
Crypto Map not applied on any interface

sarpareashish

Hi All,

 

I have an IPsec crypto configuration on one of my routers. The crypto map is configured with the local-address command pointing to the WAN interface, but the crypto map is not applied on any interface. As far as I know, if a crypto map is not applied on any interface then IPsec will not be in use. Please confirm.

Also, the WAN IPs are permitted instead of the LAN subnet in the access list.

Below is an example config for the same.

 

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 6000
crypto isakmp key 6 test address 10.10.10.2
crypto isakmp aggressive-mode disable
crypto ipsec transform-set teset esp-3des esp-sha-hmac
 mode tunnel
crypto map MAP local-address FastEthernet0/0
crypto map MAP 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set teset
 match address 100

Extended IP access list 100
    10 permit gre host 10.10.10.1 host 10.10.10.2

3 Replies

Hi,
If the crypto map is not set under an interface it’s likely it’s not in use.

Do you have a tunnel interface on the router? This could be using the IPsec configuration, and the crypto map is legacy.

Run “show crypto ipsec sa” and “show crypto isakmp sa” to confirm.

HTH

I don't have any tunnel interface.

Also, please confirm the use of the local-address command here. Is it only used for the source IP address? Will it apply the crypto map on that interface?

Thanks in advance.

The "local-address" command specifies the IP address that is the source for IPSec on the local router - this is usually a loopback interface. This IP address obviously needs to be routable from the peer router.

 

You still need to apply the crypto map to the physical egress interface, regardless of whether you are using the "local-address" command or not, e.g.:

 

interface GigabitEthernet0/0
 crypto map MAP

 HTH
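
A way to check a saved running-config for the situation discussed in this thread, as an added example that is not part of the original posts: it lists every crypto map, its local-address interface, and the interfaces it is actually applied on, treating local-address as a source-address setting only. The sample config is constructed; the second map OTHER, its peer 192.0.2.2 and the function names are assumptions for illustration.

```python
import re

# Constructed sample: the crypto map from the question plus a hypothetical
# second map (OTHER) that is applied to an interface, for contrast.
SAMPLE_CONFIG = """\
crypto map MAP local-address FastEthernet0/0
crypto map MAP 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set teset
 match address 100
crypto map OTHER 10 ipsec-isakmp
 set peer 192.0.2.2
 match address 101
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.252
!
interface FastEthernet0/1
 crypto map OTHER
"""

def audit_crypto_maps(config):
    """Return {map: {"local_address": iface or None, "applied_on": [ifaces]}}."""
    maps, iface = {}, None
    entry = lambda n: maps.setdefault(n, {"local_address": None, "applied_on": []})
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():  # top-level command ends any interface block
            iface = None
            if (m := re.match(r"interface (\S+)", line)):
                iface = m.group(1)
            elif (m := re.match(r"crypto map (\S+) local-address (\S+)", line)):
                # Sets the IPsec source address only; does not apply the map.
                entry(m.group(1))["local_address"] = m.group(2)
            elif (m := re.match(r"crypto map (\S+) \d+ ", line)):
                entry(m.group(1))  # map entry definition
        elif iface and (m := re.match(r"\s+crypto map (\S+)\s*$", line)):
            entry(m.group(1))["applied_on"].append(iface)  # applied under interface
    return maps

def unapplied_maps(config):
    """Names of crypto maps that are defined but applied on no interface."""
    return sorted(n for n, v in audit_crypto_maps(config).items() if not v["applied_on"])

if __name__ == "__main__":
    for name, info in audit_crypto_maps(SAMPLE_CONFIG).items():
        where = ", ".join(info["applied_on"]) or "NOT APPLIED"
        print(f"{name}: local-address={info['local_address']} applied on: {where}")
```

The parser relies on the indentation that a saved running-config uses for sub-commands, so text pasted with the indentation stripped needs it restored first.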
