[c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map

Randy randy_94108 at yahoo.com
Tue Jul 10 19:52:29 EDT 2012


Why am I thinking same security traffic permit intra-interface?
./Randy

--- On Tue, 7/10/12, ar <ar_djp at yahoo.com> wrote:

> From: ar <ar_djp at yahoo.com>
> Subject: [c-nsp] IPSEC Hub and Spoke -  Single crypto profile, Multiple dynamic-map
> To: "cisco-nsp" <cisco-nsp at puck.nether.net>
> Date: Tuesday, July 10, 2012, 4:43 PM
> 
> 
> Hi.
>  
> I am trying to set up a dynamic IPSEC remote access for
> MPLS VPNs.
>  
> Setup is:
>  
> - one 7200 as VPN concentrator
> - multiple remote CPE connected via 3G Internet doing IPSEC
> with the concentrator
>  
> Objective is:
> - Remote CPE LAN to another remote CPE LAN traffic 
> 
>  
> My config is a single Phase 1, but multiple Phase 2.
>  
> Is it possible to have inter-site traffic via the hub using
> the same IPSEC tunnel?
> Or does it have to be a different tunnel per site?
>
> VPN Concentrator Config:
>  
> crypto keyring custC-key vrf FVRF-C
>   pre-shared-key address 0.0.0.0 0.0.0.0 key customerC
>  
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
>  
>  
> crypto isakmp profile custC-profile
>    vrf VRF-C
>    keyring custC-key
>    match identity address 0.0.0.0 FVRF-C
>  
> crypto dynamic-map custC-map 10
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 104
> 
> crypto dynamic-map custC-map 20
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 105
> 
> crypto dynamic-map custC-map 30
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 106
> 
> crypto dynamic-map custC-map 40
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 108
> 
> crypto dynamic-map custC-map 50
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 109
>  
>  
>  Comments?
>  
> thanks
> 


