topic Re: c2921 interface apply crypto map in Network Security

c2921 interface apply crypto map

Chin Chang — Wed, 26 Jun 2024 03:31:47 GMT

Hello, please refer my image, and my questions are these:
1.
The solution for crypto map, is it working 2 nodes only?
In my environment, packets from R1 to R2 are crypto, but I need R1 to R3 crypto also. So I want to understand this setting crypto map is working 2 nodes only? Or what can I adjust config?
2.
In crypto map solution, packets from R1 to R2 that needs crypto, from R1 to R4 that not needs crypto.
Can it do it? Or crypto map is not correct solution in this environment?

Re: c2921 interface apply crypto map

balaji.bandi — Wed, 26 Jun 2024 05:00:56 GMT

You need to configure Hub and Spoke model

check below example configuration :

https://www.techtutsonline.com/multiple-site-to-site-vpn-tunnels-on-one-cisco-router/#Configuration_of_VPN_Between_R1_and_R2

If you looking spoke to spoke - then you need to look DMVPN or GetVPN solution (you can google it you get N number of examples)

Re: c2921 interface apply crypto map

Chin Chang — Wed, 26 Jun 2024 06:49:33 GMT

Hi BB,
Thank your info, but I'm learning your external link, still failed.
And my 「show crypto isakmp sa」seems working.
Maybe I will try DMVPN solution.

Re: c2921 interface apply crypto map

balaji.bandi — Wed, 26 Jun 2024 06:52:14 GMT

but I'm learning your external link, still failed.

Not sure i get this - can you give more clarity ?

Maybe I will try DMVPN solution.

sure that will be way move forward hub and spoke and spoke to spoke.

Re: c2921 interface apply crypto map

M02@rt37 — Wed, 26 Jun 2024 07:54:42 GMT

Hello @Chin Chang

Check here: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14133-ios-hub-spoke.html

Re: c2921 interface apply crypto map

MHM Cisco World — Wed, 26 Jun 2024 08:25:45 GMT

Notes

1-You use hub not SW connect four routers

2- you test by ping router itself and this not way to tesr ipsec

3- there is no config of acl use in ipsec?

MHM

Re: c2921 interface apply crypto map

Chin Chang — Thu, 27 Jun 2024 08:31:14 GMT

Hi M02@rt37,
Thank your support, but I still failed. I have refer Cisco doc, and same config.
In my test, the router dr_whoovie have crypto session with sam-I-am, but not crypto session with thidwick.
And then, sam-I-am interface shutdown / no shutdown, dr_whoovie have session with thidwick, not crypto session with sam-I-am.
So in my test environment, the crypto session seems working on first 2 nodes, not work in third node. And point to point only, not multipoint.

Re: c2921 interface apply crypto map

Chin Chang — Fri, 28 Jun 2024 09:55:01 GMT

Hi MHM,
1-You use hub not SW connect four routers
>>thank your remind, I have replace it by c2960 switch, and other config, environment are same. still failed.

2- you test by ping router itself and this not way to tesr ipsec
>>my ping is from R1 interface to R2 interface, should I add PC nodes behind the router? and ping from PC1 to PC2? maybe I will try it.

3- there is no config of acl use in ipsec?
>>my ipsec has ACL config, but it is permit ip any any.
the reason is require ACL command, can not empty.

Re: c2921 interface apply crypto map

MHM Cisco World — Fri, 28 Jun 2024 10:11:01 GMT

do below
note:-
1-LO is meaning Loopback
2- ping from LO to LO (use source in ping) to test IPsec
3- Spoke have default route toward R4
4- Hub have static route for each LO connect to Spoke

MHM

Re: c2921 interface apply crypto map

Chin Chang — Sat, 29 Jun 2024 18:49:54 GMT

Thank your help, still failed.
Currently, we will plan DMVPN, give up crypto map.

Re: c2921 interface apply crypto map

MHM Cisco World — Sat, 29 Jun 2024 18:54:48 GMT

To be honest I prefer using dmvpn for hub and spoke' even if I am sure the crypto map I share it work.

But using legacy crypto map in present of dmvpn is bad idea

MHM

Re: c2921 interface apply crypto map

MHM Cisco World — Sat, 29 Jun 2024 19:07:02 GMT

If I have time I will share lab maybe tomorrow

MHM

Re: c2921 interface apply crypto map

Chin Chang — Sat, 29 Jun 2024 20:23:03 GMT

Hi MHM,
thank you so much for support.
i'm familiar DMVPN, if i met trouble, i will post in community, tks!

Re: c2921 interface apply crypto map

MHM Cisco World — Sat, 29 Jun 2024 20:49:55 GMT

You are so welcome

MHM