Doing a multisite VPN setup with at least one UC520

It is possible to do a multisite VPN setup, as long as you have the following:
- A UC520 at one site
- A UC520, SR520, or ISR with a VPN-capable version of IOS at the other sites

This setup will connect the voice and data subnets at each of the sites in the multisite VPN setup.

You need to do the following on each of the routers used in the multisite setup, whether it be a UC520, SR520, or VPN-capable ISR:
1. Be sure that the WAN interface does not have a crypto map associated with it.
2. Be sure that the SDM_CMAP_1 crypto map is deleted, if it exists.
3. Be sure that the SDM_DYNMAP_1 crypto map is deleted, if it exists.
4. Be sure that in the inbound ACL used by the WAN interface, entries similar to "permit ip host 192.168.10.245 any" or "192.168.10.245 192.168.10.0 0.0.0.255" are removed from the ACL. You should leave the other ACL entries alone. The inbound ACL for the WAN interface should look like the following:
10 permit udp any any eq ntp
20 permit udp any any eq non500-isakmp
30 permit udp any any eq isakmp
40 permit esp any any
50 permit ahp any any
60 deny ip 10.1.10.0 0.0.0.3 any
70 deny ip 10.1.1.0 0.0.0.255 any
80 deny ip 192.168.10.0 0.0.0.255 any
90 permit udp any eq bootps any eq bootpc
100 permit icmp any any echo
110 permit icmp any any echo-reply
120 permit icmp any any time-exceeded
130 permit icmp any any unreachable
140 permit udp any any eq 5060
150 permit udp any eq 5060 any
160 permit udp any any range 16384 32767
170 permit udp any any eq domain
180 deny ip 10.0.0.0 0.255.255.255 any
190 deny ip 172.16.0.0 0.15.255.255 any
200 deny ip 192.168.0.0 0.0.255.255 any
210 deny ip 127.0.0.0 0.255.255.255 any
220 deny ip host 255.255.255.255 any
230 deny ip any any log
5. The ACL used for determining whether or not to use Network Address Translation (NAT) for an address should look like the following:
10 permit ip 10.1.10.0 0.0.0.3 any
20 permit ip 192.168.10.0 0.0.0.255 any
30 permit ip 10.1.1.0 0.0.0.255 any
6. Be sure that something similar to the following is in your router configuration:
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
key c1Sc0ezVPN
pool EZVPN_POOL_1
max-users 8
!
crypto ipsec transform-set ESP_AES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
ip local pool EZVPN_POOL_1 192.168.10.245 192.168.10.254
7. You will need to now add the following to your router configuration (NOTE: If the BVI1 interface is not configured on your router, use the Vlan1 interface instead):
crypto isakmp profile EZVPN-RA
match identity group EZVPN_GROUP_1
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec profile EZVPN-VTI
set transform-set ESP_AES_SHA ESP_3DES_SHA
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI1
ip nat inside
ip virtual-reassembly
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile EZVPN-VTI
8. You have now set up the Easy VPN Server using a Virtual Tunnel Interface (VTI).
9. To set up a tunnel between site A and site B, you need to configure the following on the site A router (NOTE: If the BVI1 interface is not configured on your router, use the Vlan1 interface instead. If your WAN interface is not the FastEthernet0/0 interface, enter the appropriate WAN interface instead of the FastEthernet0/0 interface.):
crypto keyring A-to-B-Keyring
pre-shared-key address <site B address> key siteAtoB
!
crypto isakmp profile A-to-B-KeyProfile
keyring A-to-B-Keyring
match identity address <site B address> 255.255.255.255
!
crypto ipsec profile A-to-B-Tunnel
set transform-set ESP_AES_SHA ESP_3DES_SHA
set isakmp-profile A-to-B-KeyProfile
!
interface Tunnel0
description Site A to B tunnel
ip unnumbered BVI1
tunnel source FastEthernet0/0
tunnel destination <site B address>
tunnel mode ipsec ipv4
tunnel protection ipsec profile A-to-B-Tunnel
!
! Add ip route entries for each of the subnets that need to be routed to site B
!
! Note that these subnets must be different from those directly
! connected to the Site A router
!
ip route 10.1.2.0 255.255.255.0 Tunnel0
ip route 10.1.11.1 255.255.255.252 Tunnel0
ip route 192.168.11.1 255.255.255.0 Tunnel0

10. To set up a tunnel between site A and site B, you need to configure the following on the site B router (NOTE: If the BVI1 interface is not configured on your router, use the Vlan1 interface instead. If your WAN interface is not the FastEthernet0/0 interface, enter the appropriate WAN interface instead of the FastEthernet0/0 interface.):
! Note: The pre-shared-key used for the tunnel between site A
! and site B must match on both routers
crypto keyring A-to-B-Keyring
pre-shared-key address <site A address> key siteAtoB
!
crypto isakmp profile A-to-B-KeyProfile
keyring A-to-B-Keyring
match identity address <site A address> 255.255.255.255
!
crypto ipsec profile A-to-B-Tunnel
set transform-set ESP_AES_SHA ESP_3DES_SHA
set isakmp-profile A-to-B-KeyProfile
!
interface Tunnel0
description Site A to B tunnel
ip unnumbered BVI1
tunnel source FastEthernet0/0
tunnel destination <site A address>
tunnel mode ipsec ipv4
tunnel protection ipsec profile A-to-B-Tunnel
!
! Add ip route entries for each of the subnets that need to be routed to site A
!
! Note that these subnets must be different from those directly
! connected to the Site B router
!
ip route 10.1.1.0 255.255.255.0 Tunnel0
ip route 10.1.10.1 255.255.255.252 Tunnel0
ip route 192.168.10.1 255.255.255.0 Tunnel0

11. I have included voice subnets in the ip route commands, because scenarios such as those below require this setup:
a. Multiple UC520s connected to a single CallConnector server
b. An 871, SR520, or other non-voice capable router using a remote UC520 for telephony services and voicemail
c. Abbreviated site-to-site dialing
d. Use of Cisco IP Communicator softphone at a secondary site

These documents have helped me do this kind of setup:

• IPSec Virtual Tunnel Interface - http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm...
• Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) - http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635...

The UC520 actually does have the Virtual Tunnel Interface capabilities, and these capabilities are very useful. However, you cannot configure VPNs using Virtual Tunnel Interfaces using Cisco Configuration Assistant. They must be configured using the command line interface. Virtual Tunnel Interfaces enable us to configure both Easy VPN Server and site-to-site VPNs on the same UC520.