Cisco 2800 - Multiple VPNs Using Virtual-Template

Hello List,

I have a question about setting up multiple VPNs using the virtual-template configuration (Cisco calls this Dynamic VPN): how can I make my configuration a "spoke" type VPN rather than a "hub" type without using "crypto map" on the physical interface? Here is how it works now (the VPN hub config):

!!! the VPN hub config
!
! peer address and key are redacted in the post as received
crypto keyring PSKs
  pre-shared-key address key 6 ************
!
crypto isakmp profile ISAKMP_Profile
   keyring PSKs
   self-identity address
   match identity address 255.255.255.255
   virtual-template 1
!
crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_Profile
 set transform-set Transform_Set
 set isakmp-profile ISAKMP_Profile
!
! tunnel end-point; the address itself is redacted in the post, only the mask survived
interface Loopback1007
 description This is a public IP address from a range routed via my gateway IP address (see below)
 ip address 255.255.255.255
 no ip redirects
!
! ISP-facing bundle of the two serials; address redacted in the post
interface Multilink1
 description This is my gateway IP address facing the ISP
 ip address 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
 ip route-cache flow
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 20
 ppp multilink interleave
 ppp multilink group 1
 ppp multilink multiclass
 service-policy output qos_pm-outbound
!
interface Serial0/0/0
 description 1st Serial Interface to ISP
 bandwidth 2048
 no ip address
 encapsulation ppp
 ip route-cache flow
 no fair-queue
 ppp multilink
 ppp multilink group 1
!
interface Serial0/0/1
 description 2nd Serial Interface to ISP
 bandwidth 2048
 no ip address
 encapsulation ppp
 ip route-cache flow
 no fair-queue
 ppp multilink
 ppp multilink group 1
!
! dynamic VTI template: one virtual-access interface is cloned per peer that connects in
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1007
 ip access-group vpn_acl-tunnel-encr-in in
 ip access-group vpn_acl-tunnel-encr-out out
 ip mtu 1400
 ip route-cache flow
 tunnel source Loopback1007
 tunnel mode ipsec ipv4
 tunnel sequence-datagrams
 tunnel checksum
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_Profile
 service-policy output qos_pm-VPN
!
ip access-list extended vpn_acl-tunnel-encr-in
 permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended vpn_acl-tunnel-encr-out
 permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255

!!! the Spoke VPN is configured by my peers (Cisco routers, PIXes, Cisco VPN concentrators)
!!! all follow the standard crypto map config on the physical interface.
!!! i.e.
It is obvious that with my router configured as a VPN hub, if the tunnel dies I need to wait for the peer to reset the tunnel, and all this time the clients in my network are not able to access the remote sites. The reason to use virtual-template interfaces as opposed to the traditional "crypto map" way is that my peers do not want to share the same VPN end-point between themselves (different companies altogether) and they are very strict in regards to ACLs. As I don't have a VPN device for each one of them and their number is increasing (I have 5 separate tunnels right now, with the potential to grow to 15 in the next 3 months), I need to find a way to get rid of the hub config on my end (I did not have much choice there when I migrated to this platform from a Linux box).

Pros for the Virtual-Template:

- separate QoS for each tunnel

- ACLs configured directly on the tunnel interface (greater flexibility)

- tunnel end-point IP address can be part of a range BGP advertised via multiple ISP links

Cons:

- hub config, the tunnel needs to be reset by the peer

Any help is very much appreciated. Thank you, Adrian
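One way to keep the per-tunnel QoS, interface ACLs and loopback source from the post while letting the hub initiate, as an added example that is not part of Adrian's post: a static VTI (interface Tunnel) per peer with a fixed tunnel destination, which initiates IKE itself instead of waiting to be dialled like the virtual-template does. The peer address 203.0.113.10, the profile names ending in _PeerA, the Tunnel1 number and the key placeholder are assumptions for illustration; Transform_Set, Loopback1007, the ACL names, the QoS policy and the 192.168.2.0/24 remote LAN are taken from the posted config. The dynamic virtual-template stays in place for the peers that keep dialling in.

```cisco
! Added example, not from the original post: one static VTI per peer so the
! hub initiates the tunnel. Peer address and key below are placeholders.
crypto keyring PSKs
  pre-shared-key address 203.0.113.10 key REPLACE_WITH_PEER_A_PSK
!
! Separate ISAKMP profile for this peer: no "virtual-template" line, so the
! match is for the static tunnel only.
crypto isakmp profile ISAKMP_Profile_PeerA
   keyring PSKs
   self-identity address
   match identity address 203.0.113.10 255.255.255.255
!
crypto ipsec profile IPSEC_Profile_PeerA
 set transform-set Transform_Set
 set isakmp-profile ISAKMP_Profile_PeerA
!
! Static VTI: with a fixed destination the router brings IKE/IPsec up on its
! own and keeps retrying, so a dead tunnel no longer waits for the peer.
interface Tunnel1
 description sVTI to peer A (hypothetical 203.0.113.10), hub initiates
 ip unnumbered Loopback1007
 ip access-group vpn_acl-tunnel-encr-in in
 ip access-group vpn_acl-tunnel-encr-out out
 ip mtu 1400
 tunnel source Loopback1007
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile IPSEC_Profile_PeerA
 service-policy output qos_pm-VPN
!
! Routing, not a crypto ACL, decides what enters the tunnel.
ip route 192.168.2.0 255.255.255.0 Tunnel1
```

The caveat to check with each peer before switching: an IKEv1 VTI negotiates the proxy identities as 0.0.0.0/0.0.0.0 on both sides (visible as the local and remote ident lines in "show crypto ipsec sa"), so a crypto-map peer has to accept any/any for this tunnel rather than a narrow crypto ACL; the real traffic restriction then lives in the interface ACLs and routes on each end. With peers described as strict about ACLs, that is the point most likely to need agreement. After the change, "show crypto isakmp sa" on the hub should show the SA to 203.0.113.10 coming up without any traffic from the peer.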

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.