[c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map
Charlie Burns
cburns at frontiernetworks.ca
Tue Jul 10 22:04:16 EDT 2012
If your match ACL permits the traffic, you just need reverse route injection on the dynamic-map and redistribute static into MP-BGP.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Randy
Sent: Tuesday, July 10, 2012 7:52 PM
To: cisco-nsp; ar
Subject: Re: [c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map
Why am I thinking same security traffic permit intra-interface?
./Randy
--- On Tue, 7/10/12, ar <ar_djp at yahoo.com> wrote:
> From: ar <ar_djp at yahoo.com>
> Subject: [c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map
> To: "cisco-nsp" <cisco-nsp at puck.nether.net>
> Date: Tuesday, July 10, 2012, 4:43 PM
>
>
> Hi.
>
> I am trying to set up a dynamic IPSEC remote access for
> MPLS VPNs.
>
> Setup is:
>
> - one 7200 as VPN concentrator
> - multiple remote CPE connected via 3G Internet doing IPSEC
> with the concentrator
>
> Objective is:
> - Remote CPE LAN to another remote CPE LAN traffic
>
>
> My config is a single Phase 1, but multiple Phase 2.
>
> Is it possible to have inter-site traffic via the hub using
> the same IPSEC tunnel?
> Or it has to be different tunnel per site?
>
> VPN Concentrator Config:
>
> crypto keyring custC-key vrf FVRF-C
>  pre-shared-key address 0.0.0.0 0.0.0.0 key customerC
>
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
>
> crypto isakmp profile custC-profile
>  vrf VRF-C
>  keyring custC-key
>  match identity address 0.0.0.0 FVRF-C
>
> crypto dynamic-map custC-map 10
>  set transform-set IPSEC
>  set isakmp-profile custC-profile
>  match address 104
>
> crypto dynamic-map custC-map 20
>  set transform-set IPSEC
>  set isakmp-profile custC-profile
>  match address 105
>
> crypto dynamic-map custC-map 30
>  set transform-set IPSEC
>  set isakmp-profile custC-profile
>  match address 106
>
> crypto dynamic-map custC-map 40
>  set transform-set IPSEC
>  set isakmp-profile custC-profile
>  match address 108
>
> crypto dynamic-map custC-map 50
>  set transform-set IPSEC
>  set isakmp-profile custC-profile
>  match address 109
>
>
> Comments?
>
> thanks
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
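The hub-side change suggested in the reply (reverse route injection on each dynamic-map entry, plus static redistribution into MP-BGP for the customer VRF), shown as an added example that is not part of the thread or any poster's configuration. The addressing (10.1.0.0/16 summary, 10.1.1.0/24 and 10.1.2.0/24 spoke LANs), the contents of ACLs 104 and 105, and BGP AS 65000 are constructed assumptions; the thread does not show them.

```cisco
! Constructed addressing (assumption, not from the thread):
!   spoke 1 LAN 10.1.1.0/24, spoke 2 LAN 10.1.2.0/24, customer summary 10.1.0.0/16
!   BGP AS 65000 is a placeholder; the rd and route-targets for VRF-C are assumed
!   to be configured already.
!
! Hub crypto ACLs: local proxy = customer summary, remote proxy = that spoke's LAN.
! Each spoke mirrors its entry (permit ip <own LAN> 10.1.0.0 0.0.255.255), so
! traffic for another spoke's LAN is selected into the existing tunnel to the hub.
access-list 104 permit ip 10.1.0.0 0.0.255.255 10.1.1.0 0.0.0.255
access-list 105 permit ip 10.1.0.0 0.0.255.255 10.1.2.0 0.0.0.255
!
crypto dynamic-map custC-map 10
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 104
 ! Install a static route to the remote proxy (10.1.1.0/24) while the SA is up
 reverse-route
!
crypto dynamic-map custC-map 20
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 105
 ! Same for spoke 2 (10.1.2.0/24)
 reverse-route
!
router bgp 65000
 address-family ipv4 vrf VRF-C
  ! Advertise the RRI statics to the rest of the MPLS VPN
  redistribute static
 exit-address-family
!
! Checks once both spokes have connected:
!  show crypto ipsec sa
!  show ip route vrf VRF-C static
!  show ip bgp vpnv4 vrf VRF-C
```

If a spoke's crypto ACL names only the hub-side networks and not the other spokes' LANs, inter-spoke packets never match its tunnel, which is the condition the reply attaches to "if your match ACL permits the traffic".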