Multiple VPN tunnels from one int?
Yep, that pretty much summed it up... but to elaborate:
I have an existing 1842 ISR that is our end of a permanent VPN tunnel to a vendor. I've now been asked to provide a second tunnel to another partner, and though I've never tried this before, I believe it should be possible... that is, using the same router and the same external (publicly IP'd) interface to handle multiple VPN tunnels. Right?
The existing int config is:
!
int f0/0/0
ip address 207.235.21.39 255.255.255.240
ip access-group 108 in
crypto map HRdeptMap
!
I can imagine how to adjust my ACL (108) to allow traffic from not just one endpoint but now two, and I know how to set up crypto maps and transform sets. My uncertainty is how the interface is built to allow two crypto maps.
From you techies that have done this... thoughts?
Thanks,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
burbankmarc Member Posts: 460
Create a new everything as if it's the only tunnel, then instead of making a new crypto map just add another line to it:
crypto map mymap 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address vpn1
crypto map mymap 2 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set myset2
 match address vpn2
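As an added example (not code from the thread or from any poster), a small Python checker that parses IOS-style crypto map entries plus the crypto map applied to each interface, then flags the two mistakes this layout invites: a later entry reusing an ACL already matched by an earlier one (it is shadowed, since entries are tried in sequence order) and more than one crypto map set applied to the same interface (IOS keeps one set per interface). The sample config and all names in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample IOS config (not from the thread): one crypto map set with
# two static entries, one per partner, applied once to the outside interface.
SAMPLE_CONFIG = """\
crypto map HRdeptMap 1 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address vpn1
crypto map HRdeptMap 2 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set myset2
 match address vpn2
interface FastEthernet0/0/0
 crypto map HRdeptMap
"""

def parse(config):
    """maps[name][seq] -> {dynamic, peer, transform-set, address}; ifaces[iface] -> map sets applied."""
    maps, ifaces, entry, iface = defaultdict(dict), defaultdict(list), None, None
    for line in config.splitlines():
        if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?", line):
            entry, iface = maps[m[1]].setdefault(int(m[2]), {"dynamic": bool(m[3])}), None
        elif m := re.match(r"interface (\S+)", line):
            entry, iface = None, m[1]
        elif not line.startswith(" "):
            entry = iface = None
        elif entry is not None and (m := re.match(r" (set peer|set transform-set|match address) (\S+)", line)):
            entry[m[1].split()[-1]] = m[2]  # keys: peer, transform-set, address
        elif iface and (m := re.match(r" crypto map (\S+)$", line)):
            ifaces[iface].append(m[1])
    return maps, ifaces

def audit(config):
    """Return findings; an empty list means the multi-peer layout is sound."""
    (maps, ifaces), findings = parse(config), []
    for name, entries in maps.items():
        seen_acl = {}
        for seq, e in sorted(entries.items()):
            if e["dynamic"]:
                continue  # dynamic entries take peer/ACL from the dynamic map, not checked here
            findings += [f"{name} {seq}: missing {k}" for k in ("peer", "transform-set", "address") if k not in e]
            acl = e.get("address")
            if acl in seen_acl:  # entries are tried in sequence order, so this one never matches
                findings.append(f"{name} {seq}: ACL {acl} already matched by entry {seen_acl[acl]}")
            elif acl:
                seen_acl[acl] = seq
    for iface, applied in ifaces.items():
        if len(applied) > 1:  # IOS keeps a single crypto map set per interface
            findings.append(f"{iface}: {len(applied)} crypto map sets applied, only one takes effect")
    return findings
```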
PhildoBaggins Member Posts: 276
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPN 10 match address DP_VPN_ESN
crypto map VPN 10 set peer 123.123.123.123
crypto map VPN 10 set transform-set 3des-sha1
crypto map VPN 10 set phase1-mode aggressive
crypto map VPN 20 match address DP_VPN
crypto map VPN 20 set peer 123.123.123.123
crypto map VPN 20 set transform-set 3des-sha1
crypto map VPN 30 match address DP_VPN_Hudson
crypto map VPN 30 set peer 123.123.123.123
crypto map VPN 30 set transform-set 3des-sha1
crypto map VPN 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map VPN interface outside
millworx Member Posts: 290
Yes it will work just fine. I currently have 800 tunnel interfaces hanging off one router all to different end points.
Just be sure you have a separate tunnel interface for each endpoint, as well as a different crypto match and ACL, and you will be good.
Currently Reading:
CCIE: Network Security Principals and Practices
CCIE: Routing and Switching Exam Certification Guide