[c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map
Randy
randy_94108 at yahoo.com
Tue Jul 10 19:52:29 EDT 2012
Why am I thinking same security traffic permit intra-interface?
./Randy
--- On Tue, 7/10/12, ar <ar_djp at yahoo.com> wrote:
> From: ar <ar_djp at yahoo.com>
> Subject: [c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map
> To: "cisco-nsp" <cisco-nsp at puck.nether.net>
> Date: Tuesday, July 10, 2012, 4:43 PM
>
>
> Hi.
>
> I am trying to set up a dynamic IPSEC remote access for
> MPLS VPNs.
>
> Setup is:
>
> - one 7200 as VPN concentrator
> - multiple remote CPE connected via 3G Internet doing IPSEC
> with the concentrator
>
> Objective is:
> - Remote CPE LAN to another remote CPE LAN traffic
>
>
> My config is a single Phase 1, but multiple Phase 2.
>
> Is it possible to have inter-site traffic via the hub using
> the same IPSEC tunnel?
> Or does it have to be a different tunnel per site?
>
> VPN Concentrator Config:
>
> crypto keyring custC-key vrf FVRF-C
> pre-shared-key address 0.0.0.0 0.0.0.0 key customerC
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
>
>
> crypto isakmp profile custC-profile
> vrf VRF-C
> keyring custC-key
> match identity address 0.0.0.0 FVRF-C
>
> crypto dynamic-map custC-map 10
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 104
>
> crypto dynamic-map custC-map 20
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 105
>
> crypto dynamic-map custC-map 30
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 106
>
> crypto dynamic-map custC-map 40
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 108
>
> crypto dynamic-map custC-map 50
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 109
>
>
> Comments?
>
> thanks