
Multi-peer ipsec tunnel in gns3

phoeneous Member Posts: 2,333
Just having some fun experimenting with vpn tunnels. Not exactly sure where I'm going with this... Multiple ipsec vpn tunnels/crypto maps on a single interface | The Lost Packets

Comments

  • Cingular Member Posts: 81
    Brilliant! Awesome blog too mate. Favourited. ;)
    cissp, pcnse, ccnp, ccnp security, nse4
    ---

    "It's too bad she won't live. But then again, who does?" - Gaff 

  • dtlokee Member Posts: 2,378
    I'm not sure what makes this multipoint other than the multiple peers in the crypto map. What happens if you attempt to ping between the loopback interfaces on the 3 remote routers and the hub router loopback at the same time? Or the other way around?
    The only easy day was yesterday!
  • phoeneous Member Posts: 2,333
    dtlokee wrote: »
    I'm not sure what makes this multipoint other than the multiple peers in the crypto map. What happens if you attempt to ping between the loopback interfaces on the 3 remote routers and the hub router loopback at the same time? Or the other way around?

    Multi-point = one-to-many = one router has multiple peers. I wasn't referring to DMVPN. Traffic between each of the remote offices is not permitted.

    I think multi-peer makes more sense so I changed it.
  • phoeneous Member Posts: 2,333
    Cingular wrote: »
    Brilliant! Awesome blog too mate. Favourited. ;)

    Thanks!!
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    phoeneous wrote: »
    Multi-point = one-to-many = one router has multiple peers. I wasn't referring to DMVPN. Traffic between each of the remote offices is not permitted. I think multi-peer makes more sense so I changed it.
    I was actually wondering this as well. Thanks for the clarification.
  • dtlokee Member Posts: 2,378
    So if you only ping from the central site to the remote locations, without initiating the tunnel from the central site, does it work as expected? The setup you have is a failover configuration, and normally you would have separate entries in your crypto map for each remote peer that has a distinct subnet.
    The only easy day was yesterday!
  • ram1101 Member Posts: 32
    I would rather have a crypto map per site. I don't think a crypto map works that way; it would use the other peers as backup, in my experience.
    Plus you can specify the traffic that you want to allow in the ACL or traffic selector of the per-peer crypto map.
    Unless I don't understand what you are trying to do.
  • phoeneous Member Posts: 2,333
    dtlokee wrote: »
    So if you only ping from the central site to the remote locations, without initiating the tunnel from the central site, does it work as expected? The setup you have is a failover configuration, and normally you would have separate entries in your crypto map for each remote peer that has a distinct subnet.

    You're overthinking it. The West router has 3 peers. North, Central, and South each have only one peer, West.
    This was more for the CCNA:S exam and seeing how SDM interpreted my configs, not for a production implementation.
  • dtlokee Member Posts: 2,378
    I'm not overthinking anything; your config will only work when the interesting traffic is sent from the remote site first, and that was what I was attempting to point out. The use of multiple peers in the same crypto map entry is for failover, when the remote peers are in the same site and have the same interesting traffic (in the case of multiple VPN head ends at the other site). In your case you have 3 peers on the same entry, so the central site router will not be able to initiate an outbound connection from the central site to any site other than the first peer listed. The remote sites can initiate an inbound connection to the central site successfully because the access list for the interesting traffic only contains the subnet for that site. Once the IPsec SA is created, 2-way traffic will be successful because of the local and remote subnets in the IPsec session.

    I was only attempting to help you get a deeper understanding of the implications of the configuration you have developed.
    The only easy day was yesterday!
  • phoeneous Member Posts: 2,333
    dtlokee wrote: »
    I'm not overthinking anything; your config will only work when the interesting traffic is sent from the remote site first, and that was what I was attempting to point out. The use of multiple peers in the same crypto map entry is for failover, when the remote peers are in the same site and have the same interesting traffic (in the case of multiple VPN head ends at the other site). In your case you have 3 peers on the same entry, so the central site router will not be able to initiate an outbound connection from the central site to any site other than the first peer listed. The remote sites can initiate an inbound connection to the central site successfully because the access list for the interesting traffic only contains the subnet for that site. Once the IPsec SA is created, 2-way traffic will be successful because of the local and remote subnets in the IPsec session.

    I was only attempting to help you get a deeper understanding of the implications of the configuration you have developed.

    I think I understand what you're trying to say now. Do I need 3 different crypto maps on West f0/0? Can you apply multiple maps to a single interface, or do I need to break it out into 3 sub-interfaces?
  • phoeneous Member Posts: 2,333
    I think I found my answer:
    Crypto map entries with the same crypto map name, but different map sequence numbers, are grouped into a crypto map set.

    You can apply only one crypto map set to a single interface. If you create more than one crypto map entry for a given interface, use the sequence number of each map entry to rank the map entries.

    From the CCNA:S book.
  • dtlokee Member Posts: 2,378
    You make multiple crypto map entries in the same crypto map and you can keep the same transform set just change the acl and the peer:


    !
    ! Create new ACLs for each site (one per remote loopback)
    ip access-list extended WEST_NORTH_ACL
     permit ip host 22.22.22.22 host 33.33.33.33
    !
    ip access-list extended WEST_CENTRAL_ACL
     permit ip host 22.22.22.22 host 44.44.44.44
    !
    ip access-list extended WEST_SOUTH_ACL
     permit ip host 22.22.22.22 host 55.55.55.55
    !
    ! Entry 1 in the crypto map
    crypto map WEST_TO_ALL_MAP 1 ipsec-isakmp
     description VPN to NORTH
     set peer 10.100.0.2
     set transform-set WEST_TO_ALL_SET
     set pfs group2
     match address WEST_NORTH_ACL
    !
    ! Entry 2 in the crypto map
    crypto map WEST_TO_ALL_MAP 2 ipsec-isakmp
     description VPN to CENTRAL
     set peer 10.100.0.6
     set transform-set WEST_TO_ALL_SET
     set pfs group2
     match address WEST_CENTRAL_ACL
    !
    ! Entry 3 in the crypto map
    crypto map WEST_TO_ALL_MAP 3 ipsec-isakmp
     description VPN to SOUTH
     set peer 10.100.0.10
     set transform-set WEST_TO_ALL_SET
     set pfs group2
     match address WEST_SOUTH_ACL
    !

    You can increment the sequence numbers in the crypto map by 1 like this or by some other increment (I see 10 used a lot) in case you want to insert an entry in the list.
    The only easy day was yesterday!
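To make the point in the two replies above concrete, here is an added checker (not code from the thread or from Cisco) that parses IOS crypto map entries and flags the hub-side pattern dtlokee describes: several `set peer` lines in one entry (failover semantics, hub can only initiate to the first peer) or one ACL shared by several entries. The sample configs are constructed; the peer addresses and ACL names are the ones quoted in the thread, and WEST_TO_ALL_ACL is an assumed name for the original single ACL.

```python
import re

def parse_crypto_map(config):
    """Map (map_name, seq) -> {"peers": [...], "acl": name} from IOS config text."""
    entries, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            cur = (m.group(1), int(m.group(2)))
            entries[cur] = {"peers": [], "acl": None}
        elif cur and line.startswith("set peer "):
            entries[cur]["peers"].append(line.split()[2])
        elif cur and line.startswith("match address "):
            entries[cur]["acl"] = line.split()[2]
    return entries

def audit(entries):
    """Findings for the hub-side issues discussed in the thread; [] means clean."""
    findings, acl_users = [], {}
    for (name, seq), e in sorted(entries.items()):
        tag = f"{name} seq {seq}"
        if len(e["peers"]) > 1:   # failover semantics: hub only initiates to first peer
            findings.append(f"{tag}: {len(e['peers'])} peers in one entry, hub only initiates to {e['peers'][0]}")
        if e["acl"] is None:
            findings.append(f"{tag}: no match address")
        else:
            acl_users.setdefault(e["acl"], []).append(tag)
    for acl, users in acl_users.items():
        if len(users) > 1:
            findings.append(f"ACL {acl} shared by {', '.join(users)}; use one ACL per peer")
    return findings

# Constructed sample: West hub with three peers in one entry (the thread's original).
BEFORE = """crypto map WEST_TO_ALL_MAP 1 ipsec-isakmp
 set peer 10.100.0.2
 set peer 10.100.0.6
 set peer 10.100.0.10
 match address WEST_TO_ALL_ACL"""
# Constructed sample: one entry per peer, each with its own ACL (dtlokee's fix).
AFTER = """crypto map WEST_TO_ALL_MAP 1 ipsec-isakmp
 set peer 10.100.0.2
 match address WEST_NORTH_ACL
crypto map WEST_TO_ALL_MAP 2 ipsec-isakmp
 set peer 10.100.0.6
 match address WEST_CENTRAL_ACL
crypto map WEST_TO_ALL_MAP 3 ipsec-isakmp
 set peer 10.100.0.10
 match address WEST_SOUTH_ACL"""
```

Run `audit(parse_crypto_map(BEFORE))` to see the multi-peer finding, and the same on `AFTER` to get an empty list.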
  • SteveO86 Member Posts: 1,423
    Yep that's your answer just change the sequence number in the crypto map.

    crypto map WEST_TO_ALL_MAP 1 ipsec-isakmp
    <Crypto Map stuff here>

    You will also want to have a specific ACL for each crypto map sequence. So break up your existing ACL into 3 separate ACLs and assign each ACL to its own crypto map entry.

    That will allow 3 different VPN tunnels from the 1 site to all 3 remotes without any conflicts.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • phoeneous Member Posts: 2,333
    Fixed! :)

    Thanks to everyone for clarifying!