALAMPOS TRIANTAFYLLIDIS

‎11-29-2010 07:05 AM

The Only workaround I can think of is to split your Inside Network, for example if you have a Network 192.168.1.0/24, try to have this network spilited to 192.168.1.0/25 and 192.168.1.128/25.

Then configure two IPsec tunnels , One is having a Source Network of 192.168.1.0/25 accessing a destination Network of whatever, and a Second one of a source Network of 192.168.1.128/25 accessing the same destination Network.

With the above, both IPsec tunnels will be active and forwarding at the same time.

Let me know if you have any other inquiries,

HTH

Mohamed

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card