[c-nsp] Cisco IPSEC Configuration
Andriy Bilous
andriy.bilous at gmail.com
Fri Dec 17 07:48:37 EST 2010
You need a separate access-list for every peer. In your config, all
traffic hitting VPNTRAFF will be matched in crypto map entry 10.
On Fri, Dec 17, 2010 at 1:33 PM, Righa Shake <righa.shake at gmail.com> wrote:
> Chris,
>
> Below is my sample config
>
> !
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> !
> crypto isakmp policy 2
> encr aes 256
> authentication pre-share
>
>
> crypto isakmp key Link1 address X.X.X.X
> crypto isakmp key link2 address Y.Y.Y.Y
> crypto isakmp key link3 address Z.Z.Z.Z
> !
> !
> crypto ipsec transform-set MYCRYPTO1 esp-3des esp-sha-hmac
> crypto ipsec transform-set MYCRYPTO2 esp-aes 256 esp-sha-hmac
> !
> crypto map MYCRYPTOMAP 10 ipsec-isakmp
> set peer X.X.X.X
> set transform-set MYCRYPTO1
> match address VPNTRAFF
> crypto map MYCRYPTOMAP 20 ipsec-isakmp
> set peer Y.Y.Y.Y
> set transform-set MYCRYPTO2
> match address VPNTRAFF
> crypto map MYCRYPTOMAP 30 ipsec-isakmp
> set peer Z.Z.Z.Z
> set transform-set MYCRYPTO2
> match address VPNTRAFF
>
>
>
>
> ip access-list extended VPNTRAFF
> permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
> permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
>
> !
> !
> !
> interface FastEthernet0/1
> description LINK_TO_PROVIDER
> ip address 172.16.1.1 255.255.255.252
> ip virtual-reassembly
> crypto map MYCRYPTOMAP
>
>
>
> On running show crypto sa, I am only seeing the X.X.X.X sessions;
> the other sessions don't appear.
>
> Regards,
> Shake Righa
>
>
>
> On Fri, Dec 17, 2010 at 3:55 AM, Christopher J. Wargaski
> <wargo1 at gmail.com> wrote:
>
>> Hello Shake--
>>
>> There is no problem having several tunnels on the same interface,
>> however, they must be in the same crypto map. Here is an example:
>>
>> crypto map L2L-map 1 ipsec-isakmp
>> description RMS test
>> set peer 11.22.33.44
>> set security-association lifetime seconds 86400
>> set transform-set ESP-AES-256-MD5
>> match address RMS
>> crypto map L2L-map 2 ipsec-isakmp
>> description Chicago DC
>> set peer 66.77.88.99
>> set security-association lifetime seconds 86400
>> set transform-set ESP-AES-256-MD5
>> match address Chicago
>> crypto map L2L-map 3 ipsec-isakmp
>> description Regina HQ
>> set peer 66.44.55.22
>> set security-association lifetime seconds 86400
>> set transform-set ESP-AES-256-MD5
>> match address Regina-HQ
>>
>> ...
>> interface GigabitEthernet0/0
>> description Internet - Outside
>> ip address 33.44.55.66 255.255.255.0
>> ip access-group autosec_firewall_acl in
>> no ip redirects
>> no ip unreachables
>> no ip proxy-arp
>> ip inspect autosec_inspect out
>> ip policy route-map VPN-PBR-map
>> duplex full
>> speed 100
>> no cdp enable
>> no mop enabled
>> crypto map L2L-map
>>
>> Could you post a sanitized copy of your configuration?
>>
>> cjw
>>
>>
>> Date: Thu, 16 Dec 2010 13:55:00 +0300
>>> From: Righa Shake <righa.shake at gmail.com>
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Cisco IPSEC Configuration
>>> Message-ID: <AANLkTi=_1awiokKo3ZKxg+dzMZBSE9_fungROsamS8f1 at mail.gmail.com>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>>
>>> I am having several IPsec configurations on the same interface on a router.
>>>
>>> However, when I run the
>>> show crypto session detail command, I am only seeing a single session and not
>>> the other session I am trying to bring up.
>>>
>>> What could be the problem?
>>>
>>>
>>> Regards,
>>> Shake
>>>
>>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
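A corrected version of the quoted configuration, with one crypto access-list per peer, as an added example (not from the original post or any of the participants). The thread does not say which remote network sits behind which peer, so the subnet-to-peer assignment, the ACL names VPN-TO-X/Y/Z and the third subnet 10.10.12.0/24 for Z.Z.Z.Z are assumptions made for illustration.

```cisco
! Added example, not the poster's config. One ACL per peer; which remote
! subnet belongs to which peer is assumed, and 10.10.12.0/24 is invented so
! that the third entry has its own traffic to match.
ip access-list extended VPN-TO-X
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended VPN-TO-Y
 permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
ip access-list extended VPN-TO-Z
 permit ip 192.168.1.0 0.0.0.255 10.10.12.0 0.0.0.255
!
! Crypto map entries are evaluated in sequence-number order and the first
! ACL match wins. With VPNTRAFF on all three entries, everything matched
! entry 10 and only the X.X.X.X SA was ever negotiated. Each entry now
! matches only the traffic that belongs to its own peer.
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set MYCRYPTO1
 match address VPN-TO-X
crypto map MYCRYPTOMAP 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set MYCRYPTO2
 match address VPN-TO-Y
crypto map MYCRYPTOMAP 30 ipsec-isakmp
 set peer Z.Z.Z.Z
 set transform-set MYCRYPTO2
 match address VPN-TO-Z
!
interface FastEthernet0/1
 crypto map MYCRYPTOMAP
!
! Checks after the change:
!   show crypto map                 - each entry lists its own peer and ACL
!   show crypto ipsec sa            - one SA pair per peer once traffic flows
!   show crypto session detail      - all three peers, not just X.X.X.X
```

Two caveats on the original config that this example keeps as-is: the three ACLs must not overlap, because the ACL is the only thing that steers a packet to a peer (if the same destination genuinely has to be reachable through more than one peer, that is the failover case for several set peer lines inside a single entry, not several entries sharing an ACL); and crypto isakmp policy 2 has no group line, so it falls back to the IOS default of Diffie-Hellman group 1, which is much weaker than the AES-256 it is paired with. Adding group 2 (or stronger) to policy 2 is worth doing at the same time.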