Hello List,
I have a question related to the way of setting up multiple VPNs using virtual-template configuration (Cisco calls this Dynamic VPN): how can I make my configuration to be a "spoke" type VPN rather than "hub" type without using "crypto map" on the physical interface? Here is how it works now (the VPN hub config):
!!! the VPN hub config ! crypto keyring PSKs pre-shared-key address key 6 ************ ! crypto isakmp profile ISAKMP_Profile keyring PSKs self-identity address match identity address 255.255.255.255 virtual-template 1 ! crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac ! crypto ipsec profile IPSEC_Profile set transform-set Transform_Set set isakmp-profile ISAKMP_Profile ! interface Loopback1007 description This is a public IP address from a range routed via my gatey IP address (see bellow) ip address 255.255.255.255 no ip redirects ! interface Multilink1 description This is my gateway IP address facing the ISP ip address 255.255.255.252 no ip redirects no ip unreachables ip nbar protocol-discovery ip nat outside ip virtual-reassembly rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop ip route-cache flow no cdp enable ppp multilink ppp multilink fragment delay 20 ppp multilink interleave ppp multilink group 1 ppp multilink multiclass service-policy output qos_pm-outbound ! interface Serial0/0/0 description 1st Serial Interface to ISP bandwidth 2048 no ip address encapsulation ppp ip route-cache flow no fair-queue ppp multilink ppp multilink group 1 ! interface Serial0/0/1 description 2nd Serial Interface to ISP bandwidth 2048 no ip address encapsulation ppp ip route-cache flow no fair-queue ppp multilink ppp multilink group 1 ! interface Virtual-Template1 type tunnel ip unnumbered Loopback1007 ip access-group vpn_acl-tunnel-encr-in in ip access-group vpn_acl-tunnel-encr-out out ip mtu 1400 ip route-cache flow tunnel source Loopback1007 tunnel mode ipsec ipv4 tunnel sequence-datagrams tunnel checksum tunnel path-mtu-discovery tunnel protection ipsec profile IPSEC_Profile service-policy output qos_pm-VPN ! ip access-list extended vpn_acl-tunnel-encr-in permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255 ! ip access-list extended vpn_acl-tunnel-encr-out permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
!!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators) !!! all follow the standard crypto map config on the physical interface. !!! i.e.
Pros for the Virtual-Template:
- separate QoS for each tunnel
- ACLs configured directly on the tunnel interface (grater flexibility)
- tunnel end-point IP address can be part of a range BGP advertised via multiple ISP links
Cons:
- hub config, the tunnel needs to be reseted by the peer
Any help is very much appreciated. Thank you, Adrian