crypto map sequence number's role

mario.laniel
Level 1

I'm configuring IPsec between four sites in a fully meshed fashion. The problem that I have is that one of the sites is our main hub and everything runs on a Class B network. Creating ACLs to get from one site to another is relatively simple, but getting from one site to the main hub is another story: since the other sites are all subnets of the Class B address, I have to remove those subnets from the Class B and at the same time encrypt the rest of the Class B address. The subnets of the smaller sites are mostly /24 and /25. I was wondering if the sequence # in the crypto map command could play a role for me. If I put the highest priority on the small sites and the lowest on the crypto map pointing to the main hub, could I get away with something like this:

permit x.x.x.x 0.0.0.255 (local subnet) x.x.x.x 0.0.255.255 (full Class B)

thanks in advance for taking the time.

Mario

4 Replies

mklaphek
Level 1

I believe that you're talking about access-lists for defining interesting (IPsec) traffic. If this is the case, then you should be able to define it fairly simply. Assume that Remote Site 1 has the range 172.16.20.0/24, Remote Site 2 has the range 172.16.30.0/24 and the Main Site has the range 172.16.0.0/20; you could still define the crypto-map access-lists as follows:

Main Site (IOS numbered ACLs take wildcard masks, as in the rest of this thread, not subnet masks):

access-list 100 permit ip 172.16.0.0 0.0.255.255 172.16.20.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.255.255 172.16.30.0 0.0.0.255

Remote Site 1:

access-list 120 permit ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255

Remote Site 2:

access-list 130 permit ip 172.16.30.0 0.0.0.255 172.16.0.0 0.0.255.255

This only defines what interesting traffic is.

The crypto-map sequence numbers don't provide a priority as far as I know.

Hope this helps

This is fine for site 1 to main site or site 2 to main site. What about site 1 to site 2, while still being able to do site 1 to main site?

This is what I had in mind:

crypto map config from site-1:

crypto map VPNTRIAL 12 ipsec-isakmp
 set peer 172.16.56.161
 set transform-set CRYPT3DES
 set pfs group2
 match address crypto/to-main-site
!
crypto map VPNTRIAL 11 ipsec-isakmp
 set peer 172.16.56.86
 set transform-set CRYPT3DES
 set pfs group2
 match address crypto/to-site-2
!
crypto map VPNTRIAL 10 ipsec-isakmp
 set peer 172.16.56.130
 set transform-set CRYPT3DES
 set pfs group2
 match address crypto/to-site-3

ACLs from site-1:

ip access-list extended crypto/to-main-site
 deny ip host 172.16.56.66 host 172.16.56.161
 deny ospf any any
 permit ip 172.16.84.128 0.0.0.127 172.16.0.0 0.0.255.255
 permit ip 172.16.84.128 0.0.0.127 10.0.0.0 0.255.255.255
!
ip access-list extended crypto/to-site-2
 deny ip host 172.16.56.66 host 172.16.56.86
 deny ospf any any
 permit ip 172.16.84.128 0.0.0.127 172.16.185.128 0.0.0.127
!
ip access-list extended crypto/to-site-3
 deny ip host 172.16.56.66 host 172.16.56.130
 deny ospf any any
 permit ip 172.16.84.128 0.0.0.127 172.16.259.0 0.0.0.255

As you can see, the crypto map entry for the main site has a sequence # of 12, site-2 a sequence of 11 and site-3 a sequence of 10.

I've just tried this in a lab simulation and the sequence number does seem to have a priority: the lower the number, the higher the priority. In a config like this, when I send traffic from site-1 to site-2 the tunnel gets established properly, and only between the two sites, even though the packets hit both ACLs, the one to the main site and the one to site-2.

It seems to me that only some kind of priority could do that, and I "guess" that the sequence # must be playing that role.

Regards,

Mario

Mario ... that is exactly how it works for both ISAKMP policies and crypto map entries. It will look at the lowest number (highest priority), so if you make your remote sites all higher priority (lower number) then you should be fine in regards to the central site.

Regards,

Thanks Jason,

This will make my crypto ACLs a lot smaller in regards to the main site.

Thanks again for taking the time.