IPSec Non-Meraki VPN Peer With Other Active Tunnels

SOLVED
MFisher
Here to help

IPSec Non-Meraki VPN Peer With Other Active Tunnels

We need to create a "Non-Meraki VPN Peer" between an MX68 and Cisco 1841 router.  The trick is, this router already hosts multiple IPSec tunnels to other Cisco routers using Tunnel interfaces and a single public interface.

 

Is it possible to create a "Non-Meraki VPN Peer" between the MX68 and C1841 while keeping the current tunnels active.

 

All resources show a physical interface on the non-meraki appliance with a public IP that the IPSec/Crypto configurations are applied to.  Doing so would break our current tunnels however.  Sample router config below.


object-group network REMOTE
host X.X.X.X
host Y.Y.Y.Y
!
crypto isakmp policy 5
encr aes 192
authentication pre-share
group 14
crypto isakmp key KEY address X.X.X.X
crypto isakmp key KEY address Y.Y.Y.Y
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set VTI esp-aes 192 esp-sha-hmac
!
crypto ipsec profile PROF1
set transform-set VTI
!
!
interface Tunnel0
ip address 10.255.255.62 255.255.255.252
ip tcp adjust-mss 1380
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination X.X.X.X
tunnel protection ipsec profile PROF1
!
interface Tunnel1
ip address 10.255.252.62 255.255.255.252
ip tcp adjust-mss 1380
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination Y.Y.Y.Y
tunnel protection ipsec profile PROF1
!
interface FastEthernet0/0
ip address Z.Z.Z.Z 255.255.255.248
ip access-group OUTSIDE in
no ip redirects
no ip unreachables
duplex auto
speed auto
no cdp enable
no mop enabled
!
!
router eigrp 55555
network 10.255.252.60 0.0.0.3
network 10.255.255.60 0.0.0.3
passive-interface default
no passive-interface Tunnel0
no passive-interface Tunnel1
!
!
ip route X.X.X.X 255.255.255.255 Z.Z.Z.Y name TUN0
ip route Y.Y.Y.Y 255.255.255.255 Z.Z.Z.Y name TUN1
ip tacacs source-interface Loopback0
ip access-list extended OUTSIDE
permit esp object-group REMOTE host Z.Z.Z.Z
permit udp object-group REMOTE host Z.Z.Z.Z eq isakmp
permit udp object-group REMOTE host Z.Z.Z.Z eq non500-isakmp
deny ip any any

 

1 ACCEPTED SOLUTION
Foysol
Here to help

interface Tunnel2
ip unnumbered FastEthernet0/0
ip tcp adjust-mss 1380
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination Y.Y.Y.Y
tunnel protection ipsec profile (Profile_Name)

 

ip route X.X.X.X (Destination LAN Subnet) Tunnel2


Please create IPsec Phase 1 / Phase 2 policy and Transform-set. Configuration (IPSec Policy and TS) need to match both the end.

View solution in original post

2 REPLIES 2
Foysol
Here to help

interface Tunnel2
ip unnumbered FastEthernet0/0
ip tcp adjust-mss 1380
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination Y.Y.Y.Y
tunnel protection ipsec profile (Profile_Name)

 

ip route X.X.X.X (Destination LAN Subnet) Tunnel2


Please create IPsec Phase 1 / Phase 2 policy and Transform-set. Configuration (IPSec Policy and TS) need to match both the end.

That "ip unnumbered FastEthernet0/0" did the trick!

 

Thanks for the help!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels