Cisco 2800 - Multiple VPNs Using Virtual-Template

Post by Adrian » Fri, 08 Dec 2006 21:30:59


Hello List,

I have a question related to the way of setting up multiple VPNs using
virtual-template configuration (Cisco calls this Dynamic VPN): how can
I make my configuration a "spoke"-type VPN rather than a "hub" type
without using "crypto map" on the physical interface?
Here is how it works now (the VPN hub config):

!!! the VPN hub config
!
crypto keyring PSKs
pre-shared-key address <peer_ip> key 6 ************
!
crypto isakmp profile ISAKMP_Profile
keyring PSKs
self-identity address
match identity address <peer_ip> 255.255.255.255
virtual-template 1
!
crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_Profile
set transform-set Transform_Set
set isakmp-profile ISAKMP_Profile
!
interface Loopback1007
description This is a public IP address from a range routed via my gateway IP address (see below)
ip address <my_VPN-hub_ip> 255.255.255.255
no ip redirects
!
interface Multilink1
description This is my gateway IP address facing the ISP
ip address <my_public_IP> 255.255.255.252
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
rate-limit input access-group 102 8000 1500 2000 conform-action transmit exceed-action drop
ip route-cache flow
no cdp enable
ppp multilink
ppp multilink fragment delay 20
ppp multilink interleave
ppp multilink group 1
ppp multilink multiclass
service-policy output qos_pm-outbound
!
interface Serial0/0/0
description 1st Serial Interface to ISP
bandwidth 2048
no ip address
encapsulation ppp
ip route-cache flow
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1
description 2nd Serial Interface to ISP
bandwidth 2048
no ip address
encapsulation ppp
ip route-cache flow
no fair-queue
ppp multilink
ppp multilink group 1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1007
ip access-group vpn_acl-tunnel-encr-in in
ip access-group vpn_acl-tunnel-encr-out out
ip mtu 1400
ip route-cache flow
tunnel source Loopback1007
tunnel mode ipsec ipv4
tunnel sequence-datagrams
tunnel checksum
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC_Profile
service-policy output qos_pm-VPN
!
ip access-list extended vpn_acl-tunnel-encr-in
permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
!
ip access-list extended vpn_acl-tunnel-encr-out
permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255

!!! the Spoke VPN is configured by my peers (Cisco routers, PIXes,
Cisco VPN concentrators)
!!! all follow the standard crypto map config on the physical
interface.
!!! i.e. http://www.vpnc.org/InteropProfiles/cisco-ios.txt

It is obvious that with my router configured as a VPN hub, if the
tunnel dies, I need to wait for the peer to reset the tunnel; all this
time the clients in my network are not able to access the remote sites.
The reason to use the virtual-template interfaces as opposed to the
traditional "crypto map" way is that my peers do not want to share the
same VPN end-point between themselves (different companies altogether)
and they are very strict in regards to ACLs. As I don't have a VPN
device for each one of them and their number increases (I have 5
separate tunnels right now with a potential to grow to 15 in the next 3
months), I need to find a way to get rid of the hub config on my end (I
did not have much
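Added example, not part of Adrian's post and not the configuration of any of his peers: the same tunnel built on Adrian's side as a static IPsec VTI (a numbered Tunnel interface with a fixed tunnel destination) instead of the responder-only Virtual-Template. Because the tunnel has a destination and a route pointing into it, the first packet this router forwards towards the remote network starts IKE from this side, so the tunnel no longer depends on the peer re-initiating after it dies. Names in the block reuse those from the hub config above; everything in angle brackets (<hub_ip>, <psk>) and the isakmp policy values are assumptions. Each additional peer gets its own Tunnel interface, keyring entry and ISAKMP profile; the per-interface ACLs keep the per-peer traffic restriction the peers insist on.

```cisco
! Added example (not from the original post): spoke-side static VTI
! towards one remote peer, sharing Loopback1007 as the tunnel source.
! <hub_ip> and <psk> are placeholders; the policy values are assumed,
! the hub config above does not show its isakmp policy.
!
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
!
crypto keyring PSKs
 pre-shared-key address <hub_ip> key <psk>
!
crypto isakmp profile ISAKMP_Profile
 keyring PSKs
 self-identity address
 match identity address <hub_ip> 255.255.255.255
!
crypto ipsec transform-set Transform_Set esp-3des esp-md5-hmac
!
crypto ipsec profile IPSEC_Profile
 set transform-set Transform_Set
 set isakmp-profile ISAKMP_Profile
!
! One static tunnel per remote peer; nothing is bound to Multilink1.
interface Tunnel1
 description Static VTI to peer <hub_ip>
 ip unnumbered Loopback1007
 ip access-group vpn_acl-tunnel-encr-in in
 ip access-group vpn_acl-tunnel-encr-out out
 ip mtu 1400
 tunnel source Loopback1007
 tunnel destination <hub_ip>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_Profile
!
! Routing the remote network into the tunnel is what makes this router
! the initiator: the first packet following this route triggers IKE.
ip route 172.20.40.0 255.255.255.0 Tunnel1
!
! Interface ACLs (same as on the hub) still bound what the tunnel
! carries, which is the per-peer restriction the peers require.
ip access-list extended vpn_acl-tunnel-encr-in
 permit ip 172.20.40.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended vpn_acl-tunnel-encr-out
 permit ip 192.168.2.0 0.0.0.255 172.20.40.0 0.0.0.255
!
! Check from the router: "show crypto session" shows the IKE/IPsec
! state per peer, "show crypto ipsec sa" the negotiated selectors.
```

One caveat to check before replacing the hub config with this: a static VTI negotiates any/any (0.0.0.0/0 to 0.0.0.0/0) IPsec proxy identities, while crypto-map peers such as those at http://www.vpnc.org/InteropProfiles/cisco-ios.txt typically propose and accept only the specific networks in their crypto ACL. A peer that insists on narrow selectors will reject this router's proposal, which is exactly why the Virtual-Template responder setup above works with them today. With such peers, either the peer side accepts any/any on its crypto map, or the tunnel stays responder-only and a keepalive (IKE DPD) on both sides is what shortens the outage after a tunnel dies.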