
Thursday, April 7, 2011

How to configure two VPNs over a serial interface?

Qsolved Question: Two companies want to use one serial connection between two routers. The networks 10.28.228.0 and 10.28.229.0 belong to one company and the networks 10.29.72.0 and 10.29.106.0 to the other company. For separation reasons we want to create two VPN tunnels with IPsec. The max. bandwidth is 2 MB/s. In the configuration of the serial sub-interfaces it isn't possible to set PPP encapsulation on our routers.

Without sub-interfaces, with one IPsec VPN tunnel on the serial interface with PPP, it works fine.

version 12.4
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname beh2turm
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.124-23.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging rate-limit
enable secret 5 ****
!
aaa new-model
!
aaa authentication login conmethod group tacacs+ enable
aaa authentication login vtymethod group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
aaa session-id common
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ip domain name gsta.verwalt-berlin.de
!
crypto pki trustpoint TP-self-signed-3134403343
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3134403343
 revocation-check none
 rsakeypair TP-self-signed-3134403343
!
crypto pki certificate chain TP-self-signed-3134403343
 certificate self-signed 01
  30820257 ****
  530A9F
  quit
archive
 log config
  hidekeys
!
crypto isakmp policy 12
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 14
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key halfspeed address 10.29.40.49
crypto isakmp key halfspeed address 10.29.40.17
!
crypto ipsec transform-set encrypt-3des esp-3des
!
crypto map BEH 12 ipsec-isakmp
 set peer 10.29.40.17
 set transform-set encrypt-3des
 match address 130
!
crypto map GB 14 ipsec-isakmp
 set peer 10.29.40.49
 set transform-set encrypt-3des
 match address 150
!
interface FastEthernet0/0
 description zum Grundbuch
 ip address 10.28.229.1 255.255.255.0
 no shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.29.106.240 255.255.255.0
 ip helper-address 10.29.80.56
 ip helper-address 10.29.80.55
 ip directed-broadcast
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
!
interface Serial0/0/0.1
 description zur STA
 autodetect encapsulation ppp
 bandwidth 1500000
 ip address 10.29.40.18 255.255.255.252
 crypto map BEH
!
interface Serial0/0/0.2
 description zum AG
 autodetect encapsulation ppp
 bandwidth 500000
 ip address 10.29.40.50 255.255.255.252
 crypto map TUNNEL-GB
!
no ip forward-protocol nd
ip route 10.28.228.0 255.255.255.0 10.29.40.49
ip route 10.29.50.0 255.255.255.0 10.29.40.17
ip route 10.29.60.0 255.255.255.0 10.29.40.17
ip route 10.29.80.0 255.255.254.0 10.29.40.17
ip route 10.29.82.0 255.255.254.0 10.29.40.17
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging origin-id hostname
logging 10.29.50.2
!
access-list 130 permit ip any any
access-list 150 permit ip any any
!
snmp-server community public RO
snmp-server community private RW
snmp-server enable traps tty
!
tacacs-server host 10.29.50.2
tacacs-server directed-request
tacacs-server key 7 ****
!
control-plane
!
banner motd ^Geraet mit AAA konfiguriert!^
!
line con 0
 exec-timeout 3 0
 password 7 ***
 login authentication conmethod
line aux 0
line vty 0 4
 exec-timeout 20 0
 privilege level 15
 password 7 ***
 login authentication vtymethod
 transport input ssh
line vty 5 15
 exec-timeout 5 0
 privilege level 15
 password 7 ***
 login authentication vtymethod
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178612
ntp peer 10.29.40.17
end

How do we configure two VPNs over a serial interface (see fig)?

Qsolved Answer: Unfortunately I do not believe that it is possible to set up 2 separate VPN tunnels running over a single serial interface between the same 2 routers.

Would it be feasible to run a single VPN tunnel to transport traffic for both companies over the serial link, and to use ACLs to make sure that a source from company 1 could only access destinations of company 1?
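As an added example (not part of the original question or answer, and not the answerer's own configuration), here is what the single-tunnel design suggested above would look like on the posted router. Assumptions: the far end of the one serial link is 10.29.40.17 and the local end keeps 10.29.40.18/30; the ACL names VPN-TRAFFIC, COMPANY1-IN and COMPANY2-IN are invented; the company-2 remote networks are taken from the question (10.29.72.0/24) and from the static routes in the posted config. Two things in the posted config are worth checking first: Serial0/0/0.2 applies `crypto map TUNNEL-GB`, but the map that is defined is named `GB`, so entry GB 14 is never bound to an interface; and crypto ACLs 130 and 150 are `permit ip any any`, which puts every packet leaving the serial interface into the tunnel and offers the peer a catch-all selector instead of the company networks. IOS serial sub-interfaces exist for Frame Relay, where each one maps to a DLCI; PPP has nothing to multiplex on, which is why the `Serial0/0/0.1`/`.2` approach cannot be given PPP encapsulation.

```cisco
! Added example, not from the original post: one IPsec tunnel on the
! physical serial interface (PPP), company traffic separated by ACLs.
! Peer 10.29.40.17 and the ACL names are assumptions.
!
crypto isakmp policy 12
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key halfspeed address 10.29.40.17
!
crypto ipsec transform-set encrypt-3des esp-3des
!
! Crypto ACL: only the company networks, never "permit ip any any".
! The remote router needs the mirror image of these entries.
ip access-list extended VPN-TRAFFIC
 remark company 1: Grundbuch LAN <-> 10.28.228.0/24
 permit ip 10.28.229.0 0.0.0.255 10.28.228.0 0.0.0.255
 remark company 2: 10.29.106.0/24 <-> remote company-2 networks
 permit ip 10.29.106.0 0.0.0.255 10.29.72.0 0.0.0.255
 permit ip 10.29.106.0 0.0.0.255 10.29.50.0 0.0.0.255
 permit ip 10.29.106.0 0.0.0.255 10.29.60.0 0.0.0.255
 permit ip 10.29.106.0 0.0.0.255 10.29.80.0 0.0.1.255
 permit ip 10.29.106.0 0.0.0.255 10.29.82.0 0.0.1.255
!
crypto map BEH 10 ipsec-isakmp
 set peer 10.29.40.17
 set transform-set encrypt-3des
 match address VPN-TRAFFIC
!
! Separation on the LAN side: each LAN may only reach its own company's
! networks. Applied inbound so it also stops traffic hairpinning between
! FastEthernet0/0 and FastEthernet0/1 on this router.
ip access-list extended COMPANY1-IN
 permit ip 10.28.229.0 0.0.0.255 10.28.228.0 0.0.0.255
 deny   ip any any log
!
ip access-list extended COMPANY2-IN
 remark the DHCP relay (ip helper-address) needs client broadcasts
 permit udp any eq bootpc any eq bootps
 permit ip 10.29.106.0 0.0.0.255 10.29.72.0 0.0.0.255
 permit ip 10.29.106.0 0.0.0.255 10.29.50.0 0.0.0.255
 permit ip 10.29.106.0 0.0.0.255 10.29.60.0 0.0.0.255
 permit ip 10.29.106.0 0.0.0.255 10.29.80.0 0.0.1.255
 permit ip 10.29.106.0 0.0.0.255 10.29.82.0 0.0.1.255
 deny   ip any any log
!
interface FastEthernet0/0
 description zum Grundbuch
 ip address 10.28.229.1 255.255.255.0
 ip access-group COMPANY1-IN in
!
interface FastEthernet0/1
 ip address 10.29.106.240 255.255.255.0
 ip helper-address 10.29.80.56
 ip helper-address 10.29.80.55
 ip access-group COMPANY2-IN in
!
! One link, one tunnel: no sub-interfaces, PPP on the physical interface.
! "bandwidth" is in kbit/s, so a 2 Mbit/s link is 2000, not 1500000.
interface Serial0/0/0
 description zur STA / zum AG
 encapsulation ppp
 bandwidth 2000
 ip address 10.29.40.18 255.255.255.252
 crypto map BEH
!
! Every remote network now sits behind the single peer.
ip route 10.28.228.0 255.255.255.0 10.29.40.17
ip route 10.29.72.0 255.255.255.0 10.29.40.17
ip route 10.29.50.0 255.255.255.0 10.29.40.17
ip route 10.29.60.0 255.255.255.0 10.29.40.17
ip route 10.29.80.0 255.255.254.0 10.29.40.17
ip route 10.29.82.0 255.255.254.0 10.29.40.17
```

After applying it, `show crypto isakmp sa` should show one IKE SA to 10.29.40.17 and `show crypto ipsec sa` one pair of IPsec SAs per line of VPN-TRAFFIC; `show ip access-lists COMPANY1-IN` counters on the `deny ... log` line, together with the syslog already sent to 10.29.50.2, show any cross-company attempts. The example deliberately omits `ip directed-broadcast` on FastEthernet0/1 and the `public`/`private` SNMP communities from the posted config, since neither is needed for the tunnel.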

Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
