Connect Cisco 1760 to multiple sites VIA IPSEC

sean-keys
Hi, I have three sites; A and B are connected via an IPSec VPN. What I want to do is connect site A to site C too. I tried creating another transform, but it doesn't seem that I can apply more than one transform to the external interface. Can I set multiple peers and ACLs in one map? How else can I do this?


crypto map aesmap 10 ipsec-isakmp
 set peer site-B-ip-address
 set security-association lifetime seconds 86400
 set transform-set aesset
 set pfs group5
 match address 103
!
interface BVI1
 ip address xxxxxx
 ip nat outside
 ip virtual-reassembly
 crypto map aesmap
!

Network Architect
Commented:
You need to use a sequential crypto map.  The "10" in the crypto map statement is an order identifier.  You can add additional sets of statements under the same name with different numbers, typically 20, 30, etc.  You can use the same transform set or a different one.
Ernie Beek, Senior infrastructure engineer (Top Expert 2012)
Commented:
Correct, add something like:

crypto map aesmap 20 ipsec-isakmp
 set peer site-C-ip-address
 set security-association lifetime seconds 86400
 set transform-set aesset
 set pfs group5
 match address 104

Where list 104 matches the traffic to the C site.
Also don't forget to exempt that traffic from NAT.

Author
Commented:
I'll give that a shot, thx guy. BBL

Ernie Beek, Senior infrastructure engineer (Top Expert 2012)
Commented:
Let us know how far you get (but of course you will ;).

Author
Commented:
I think I have everything correct, but I can't seem to ping from Site A to C or C to A. I'm using the ping command from workstations behind the routers, as I know that if you ping from within the router it won't generate traffic that matches the transform ACL.

Did I miss something simple, or am I fully retarded?


Site A
Building configuration...

Current configuration : 3060 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TXCONLAB-RTR0
!
boot-start-marker
boot-end-marker
!
enable secret 
enable password 
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
regexp optimize
ip cef    
!         
!         
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.15.1 10.10.15.50
!         
ip dhcp pool vlan50
   network 10.10.15.0 255.255.255.0
   bootfile OS79XX.TXT
   default-router 10.10.15.1 
   dns-server 8.8.8.8 
   domain-name 
   option 150 ip 10.10.15.10 
!         
ip dhcp pool exclude-address
!         
!         
no ip domain lookup
ip domain name 
vpdn enable
!         
!         
!         
!         
!         
username root privilege 15 password 7 
!         
!         
!         
!         
crypto isakmp policy 10
 encr 3des
 hash md5 
 authentication pre-share
 group 5  
!         
crypto isakmp policy 20
 encr 3des
 hash md5 
 authentication pre-share
 group 5  
crypto isakmp key sharedKey address Site B
crypto isakmp key sharedKey address Site C
crypto isakmp keepalive 1024
!         
!         
crypto ipsec transform-set aesset esp-3des esp-sha-hmac 
!         
crypto map aesmap 10 ipsec-isakmp 
 set peer Site B
 set security-association lifetime seconds 86400
 set transform-set aesset 
 set pfs group5
 match address 103
crypto map aesmap 20 ipsec-isakmp 
 set peer Site C
 set security-association lifetime seconds 86400
 set transform-set aesset 
 set pfs group5
 match address 104
!         
bridge irb
!         
!         
interface ATM0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto 
!         
interface ATM0/0.1 point-to-point
 bridge-group 1
 pvc 0/35 
  encapsulation aal5snap
 !        
!         
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!         
interface FastEthernet0/0.20
!         
interface FastEthernet0/0.50
 encapsulation dot1Q 50 native
 ip address 10.10.15.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!         
interface FastEthernet0/0.150
 encapsulation dot1Q 150
 ip address 172.16.15.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!         
interface Dialer0
 no ip address
!         
interface BVI1
 ip address public IP
 ip nat outside
 ip virtual-reassembly
 crypto map aesmap
!         
ip default-gateway public IP
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 public IP
!         
no ip http server
no ip http secure-server
ip nat inside source list acl_nat interface BVI1 overload
!         
ip access-list extended acl_nat
 permit ip 172.16.15.0 0.0.0.255 any
 deny   ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 10.10.15.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.15.0 0.0.0.255 any
!         
access-list 103 permit ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip 10.10.15.0 0.0.0.255 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!         
control-plane
!         
bridge 1 protocol ieee
bridge 1 route ip
!         
line con 0
line aux 0
line vty 0 4
 password 7 
!         
end  

Site C
Building configuration...

Current configuration : 2497 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TXCON02-rtr0
!
boot-start-marker
boot-end-marker
!
enable secret 5 
enable password 7 
!
aaa new-model
!
!
aaa authentication ppp default local
!
aaa session-id common
regexp optimize
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.50
!
ip dhcp pool vlan50
   network 10.10.10.0 255.255.255.0
   bootfile OS79XX.TXT
   default-router 10.10.10.1 
   dns-server 8.8.8.8 
   domain-name router.domain.com
   option 150 ip 10.10.10.10 
!         
!         
no ip domain lookup
ip domain name router.domain.com
vpdn enable
!         
!         
!         
!         
!         
username root privilege 15 password 7 
!         
!         
!         
!         
crypto isakmp policy 10
 encr 3des
 hash md5 
 authentication pre-share
 group 5  
crypto isakmp key sharedKey address SiteA
crypto isakmp keepalive 1024
!         
!         
crypto ipsec transform-set aesset esp-3des esp-sha-hmac 
!         
crypto map aesmap 10 ipsec-isakmp 
 set peer Site A
 set security-association lifetime seconds 86400
 set transform-set aesset 
 set pfs group5
 match address 103
!         
bridge irb
!         
!         
interface Ethernet0/0
 ip address public IP
 ip nat outside
 ip virtual-reassembly
 full-duplex
 crypto map aesmap
!         
interface FastEthernet0/0
 no ip address
 speed 100
 full-duplex
!         
interface FastEthernet0/0.20
!         
interface FastEthernet0/0.50
 encapsulation dot1Q 50 native
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!         
interface FastEthernet0/0.150
 encapsulation dot1Q 150
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!         
interface Dialer0
 no ip address
 shutdown 
!         
interface BVI1
 ip address dhcp
 ip virtual-reassembly
 shutdown 
!         
ip default-gateway public IP
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 public IP
!         
no ip http server
no ip http secure-server
ip nat inside source list acl_nat interface Ethernet0/0 overload
!         
ip access-list extended acl_nat
 permit ip 172.16.10.0 0.0.0.255 any
 deny   ip 10.10.10.0 0.0.0.255 10.10.15.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!         
access-list 103 permit ip 10.10.10.0 0.0.0.255 10.10.15.0 0.0.0.255
dialer-list 1 protocol ip permit
!         
control-plane
!         
bridge 1 protocol ieee
bridge 1 route ip
!         
line con 0
line aux 0
line vty 0 4
 password 7 
!         
end

Commented:
It looks like you're missing the second half of your crypto map. The first part, with entry point 10, should be the one that goes to Site B. So you need to verify that your "set peer" is indeed to Site B. You then need a crypto map entry for site C.


crypto map aesmap 20 ipsec-isakmp
 set peer Site C
 set security-association lifetime seconds 86400
 set transform-set aesset
 set pfs group5
 match address 104
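
The advice in this thread comes down to two checks: every `crypto map <name> <seq>` entry needs its own peer, transform set and `match address` ACL (with the map applied once to the outside interface), and the NAT source list must deny the crypto ACL's traffic before a broader `permit` would translate it. The script below is an added example, not code from the thread, Experts Exchange or Cisco; it lints a config in the style posted above against exactly those points. The embedded config is constructed from the Site A configuration, with the RFC 5737 addresses, the extra `aesmap 30` entry and the missing ACL 105 inserted deliberately so that the linter has something to report. Matching of the NAT list is first-match with full containment only, so a NAT entry that overlaps the crypto traffic only partially is not detected.

```python
"""Lint Cisco IOS crypto map entries and their NAT exemption (added example).

Reports: map entries missing peer/transform-set/match, match ACLs that do not
exist, a map not applied to any interface, and crypto-ACL traffic that the NAT
source list would still translate (first-match, full containment only).
"""
import ipaddress
import re

# Constructed sample modelled on the Site A config in the thread. Entry 20 has
# no NAT exemption for its traffic and entry 30 references an ACL that is absent.
SAMPLE_CONFIG = """\
crypto map aesmap 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set aesset
 match address 103
crypto map aesmap 20 ipsec-isakmp
 set peer 203.0.113.3
 set transform-set aesset
 match address 104
crypto map aesmap 30 ipsec-isakmp
 set peer 203.0.113.4
 set transform-set aesset
 match address 105
interface BVI1
 ip nat outside
 crypto map aesmap
ip nat inside source list acl_nat interface BVI1 overload
ip access-list extended acl_nat
 permit ip 172.16.15.0 0.0.0.255 any
 deny   ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.10.15.0 0.0.0.255 any
access-list 103 permit ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 104 permit ip 10.10.15.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

ANY = ("0.0.0.0", "255.255.255.255")


def _addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (tok, tokens.pop(0))


def parse_ace(action, rest):
    """Turn 'permit ip SRC DST' into (action, (src, wc), (dst, wc))."""
    tokens = rest.split()
    return (action, _addr(tokens), _addr(tokens))


def covers(outer, inner):
    """True if the (network, wildcard) range outer contains all of inner."""
    o_net, o_wc = (int(ipaddress.IPv4Address(x)) for x in outer)
    i_net, i_wc = (int(ipaddress.IPv4Address(x)) for x in inner)
    fixed = ~o_wc & 0xFFFFFFFF  # bits the outer range pins down
    return (o_wc | i_wc) == o_wc and (o_net & fixed) == (i_net & fixed)


def parse_config(text):
    maps, acls, applied, nat_lists = {}, {}, {}, []
    section = None
    for raw in text.splitlines():
        if not raw.startswith(" "):  # a new top-level command
            section, line = None, raw.strip()
            if m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
                section = ("map", (m[1], int(m[2])))
                maps[section[1]] = {}
            elif m := re.match(r"interface (\S+)", line):
                section = ("intf", m[1])
            elif m := re.match(r"ip access-list extended (\S+)", line):
                section = ("acl", m[1])
                acls.setdefault(m[1], [])
            elif m := re.match(r"access-list (\d+) (permit|deny)\s+ip\s+(.+)", line):
                acls.setdefault(m[1], []).append(parse_ace(m[2], m[3]))
            elif m := re.match(r"ip nat inside source list (\S+) interface", line):
                nat_lists.append(m[1])
            continue
        if section is None:
            continue
        kind, key = section
        body = raw.strip()
        if kind == "map":
            if m := re.match(r"set peer (\S+)", body):
                maps[key]["peer"] = m[1]
            elif m := re.match(r"set transform-set (\S+)", body):
                maps[key]["transform-set"] = m[1]
            elif m := re.match(r"match address (\S+)", body):
                maps[key]["match"] = m[1]
        elif kind == "intf":
            if m := re.match(r"crypto map (\S+)$", body):
                applied[key] = m[1]
        elif kind == "acl":
            if m := re.match(r"(permit|deny)\s+ip\s+(.+)", body):
                acls[key].append(parse_ace(m[1], m[2]))
    return maps, acls, applied, nat_lists


def nat_verdict(nat_aces, src, dst):
    """First NAT entry that fully contains src->dst decides; implicit deny otherwise."""
    for action, a_src, a_dst in nat_aces:
        if covers(a_src, src) and covers(a_dst, dst):
            return action
    return "deny"


def lint(text):
    maps, acls, applied, nat_lists = parse_config(text)
    findings = []
    for name in sorted({n for n, _ in maps}):
        if name not in applied.values():
            findings.append(f"crypto map {name} is not applied to any interface")
    for (name, seq), cfg in sorted(maps.items()):
        tag = f"crypto map {name} {seq}"
        findings += [f"{tag}: missing {f}" for f in ("peer", "transform-set", "match") if f not in cfg]
        acl = cfg.get("match")
        if acl is None:
            continue
        if acl not in acls:
            findings.append(f"{tag}: match address {acl} refers to a missing ACL")
            continue
        for nat_acl in nat_lists:
            for action, src, dst in acls[acl]:
                if action == "permit" and nat_verdict(acls.get(nat_acl, []), src, dst) != "deny":
                    findings.append(f"{tag}: {src[0]}->{dst[0]} from ACL {acl} is still NATed by list {nat_acl}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed config it reports two findings: entry 20's 10.10.15.0 to 10.10.10.0 traffic is still caught by the trailing `permit ip 10.10.15.0 0.0.0.255 any` in `acl_nat` (the situation the "exempt that traffic from nat" advice warns about), and entry 30 points at ACL 105, which does not exist. Feed it the output of `show running-config` from either router to get the same checks against a real box.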

Author
Commented:
thx guys, not sure why it took so long to start working...
