• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 760
  • Last Modified:

Multiple crypto maps on WAN interface

We have ipsec tunnels set for a vendor and the crypto map is set on the WAN interface. We want to have another tunnel to different vendor, is there a way to set multiple IPSEC tunnel on one interface?

Thanks;
0
totaram
Asked:
totaram
  • 4
  • 2
1 Solution
 
uescompCommented:
Yes you can have multiple VPN tunnels on one interface, but  you can only use one crypto map.  You get around this by using multiple statements, one for each tunnel.  So the first tunnel would be:

crypto map MAP_NAME 1 ipsec-isakmp

and the second one would be

cyrpto map MAP_NAME 2 ipsec-isakmp

0
 
totaramAuthor Commented:
Can one use different transform set within each tunnel? Also, please let me know if where exactly the isakmp policy is used? I have the following policy defined:

Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit

but where does it take an affect???? I define the crypto map with interface, but crypto map does not have any mention of the policy.
0
 
uescompCommented:
http://www.routergeek.net/content/view/50/37/

This is the guide that I used to set up my tunnels.  We have three site to site tunnels in a hub a spoke configuration.  The note at the bottom of the article explains how to modify the config for multiple tunnels on the same interface.  Basically your are creating two crypto maps with the same name but different priorities.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
totaramAuthor Commented:
I understand the guide, my issue is what do I need to do if I need to change step 1 too ? ( I see that note ask us repeat 2-7). Should I just keep going on as usual (two crypto maps with same name, but different priorities)?
0
 
kuohCommented:
I'm not sure why that guide ties policy number 9 to pre-shared key usage.  You can repeat step 1 and use the parameters you need, just with a different policy number.  Negotiation starts with the lowest policy number until a match is found.  The following should work for what you specified.

crypto isakmp policy 10
encryption 3des
hash sha
group 2
lifetime 28800
authentication pre-share


0
 
totaramAuthor Commented:
OK.. I added a new crypto map entry with different (lesser) priority to the same map. Is it automatic that the new policy will kick or do I need to take off the cypto map association to the gi interface (WAN link) and add it back? I did not want to disturb the existing ipsec tunnels with other customer.
0
 
totaramAuthor Commented:
Never mind, the issue has been sorted.
0

Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now