[c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map

ar ar_djp at yahoo.com
Wed Jul 11 01:15:57 EDT 2012


Yes. Basically I don't have any problems with routing.
I just encountered intermittency in my simulation.
So by design and theory, I want to confirm if Single profile, multiple dynamic phase2 will work.
So CPE router1 will transmit data to VPN Concentrator via IPSEC tunnel,
Then VPN concentrator will forward data to CPE router2 via the same IPSEC tunnel.
Same Phase 1, different Phase 2.
I would like to confirm if different tunnels are required in order to forward traffic from one remote CE to another remote CE.



________________________________
 From: Charlie Burns <cburns at frontiernetworks.ca>
To: Randy <randy_94108 at yahoo.com>; cisco-nsp <cisco-nsp at puck.nether.net>; ar <ar_djp at yahoo.com> 
Sent: Wednesday, July 11, 2012 12:04 PM
Subject: RE: [c-nsp] IPSEC Hub and Spoke -  Single crypto profile, Multiple dynamic-map
 
If your match acl permits the traffic you just need reverse route injection on the dynamic-map and redistribute static into MP-BGP.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Randy
Sent: Tuesday, July 10, 2012 7:52 PM
To: cisco-nsp; ar
Subject: Re: [c-nsp] IPSEC Hub and Spoke - Single crypto profile, Multiple dynamic-map

why am I thinking same security traffic permit intra-interface
./Randy

--- On Tue, 7/10/12, ar <ar_djp at yahoo.com> wrote:

> From: ar <ar_djp at yahoo.com>
> Subject: [c-nsp] IPSEC Hub and Spoke -  Single crypto profile, Multiple dynamic-map
> To: "cisco-nsp" <cisco-nsp at puck.nether.net>
> Date: Tuesday, July 10, 2012, 4:43 PM
> 
> 
> Hi.
>  
> I am trying to setup a dynamic IPSEC  remote access for
> MPLS VPNs.
>  
> Setup is:
>  
> - one 7200 as VPN concentrator
> - multiple remote CPE connected via 3G Internet doing IPSEC
> with the concentrator
>  
> Objective is:
> - Remote CPE LAN to another remote CPE LAN traffic 
> 
>  
> My config is a single Phase 1, but multiple Phase 2.
>  
> Is it possible to have inter-site traffic via the hub using
> the same IPSEC tunnel?
> Or it has to be different tunnel per site?
> 
> 
>  
>  
>  
> VPN Concentrator Config:
>  
> crypto keyring custC-key vrf FVRF-C
>   pre-shared-key address 0.0.0.0 0.0.0.0 key customerC
>  
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
>  
>  
> crypto isakmp profile custC-profile
>    vrf VRF-C
>    keyring custC-key
>    match identity address 0.0.0.0 FVRF-C
>  
> crypto dynamic-map custC-map 10
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 104
> 
> crypto dynamic-map custC-map 20
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 105
> 
> crypto dynamic-map custC-map 30
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 106
> 
> crypto dynamic-map custC-map 40
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 108
> 
> crypto dynamic-map custC-map 50
> set transform-set IPSEC
> set isakmp-profile custC-profile
> match address 109
>  
>  
>  Comments?
>  
> thanks
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 

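As an added illustration (not configuration posted by anyone in this thread) of the hub-side pieces Charlie's reply refers to: each dynamic-map entry carries `reverse-route` so the spoke's negotiated proxy identity is injected as a static route into the inside VRF, and the VRF address-family in MP-BGP redistributes those statics so other PEs learn the spoke LANs. The `match address` ACL must also permit spoke-LAN-to-spoke-LAN flows, because spoke2-to-spoke1 traffic is decrypted at the hub and re-encrypted under spoke1's SA on the same interface. The prefixes, ACL contents, interface, AS number and crypto-map name below are constructed examples; the keyring, profile, dynamic-map and VRF names follow the original post.

```cisco
! Hub (VPN concentrator) fragment -- constructed example, not the poster's config.
! Assumed addressing: spoke1 LAN 10.1.1.0/24, hub-side and all spoke LANs inside 10.0.0.0/8.
!
! Hub-side proxy for spoke1: "anything in 10/8" to the spoke1 LAN, so the same
! ACL covers hub-to-spoke traffic and hairpinned spoke-to-spoke traffic.
! The spoke must mirror this (10.1.1.0/24 -> 10.0.0.0/8) or Phase 2 will fail.
access-list 104 permit ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
!
crypto dynamic-map custC-map 10
 set transform-set IPSEC
 set isakmp-profile custC-profile
 match address 104
 reverse-route          ! RRI: installs 10.1.1.0/24 as a static route when the SA comes up
!
! The dynamic map is only usable once attached to a crypto map that is applied
! to the interface facing the spokes (the front-door VRF FVRF-C in the thread).
crypto map custC-cmap 10 ipsec-isakmp dynamic custC-map
!
interface GigabitEthernet0/0
 ip vrf forwarding FVRF-C
 crypto map custC-cmap
!
! Redistribute the RRI statics from the inside VRF into MP-BGP (ASN is a placeholder).
router bgp 65000
 address-family ipv4 vrf VRF-C
  redistribute static
```

With this in place spoke2-to-spoke1 packets leave and re-enter GigabitEthernet0/0 on the hub; IOS routers hairpin such traffic without a further knob, whereas `same-security-traffic permit intra-interface` that Randy mentions is the equivalent setting on the ASA platform.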


