[c-nsp] Cisco IPSEC Configuration

Andriy Bilous andriy.bilous at gmail.com
Fri Dec 17 07:48:37 EST 2010


You need a separate access-list for every peer. In your config all
traffic hitting VPNTRAFF will be matched in crypto map 10.

On Fri, Dec 17, 2010 at 1:33 PM, Righa Shake <righa.shake at gmail.com> wrote:
> Chris,
>
> Below is my sample config
>
> !
> !
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> !
> crypto isakmp policy 2
>  encr aes 256
>  authentication pre-share
>
>
> crypto isakmp key Link1 address X.X.X.X
> crypto isakmp key link2 address Y.Y.Y.Y
> crypto isakmp key link3 address Z.Z.Z.Z
> !
> !
> crypto ipsec transform-set MYCRYPTO1 esp-3des esp-sha-hmac
> crypto ipsec transform-set MYCRYPTO2 esp-aes 256 esp-sha-hmac
> !
> crypto map MYCRYPTOMAP 10 ipsec-isakmp
>  set peer X.X.X.X
>  set transform-set MYCRYPTO1
>  match address VPNTRAFF
> crypto map MYCRYPTOMAP 20 ipsec-isakmp
>  set peer Y.Y.Y.Y
>  set transform-set MYCRYPTO2
>  match address VPNTRAFF
> crypto map MYCRYPTOMAP 30 ipsec-isakmp
>  set peer Z.Z.Z.Z
>  set transform-set MYCRYPTO2
>  match address VPNTRAFF
>
>
>
>
> ip access-list extended VPNTRAFF
>  permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
>  permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
>
> !
> !
> !
> interface FastEthernet0/1
>  description LINK_TO_PROVIDER
>  ip address 172.16.1.1 255.255.255.252
>  ip virtual-reassembly
>  crypto map MYCRYPTOMAP
>
>
>
> On running show crypto sa, I am only seeing the X.X.X.X sessions;
> the other sessions don't appear.
>
> Regards,
> Shake Righa
>
>
>
> On Fri, Dec 17, 2010 at 3:55 AM, Christopher J. Wargaski
> <wargo1 at gmail.com> wrote:
>
>> Hello Shake--
>>
>>    There is no problem having several tunnels on the same interface,
>> however, they must be in the same crypto map. Here is an example:
>>
>> crypto map L2L-map 1 ipsec-isakmp
>>  description RMS test
>>  set peer 11.22.33.44
>>  set security-association lifetime seconds 86400
>>  set transform-set ESP-AES-256-MD5
>>  match address RMS
>> crypto map L2L-map 2 ipsec-isakmp
>>  description Chicago DC
>>  set peer 66.77.88.99
>>  set security-association lifetime seconds 86400
>>  set transform-set ESP-AES-256-MD5
>>  match address Chicago
>> crypto map L2L-map 3 ipsec-isakmp
>>  description Regina HQ
>>  set peer 66.44.55.22
>>  set security-association lifetime seconds 86400
>>  set transform-set ESP-AES-256-MD5
>>  match address Regina-HQ
>>
>>  ...
>> interface GigabitEthernet0/0
>>  description Internet - Outside
>>  ip address 33.44.55.66 255.255.255.0
>>  ip access-group autosec_firewall_acl in
>>  no ip redirects
>>  no ip unreachables
>>  no ip proxy-arp
>>  ip inspect autosec_inspect out
>>  ip policy route-map VPN-PBR-map
>>  duplex full
>>  speed 100
>>  no cdp enable
>>  no mop enabled
>>  crypto map L2L-map
>>
>>      Could you post a sanitized copy of your configuration?
>>
>> cjw
>>
>>
>>> Date: Thu, 16 Dec 2010 13:55:00 +0300
>>> From: Righa Shake <righa.shake at gmail.com>
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Cisco IPSEC Configuration
>>>
>>>
>>> I am having several IPsec configurations on the same interface on a router;
>>> however, when I run the show crypto session detail command I am only seeing
>>> a single session and not the other session I am trying to bring up.
>>>
>>> What could be the problem?
>>>
>>>
>>> Rgrds,
>>> Shake
>>>
>>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
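As an added example, not code from the thread or from any of its participants: a small Python lint that reads crypto map entries in the layout posted above and flags every entry whose `match address` ACL is already used by a lower sequence number of the same map, which is the shadowing Andriy describes. The sample config is constructed from Shake's posting with the same placeholder peer addresses.

```python
# Added example (not from the thread): lint IOS crypto-map entries that share
# one ACL. IOS walks a crypto map in sequence order, so when several entries
# 'match address' the same ACL only the lowest sequence ever builds an SA.
import re
from collections import defaultdict

# Constructed sample, modelled on the config posted in the thread.
SAMPLE_CONFIG = """\
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer X.X.X.X
 match address VPNTRAFF
crypto map MYCRYPTOMAP 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 match address VPNTRAFF
crypto map MYCRYPTOMAP 30 ipsec-isakmp
 set peer Z.Z.Z.Z
 match address VPNTRAFF
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")

def parse_crypto_maps(config):
    """Return {map_name: [{'seq', 'peer', 'acl'}, ...]} ordered by sequence."""
    maps, entry = defaultdict(list), None
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = {"seq": int(m.group(2)), "peer": None, "acl": None}
            maps[m.group(1)].append(entry)
        elif entry is not None and line.startswith(" "):  # sub-command of entry
            words = line.split()
            if words[:2] == ["set", "peer"] and len(words) == 3:
                entry["peer"] = words[2]
            elif words[:2] == ["match", "address"] and len(words) == 3:
                entry["acl"] = words[2]
    return {name: sorted(es, key=lambda e: e["seq"]) for name, es in maps.items()}

def find_shadowed_entries(config):
    """(map, shadowed_seq, winning_seq, acl) for each entry whose ACL is
    already claimed by a lower-sequence entry of the same crypto map."""
    shadowed = []
    for name, entries in parse_crypto_maps(config).items():
        owner = {}  # acl -> lowest sequence number that matches it
        for e in entries:
            if e["acl"] is None:
                continue
            if e["acl"] in owner:
                shadowed.append((name, e["seq"], owner[e["acl"]], e["acl"]))
            else:
                owner[e["acl"]] = e["seq"]
    return shadowed
```

Running `find_shadowed_entries(SAMPLE_CONFIG)` reports sequences 20 and 30 as shadowed by 10; giving each peer its own ACL makes the list empty.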


