[c-nsp] Cisco IPSEC Configuration
Christopher J. Wargaski
wargo1 at gmail.com
Fri Dec 17 10:45:37 EST 2010
Shake--
You are only seeing sessions for MYCRYPTOMAP 10 to X.X.X.X because all
the traffic is matching on that ACL. You should be using a unique ACL for
each tunnel as such:
crypto map MYCRYPTOMAP 10 ipsec-isakmp
set peer X.X.X.X
set transform-set MYCRYPTO1
match address VPNTRAFF-10
crypto map MYCRYPTOMAP 20 ipsec-isakmp
set peer Y.Y.Y.Y
set transform-set MYCRYPTO2
match address VPNTRAFF-20
crypto map MYCRYPTOMAP 30 ipsec-isakmp
set peer Z.Z.Z.Z
set transform-set MYCRYPTO2
match address VPNTRAFF-30
cjw
On Fri, Dec 17, 2010 at 6:33 AM, Righa Shake <righa.shake at gmail.com> wrote:
> Chris,
>
> Below is my sample config
>
> !
> !
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> !
> crypto isakmp policy 2
> encr aes 256
> authentication pre-share
>
>
> crypto isakmp key Link1 address X.X.X.X
> crypto isakmp key link2 address Y.Y.Y.Y
> crypto isakmp key link3 address Z.Z.Z.Z
> !
> !
> crypto ipsec transform-set MYCRYPTO1 esp-3des esp-sha-hmac
> crypto ipsec transform-set MYCRYPTO2 esp-aes 256 esp-sha-hmac
> !
> crypto map MYCRYPTOMAP 10 ipsec-isakmp
> set peer X.X.X.X
> set transform-set MYCRYPTO1
> match address VPNTRAFF
> crypto map MYCRYPTOMAP 20 ipsec-isakmp
> set peer Y.Y.Y.Y
> set transform-set MYCRYPTO2
> match address VPNTRAFF
> crypto map MYCRYPTOMAP 30 ipsec-isakmp
> set peer Z.Z.Z.Z
> set transform-set MYCRYPTO2
> match address VPNTRAFF
>
>
>
>
> ip access-list extended VPNTRAFF
> permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
> permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
>
> !
> !
> !
> interface FastEthernet0/1
> description LINK_TO_PROVIDER
> ip address 172.16.1.1 255.255.255.252
> ip virtual-reassembly
> crypto map MYCRYPTOMAP
>
>
>
> On running show crypto sa
>
> I am only seeing the X.X.X.X sessions;
>
> the other sessions don't appear.
>
> Regards,
> Shake Righa
>
>
>
>
>
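To make the symptom reproducible off-box, here is an added illustration (not code from either poster or from Cisco) that models how IOS walks a crypto map: entries are evaluated in sequence-number order and the first entry whose crypto ACL permits the flow is the one that protects it. Fed the quoted config, every protected flow lands on seq 10 / X.X.X.X, so peers Y and Z never get an SA; fed per-peer ACLs, each flow selects its own entry. The parser handles only the subset of IOS syntax used here, the peer strings X.X.X.X etc. are kept as placeholders, and the mapping of 10.10.10.0/24, 10.10.11.0/24 and an assumed 10.10.12.0/24 to the three peers is an assumption, since the thread never says which subnet is behind which peer.

```python
import ipaddress
import re

# Constructed input: the poster's crypto map with ONE shared crypto ACL.
# ISAKMP policies and transform sets are omitted; they do not influence
# which crypto map entry a packet selects.
SHARED_ACL_CONFIG = """
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer X.X.X.X
 match address VPNTRAFF
crypto map MYCRYPTOMAP 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 match address VPNTRAFF
crypto map MYCRYPTOMAP 30 ipsec-isakmp
 set peer Z.Z.Z.Z
 match address VPNTRAFF
!
ip access-list extended VPNTRAFF
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
"""

# Constructed fix: one crypto ACL per peer.  The subnet-to-peer mapping
# (and the 10.10.12.0/24 behind Z.Z.Z.Z) is assumed for the demo.
SPLIT_ACL_CONFIG = """
crypto map MYCRYPTOMAP 10 ipsec-isakmp
 set peer X.X.X.X
 match address VPNTRAFF-10
crypto map MYCRYPTOMAP 20 ipsec-isakmp
 set peer Y.Y.Y.Y
 match address VPNTRAFF-20
crypto map MYCRYPTOMAP 30 ipsec-isakmp
 set peer Z.Z.Z.Z
 match address VPNTRAFF-30
!
ip access-list extended VPNTRAFF-10
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
ip access-list extended VPNTRAFF-20
 permit ip 192.168.1.0 0.0.0.255 10.10.11.0 0.0.0.255
ip access-list extended VPNTRAFF-30
 permit ip 192.168.1.0 0.0.0.255 10.10.12.0 0.0.0.255
"""


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care


def _addr_spec(tokens):
    """Consume one ACE address spec (any | host A | NET WILDCARD)."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def parse_config(text):
    """Return (acls, maps): ACL name -> ACEs, map name -> list of entries."""
    acls, maps, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"ip access-list extended (\S+)$", line):
            current = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line):
            current = ("map", m.group(1))
            maps.setdefault(m.group(1), []).append(
                {"seq": int(m.group(2)), "peer": None, "acl": None})
        elif current and current[0] == "acl":
            if m := re.match(r"(permit|deny) ip (.+)$", line):
                toks = m.group(2).split()
                src, dst = _addr_spec(toks), _addr_spec(toks)
                acls[current[1]].append((m.group(1), src, dst))
        elif current and current[0] == "map":
            entry = maps[current[1]][-1]
            if m := re.match(r"set peer (\S+)$", line):
                entry["peer"] = m.group(1)
            elif m := re.match(r"match address (\S+)$", line):
                entry["acl"] = m.group(1)
    return acls, maps


def select_entry(config, map_name, src, dst):
    """(seq, peer) of the first crypto map entry whose ACL permits src->dst, else None."""
    acls, maps = parse_config(config)
    for entry in sorted(maps.get(map_name, []), key=lambda e: e["seq"]):
        for action, (snet, swc), (dnet, dwc) in acls.get(entry["acl"], []):
            if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
                if action == "permit":
                    return entry["seq"], entry["peer"]
                break  # deny: this entry does not protect the flow; try the next seq
    return None


if __name__ == "__main__":
    flows = [("192.168.1.1", "10.10.10.5"),
             ("192.168.1.1", "10.10.11.5"),
             ("192.168.1.1", "10.10.12.5")]
    for label, cfg in (("shared ACL", SHARED_ACL_CONFIG), ("per-peer ACLs", SPLIT_ACL_CONFIG)):
        print(label)
        for s, d in flows:
            print(f"  {s} -> {d}: {select_entry(cfg, 'MYCRYPTOMAP', s, d)}")
```

With the shared ACL, 10.10.11.x traffic selects seq 10 and is sent to X.X.X.X rather than Y.Y.Y.Y, which is exactly why only the X.X.X.X SAs show up. After splitting the ACLs, check on the router with show crypto map (each entry should list its own ACL) and show crypto ipsec sa for each peer.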