<div>
Here it is. Also, can you tell me how on the branch side, if the VPN tunnel is down, how can I allow the connection to allow traffic out so that users can browse the Internet, etc.? 
 
!This is the running config of the router: 10.10.8.1 
!---------------------------------------------------------------------------- 
!version 12.4 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname CORP_VPN 
! 
boot-start-marker 
boot-end-marker 
! 
logging buffered 52000 debugging 
enable secret 5 xxxx 
enable password xxxxx 
! 
no aaa new-model 
clock timezone NewYork -5 
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00 
ip cef 
! 
! 
ip auth-proxy max-nodata-conns 3 
ip admission max-nodata-conns 3 
! 
! 
ip domain name ga.local 
ip name-server 12.x.16.x 
ip name-server 12.x.17.x 
! 
! 
! 
username xxxxxxx 
! 
! 
! 
! 
crypto isakmp policy 2 
encr 3des 
hash md5 
authentication pre-share 
group 5 
crypto isakmp key xxxxx address 173.x.x.237 no-xauth 
crypto isakmp key xxxxx address 173.x.x.125 no-xauth 
! 
! 
crypto ipsec transform-set MD5 esp-3des esp-md5-hmac 
! 
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Tunnel to 173.x.x.125 
set peer 173.x.x.125 
set security-association lifetime seconds 28800 
set security-association idle-time 28800 
set transform-set MD5 
set pfs group5 
match address 100 
reverse-route 
crypto map SDM_CMAP_1 2 ipsec-isakmp 
description Tunnel to 173.x.x.237 
set peer 173.x.x.237 
set security-association lifetime seconds 28800 
set security-association idle-time 28800 
set transform-set MD5 
set pfs group5 
match address 101 
reverse-route 
! 
! 
! 
interface FastEthernet0/0 
ip address 12.x.x.34 255.255.255.248 
duplex auto 
speed auto 
crypto map SDM_CMAP_1 
! 
interface FastEthernet0/1 
ip address 10.10.8.1 255.255.0.0 
speed auto 
full-duplex 
no mop enabled 
! 
ip forward-protocol nd 
ip route 0.0.0.0 0.0.0.0 12.x.x.33 
! 
ip http server 
no ip http secure-server 
! 
access-list 100 remark SDM_ACL Category=4 
access-list 100 permit ip 10.10.0.0 0.0.255.255 10.252.0.0 0.0.255.255 
access-list 101 remark SDM_ACL Category=4 
access-list 101 remark IPSec Rule 
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.253.0.0 0.0.255.255 
snmp-server community gasread RO 
! 
! 
control-plane 
! 
! 
line con 0 
line aux 0 
line vty 0 4 
password xxxxx 
login 
! 
scheduler allocate 20000 1000 
end 

</div>

<div>
I have it working. Thanks! 
 
Can you tell me how to nat the connection so that when/if the tunnel goes down, we can allow the office to still get to the Internet. I just a need a general idea of what to do, and I will get it working in my lab. 
 
You helped me with this problem with your original answer because not knowing VPN very well, I had the tunnel simply set up with &quot;peers&quot; of the two sites. So, with one tunnel I had both peers trying to connect through the same tunnel, doh! 
 
That obviously didn't work because I didn't understand the concept of peers, so when I created the second tunnel instead, I still had the peer setup in the config. As soon as you mentioned overlapping, I fixed it. The above config was posted here after I deleted the peer. Way to catch an easy rookie mistake JFrederick29!
</div>

<div>
That config looks okay, can you provide the branch configs? 
 
Based on your config, the branch Internet should be using the local ISP connection. &nbsp;The problem may lie with DNS if you are providing your branch PC's with internal DNS servers and the tunnel is down. &nbsp;Chances are though, if the tunnel is down, so is your Internet except for the rare occasion that the headend router is down. &nbsp;You would need to change your PC's DNS servers to your ISP's in a tunnel failure situation.
</div>

<div>
Excellent. &nbsp;Glad to help. &nbsp;I posted right after you did.
</div>

<div>
Thanks for the DNS tip. Couldn't I simply just add an external DNS server as a third entry locally on the branch machines? Anyhow, points forthcoming!
</div>

<div>
&gt;Couldn't I simply just add an external DNS server as a third entry locally on the branch machines? 
 
Logic would say yes but unfortunately no as Windows will move between DNS servers as they fail and stick with a particular DNS server in the client list. &nbsp;So, if you lose the tunnel and the client is now using the ISP DNS server, when the tunnel comes back up, they won't be able to resolve anything internally as the queries will be sent to the ISP DNS server still. &nbsp;Only until the ISP DNS server failed, would the client start using the internal DNS servers. &nbsp;Never tried this but you could add the ISP DNS server as a 3rd server but explicitly block outbound DNS to your ISP's DNS servers on the router and when the tunnel fails, remove the block and then when the tunnel is back up, block it again. &nbsp;That should work.
</div>

<div>
<div class="content wysiwyg-content">
Hello experts. 
 
Currently, I have two IPSEC site-to-site VPNs which have been setup via the SDM. On the main office router I have two crypto maps named SDM_CMAP_1 1 and SDM_CMAP_1 2. These two maps have identical information except the &quot;match ip address&quot; line which is 100 and 101. 
 
SDM_CMAP_1 1 = match ip address 100 
SDM_CMAP_1 2 = match ip address 101 
 
On the external interface I have &quot;crypto map SDM_CMAP_1&quot;. This doesn't have the sequence number associated with it. The tunnel under the SDM_CMAP_1 1 is up and running, but SDM_CMAP_1 2 is not. 
 
Depending on the crypto map &quot;SDM_CMAP_1 1&quot; being assigned to a specific crypto map, the tunnel with this assigned comes up, and the other goes down. So, how can I bring both tunnels up at the same time? 
 
Thanks for the help! 
 

</div>
</div>

Hello experts.

Currently, I have two IPSEC site-to-site VPNs which have been setup via the SDM. On the main office router I have two crypto maps named SDM_CMAP_1 1 and SDM_CMAP_1 2. These two maps have identical information except the "match ip address" line which is 100 and 101.

SDM_CMAP_1 1 = match ip address 100
SDM_CMAP_1 2 = match ip address 101

On the external interface I have "crypto map SDM_CMAP_1". This doesn't have the sequence number associated with it. The tunnel under the SDM_CMAP_1 1 is up and running, but SDM_CMAP_1 2 is not. 

Depending on the crypto map "SDM_CMAP_1 1" being assigned to a specific crypto map, the tunnel with this assigned comes up, and the other goes down. So, how can I bring both tunnels up at the same time? 

Thanks for the help!



Crypto Map Sequence Number / Peers

A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or travelling users access to a central organizational network securely. VPNs encapsulate data transfers using secure cryptographic methods and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

A router is a networking device that forwards data packets between computer networks. Routers perform the "traffic directing" functions on the Internet. The most familiar type of routers are home and small office cable or DSL routers that simply pass data, such as web pages, email, IM, and videos between computers and the Internet. More sophisticated routers, such as enterprise routers, connect large business or ISP networks up to the powerful core routers that forward data at high speed along the optical fiber lines of the Internet backbone. Though routers are typically dedicated hardware devices, use of software-based routers has grown increasingly common.