IPsec, L2TP, Split tunneling, PPTP and all other VPN related posts.
Dear all, I have the following configuration:

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map cisco 1 set transform-set myset
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *************

This configuration is working for a single dynamic peer, and it actually works also if I add peers with the same pre-shared key. However, I would like to add different tunnel groups for many different dynamic peers in order to have a different pre-shared key for each one; I tried many times but I can't even see phase 1 working. Can someone help me with this? Many thanks.
You would only need to configure one dynamic map for all the different groups to connect. To configure different pre-shared keys, you can create multiple tunnel-groups. Example:

tunnel-group <name-of-new-group> type remote-access
tunnel-group <name-of-new-group> ipsec-attributes
 pre-shared-key <the-actual-preshared-key>

So to put it into context:

tunnel-group group-A type remote-access
tunnel-group group-A ipsec-attributes
 pre-shared-key group-A-password
tunnel-group group-B type remote-access
tunnel-group group-B ipsec-attributes
 pre-shared-key group-B-password

So for group-A, the group name that you enter into the VPN client will be group-A, and the pre-shared key is group-A-password. Hope that helps.
Hi Jennifer, thanks for the reply. Maybe I explained myself badly: the multiple dynamic peers aren't users but SOHO routers (like Zyxel, Netgear); it's not possible to use the VPN client with them. My question is whether it's possible to do this kind of configuration. Many thanks.
Luca
If it's a dynamic-to-static LAN-to-LAN IPsec tunnel, then the answer is no, you can define different pre-shared keys for dynamic LAN-to-LAN tunnels because the peer IP address could be different. However, if the peer address is static, then you can create a static crypto map (however, that requires static configuration for each remote peer).
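The static-crypto-map approach from the last reply, written out as an added example (this is not configuration from the thread or from any of the posters). It keeps the thread's `dyn-map` / `cisco` dynamic-map names and the `DefaultL2LGroup` catch-all, and adds one static entry plus one LAN-to-LAN tunnel-group per peer whose public address is fixed. The peer addresses (203.0.113.x), subnets, ACL names, transform-set name and keys are placeholders; the transform set uses AES-256/SHA-1 rather than the thread's 3DES/MD5 because those are legacy algorithms. The existing `crypto isakmp policy` entries are assumed to stay as they are.

```cisco
! Added example: per-peer pre-shared keys on an ASA for peers with fixed
! addresses, with the dynamic map kept as the catch-all for everyone else.
! All addresses, names and keys are placeholders.

! Phase 2 proposal (AES-256/SHA-1 instead of the thread's 3DES/MD5)
crypto ipsec transform-set aes-set esp-aes-256 esp-sha-hmac

! Interesting traffic for each fixed-address peer (local LAN 10.1.0.0/16)
access-list vpn-peerA extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list vpn-peerB extended permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0

! Static entries: one per peer. Their sequence numbers (10, 11) are lower
! than the dynamic entry (20) so they are evaluated first.
crypto map dyn-map 10 match address vpn-peerA
crypto map dyn-map 10 set peer 203.0.113.10
crypto map dyn-map 10 set transform-set aes-set
crypto map dyn-map 11 match address vpn-peerB
crypto map dyn-map 11 set peer 203.0.113.20
crypto map dyn-map 11 set transform-set aes-set

! Dynamic catch-all stays last; peers that match it use DefaultL2LGroup
crypto dynamic-map cisco 1 set transform-set aes-set
crypto map dyn-map 20 ipsec-isakmp dynamic cisco
crypto map dyn-map interface outside

! Per-peer LAN-to-LAN tunnel-groups. The group name is the peer's IP
! address, which is how the ASA selects the key during Phase 1 when the
! peer authenticates with a pre-shared key.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key PeerA-Secret-Key
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key PeerB-Secret-Key

! All remaining (dynamic-address) peers still share this single key
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key Shared-Dynamic-Key
```

After applying it, bring up traffic from one of the fixed-address peers and check `show crypto isakmp sa` (Phase 1) and `show crypto ipsec sa` (Phase 2): the Phase 1 SA should show the peer's address, and the Phase 2 SA should be bound to the static entry's ACL, not to the dynamic entry. A peer whose address is not listed still falls through to sequence 20 and must present the `DefaultL2LGroup` key, which is the limitation the reply describes.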