All_about_network

IPSec troubles Part II

by tnk on Jun.02, 2008, under Huawei, Networking

OK, so from the previous post it is clear how to make one tunnel using IPSec, IKE and ISAKMP.

So what if you need multiple tunnels on one IP interface?

There is a limitation: only one IPSec policy can be applied to a particular interface at a time, so it is impossible to apply several different policies there. But there is a workaround: using sequence numbers within one IPSec policy.

So if you want to have multiple tunnels, prepare everything the same way as you did for the first peer (this means an IKE proposal, an IKE peer and an IPSec proposal, of course with different names/numbers).

The main change is that you add a subsequent entry to the same IPSec policy. So if you have ipsec policy 1 10 (first tunnel), you now add ipsec policy 1 20. This does the trick. On the Ethernet interface you still apply only ipsec policy 1, and it will use both configured tunnels according to which ACL the traffic matches.

Some remarks I have noticed:

There is always a need for a default route (do not ask me why); even though the correct route was in the routing table, delivered via OSPF, it was not working until I had added the default route.

You can reuse IKE proposals and IPSec proposals in various combinations in new IPSec policy entries (but this makes things a little bit confusing).

The last thing is the usage of IPSec policies; this allows even more combinations of all the parts, but it was not working too well for me.

Details about how to do this with IPSec policies, and how to do some advanced tunneling with L2TP in combination with IPSec and hopefully some “VPN” concentrator, will be in the next post.

Anyway, the sample config is here:

#
ike proposal 1
encryption-algorithm aes-cbc 256
dh group2
sa duration 28800
#
ike proposal 2
encryption-algorithm aes-cbc 256
dh group2
sa duration 28800
#
ike peer 1
pre-shared-key to2test
remote-address 192.168.3.1
local-address 192.168.10.1
#
ike peer 2
pre-shared-key TMtest
remote-address 192.168.2.1
local-address 192.168.10.1
#
ipsec proposal 1
esp authentication-algorithm sha1
esp encryption-algorithm aes 256
#
ipsec proposal 2
esp authentication-algorithm sha1
esp encryption-algorithm aes 256
#
ipsec policy 1 10 isakmp
security acl 3005 aggregation
ike-peer 1
proposal 1
#
ipsec policy 1 20 isakmp
security acl 3006
ike-peer 2
proposal 2
#
acl number 3005
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 30.30.30.254 0
rule 10 permit icmp source 192.168.1.0 0.0.0.255 destination 30.30.30.254 0
acl number 3006
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 20.20.20.254 0
rule 10 permit icmp source 192.168.1.0 0.0.0.255 destination 20.20.20.254 0
#
interface Aux0
async mode flow
#
interface Ethernet0/0
description ***to_internet***
ip address 192.168.10.1 255.255.255.0
ipsec policy 1
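As an added illustration (my own script, not part of the original post and not Huawei software), the following Python parses a VRP-style config like the one above and shows the point of the sequence numbers: the single policy bound to the interface is walked entry by entry in ascending sequence order, and the first entry whose ACL permits the flow decides which IKE peer the traffic is tunnelled to. It also flags dangling references, since a policy entry pointing at an ACL, peer or proposal that does not exist is a common reason a second tunnel silently never negotiates. The embedded sample config is constructed from the one above with the IKE proposals, pre-shared keys and local addresses left out. The ACL semantics (first matching rule decides, wildcard bits set to 1 are don't-care, a bare 0 means a single host) and the sequence-order walk are my reading of the format, not something confirmed by the post.

```python
"""Added example, not Huawei code: parse a VRP-style IPSec config and show which policy sequence entry protects a flow."""
import ipaddress
# Constructed sample based on the post's config; IKE proposals, keys and local addresses left out.
SAMPLE_CONFIG = """\
ike peer 1
 remote-address 192.168.3.1
#
ike peer 2
 remote-address 192.168.2.1
#
ipsec proposal 1
ipsec proposal 2
ipsec policy 1 10 isakmp
 security acl 3005 aggregation
 ike-peer 1
 proposal 1
#
ipsec policy 1 20 isakmp
 security acl 3006
 ike-peer 2
 proposal 2
#
acl number 3005
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 30.30.30.254 0
acl number 3006
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 20.20.20.254 0
#
interface Ethernet0/0
 ipsec policy 1
"""

def parse_config(text):
    """Unindented lines open a block, indented lines fill it, '#' closes it."""
    m = {"peers": {}, "proposals": set(), "policies": {}, "acls": {}, "interfaces": {}}
    hdr = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok == ["#"]:
            hdr = None
        elif not raw.startswith(" "):
            hdr, kind = tok, " ".join(tok[:2])
            if kind == "ike peer":
                m["peers"][tok[2]] = {}
            elif kind == "ipsec proposal":
                m["proposals"].add(tok[2])
            elif kind == "ipsec policy":  # ipsec policy <name> <seq> isakmp
                m["policies"].setdefault(tok[2], []).append(
                    {"seq": int(tok[3]), "acl": None, "peer": None, "proposal": None})
            elif kind == "acl number":
                m["acls"][tok[2]] = []
        elif hdr is not None:
            kind = " ".join(hdr[:2])
            if kind == "ike peer" and tok[0] == "remote-address":
                m["peers"][hdr[2]]["remote"] = tok[1]
            elif kind == "ipsec policy":
                e = m["policies"][hdr[2]][-1]
                if tok[:2] == ["security", "acl"]:
                    e["acl"] = tok[2]
                elif tok[0] in ("ike-peer", "proposal"):
                    e["peer" if tok[0] == "ike-peer" else "proposal"] = tok[1]
            elif kind == "acl number" and tok[0] == "rule":
                # rule <n> permit|deny <proto> source <addr> <wild> destination <addr> <wild>
                m["acls"][hdr[2]].append({"action": tok[2], "proto": tok[3],
                                          "src": (tok[5], tok[6]), "dst": (tok[8], tok[9])})
            elif hdr[0] == "interface" and tok[:2] == ["ipsec", "policy"]:
                m["interfaces"].setdefault(hdr[1], {})["policy"] = tok[2]
    return m

def _wild_match(addr, base, wildcard):
    # Wildcard bits set to 1 are don't-care; a bare "0" is VRP shorthand for a single host.
    wild = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    keep = 0xFFFFFFFF ^ wild
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

def acl_permits(rules, src, dst, proto):
    """First matching rule decides (assumed ACL semantics); no match means not protected."""
    for r in rules:
        if r["proto"] in ("ip", proto) and _wild_match(src, *r["src"]) and _wild_match(dst, *r["dst"]):
            return r["action"] == "permit"
    return False

def select_tunnel(m, iface, src, dst, proto="ip"):
    """Walk the interface's policy entries by sequence number; return (seq, ike-peer, remote) or None."""
    name = m["interfaces"].get(iface, {}).get("policy")
    for e in sorted(m["policies"].get(name, []), key=lambda x: x["seq"]):
        if acl_permits(m["acls"].get(e["acl"], []), src, dst, proto):
            return e["seq"], e["peer"], m["peers"].get(e["peer"], {}).get("remote")
    return None

def validate(m):
    """Dangling references are a common reason a later sequence entry never negotiates."""
    problems = []
    for name, entries in m["policies"].items():
        for e in entries:
            for field, table in (("acl", m["acls"]), ("peer", m["peers"]), ("proposal", m["proposals"])):
                if e[field] not in table:
                    problems.append(f"policy {name} {e['seq']}: {field} {e[field]} not defined")
    return problems
```

With the sample config, a packet from 192.168.1.0/24 to 30.30.30.254 lands on entry 10 (peer 1, remote 192.168.3.1), one to 20.20.20.254 lands on entry 20 (peer 2, remote 192.168.2.1), and anything else matches no entry and leaves the interface unprotected. Renaming the ike-peer in entry 20 to one that does not exist makes validate() report it, which is the kind of mistake worth checking before wondering why only the first tunnel comes up.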
