Cisco 2800 - Multiple VPNs Using Virtual-Template

Discussion in 'Cisco' started by AdrianT, Dec 7, 2006.

    AdrianT (Guest)

    Hello List,

    I have a question related to the way of setting up multiple VPNs using
    virtual-template configuration (Cisco calls this Dynamic VPN): how can
    I make my configuration a "spoke" type VPN rather than "hub" type
    without using "crypto map" on the physical interface?
    Here is how it works now (the VPN hub config):

    !!! the VPN hub config
    !
    crypto keyring PSKs
    pre-shared-key address <peer_ip> key 6 ************
    !
    crypto isakmp profile ISAKMP_Profile
    keyring PSKs
    self-identity address
    match identity address <peer_ip> 255.255.255.255
    virtual-template 1
    !
    crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
    !
    crypto ipsec profile IPSEC_Profile
    set transform-set Transform_Set
    set isakmp-profile ISAKMP_Profile
    !
    interface Loopback1007
    description This is a public IP address from a range routed via my gateway IP address (see below)
    ip address <my_VPN-hub_ip> 255.255.255.255
    no ip redirects
    !
    interface Multilink1
    description This is my gateway IP address facing the ISP
    ip address <my_public_IP> 255.255.255.252
    no ip redirects
    no ip unreachables
    ip nbar protocol-discovery
    ip nat outside
    ip virtual-reassembly
    rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
    ip route-cache flow
    no cdp enable
    ppp multilink
    ppp multilink fragment delay 20
    ppp multilink interleave
    ppp multilink group 1
    ppp multilink multiclass
    service-policy output qos_pm-outbound
    !
    interface Serial0/0/0
    description 1st Serial Interface to ISP
    bandwidth 2048
    no ip address
    encapsulation ppp
    ip route-cache flow
    no fair-queue
    ppp multilink
    ppp multilink group 1
    !
    interface Serial0/0/1
    description 2nd Serial Interface to ISP
    bandwidth 2048
    no ip address
    encapsulation ppp
    ip route-cache flow
    no fair-queue
    ppp multilink
    ppp multilink group 1
    !
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1007
    ip access-group vpn_acl-tunnel-encr-in in
    ip access-group vpn_acl-tunnel-encr-out out
    ip mtu 1400
    ip route-cache flow
    tunnel source Loopback1007
    tunnel mode ipsec ipv4
    tunnel sequence-datagrams
    tunnel checksum
    tunnel path-mtu-discovery
    tunnel protection ipsec profile IPSEC_Profile
    service-policy output qos_pm-VPN
    !
    ip access-list extended vpn_acl-tunnel-encr-in
    permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
    !
    ip access-list extended vpn_acl-tunnel-encr-out
    permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255


    !!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators)
    !!! all follow the standard crypto map config on the physical interface.
    !!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt

    It is obvious that with my router configured as a VPN hub, if the
    tunnel dies, I need to wait for the peer to reset the tunnel; all this
    time my clients in my network are not able to access the remote sites.
    The reason to use the virtual-template interfaces as opposed to the
    traditional "crypto map" way is that my peers do not want to share the
    same VPN end-point between themselves (different companies altogether)
    and they are very strict in regards to ACLs. As I don't have
    a VPN device for each one of them and their number increases (I have 5
    separate tunnels right now with potential growth to 15 in the next 3
    months), I need to find a way to get rid of the hub config on my end (I
    did not have much choice there when I migrated to this platform from a
    Linux box).

    Pros for the Virtual-Template:
    - separate QoS for each tunnel
    - ACLs configured directly on the tunnel interface (greater flexibility)
    - tunnel end-point IP address can be part of a range BGP advertised via
    multiple ISP links

    Cons:
    - hub config, the tunnel needs to be reset by the peer

    Any help is very much appreciated. Thank you,
    Adrian
     
    AdrianT, Dec 7, 2006
    #1
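Added example (not part of AdrianT's post or of any reply in the thread): the configuration below keeps the same keyring, ISAKMP profile and IPsec profile from the post but replaces the dynamic virtual-template with one static Virtual Tunnel Interface (sVTI) per peer. A static VTI has a fixed `tunnel destination`, so this router can bring the IPsec SA up on its own when local traffic is routed into the tunnel, which removes the "wait for the peer to reset the tunnel" dependency while keeping per-tunnel ACLs, QoS and the loopback-based endpoint. `<peer_ip>`, `Loopback1007`, the ACL names and `qos_pm-VPN` are carried over from the post; `Tunnel1`, the DPD timers and the 172.20.40.0/24 route (taken from the post's ACL) are assumptions for illustration.

```cisco
! Added example, not the poster's configuration: one static VTI per peer.
! Placeholders (<peer_ip>) and names (Loopback1007, IPSEC_Profile, ACLs)
! reuse the post's config; Tunnel1 and the timers are assumed here.
!
! Keyring, transform set and IPsec profile stay exactly as posted.
! The ISAKMP profile no longer points at a virtual-template, because the
! tunnel is now a fixed interface that this router can initiate.
crypto isakmp profile ISAKMP_Profile
 keyring PSKs
 self-identity address
 match identity address <peer_ip> 255.255.255.255
!
! Dead Peer Detection (assumed timers: probe every 10 s, retry every 3 s)
! lets this side notice a dead SA and renegotiate instead of waiting.
crypto isakmp keepalive 10 3 periodic
!
interface Tunnel1
 description sVTI to peer A - fixed destination, so this router can initiate
 ip unnumbered Loopback1007
 ip access-group vpn_acl-tunnel-encr-in in
 ip access-group vpn_acl-tunnel-encr-out out
 ip mtu 1400
 tunnel source Loopback1007
 tunnel destination <peer_ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_Profile
 service-policy output qos_pm-VPN
!
! Routing the remote network into the tunnel is what triggers (re)negotiation
! from this side; 172.20.40.0/24 is the remote network from the post's ACL.
ip route 172.20.40.0 255.255.255.0 Tunnel1
```

Each additional peer gets its own `interface TunnelN` with its own `tunnel destination`, ACL pair and service-policy, so the per-peer separation the post lists as a pro is preserved. One caveat to confirm with every peer that stays on a crypto map: a VTI negotiates its IPsec proxy identities as any/any (0.0.0.0/0 to 0.0.0.0/0), so the peer's crypto ACL must accept that selector, otherwise the quick-mode negotiation this router initiates will be rejected even though the same peer was happy responding into the virtual-template.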