Multiple VPN tunnels from one int?

mikearama

Yep, that pretty much summed it up... but to elaborate:

I have an existing 1842 ISR that is our end of a permanent VPN tunnel to a vendor. I've now been asked to provide a second tunnel to another partner, and though I've never tried this before, I believe it should be possible... that is, using the same router and the same external (publicly IP'd) interface to handle multiple VPN tunnels. Right?

The existing int config is:

!
int f0/0/0
ip address 207.235.21.39 255.255.255.240
ip access-group 108 in
crypto map HRdeptMap
!

I can image how to adjust my ACL (10 to allow traffic from not just one endpoint but now two, and I know how to set up crypto maps and transform sets. My uncertainty is how the interface is built to allow two crypto maps.

From you techies that have done this... thoughts?

Thanks,
Mike

burbankmarc

Create a new everything as if it's the only tunnel, then instead of making a new crypto map just add another line to it:

crypto map mymap 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address vpn1
crypto map mymap 2 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set myset2
 match address vpn2