
Crypto profiles and maps on same router

ron_brewer
Level 1

We are looking at rolling out DMVPN at a location that will need to keep static VPNs to customer sites where we don't manage the remote VPN server. Has anyone had success with running crypto profiles on the tunnel0 interface along with a crypto map on the physical interface (that happens to be the source interface for the virtual tunnel0 interface)? I can't find any sample code or verification on Cisco's website that profiles/maps can be run together.

Thanks,

Ron

2 Replies

thisisshanky
Level 11

Yeah, I set one up last week. I create DMVPN to remote sites using IPsec profiles, while using static crypto maps between hubs. Both run over the same Ethernet interface, which connects to the Internet. To keep the tunnel up all the time you can run EIGRP over it, and that also helps in populating dynamic routes. Which traffic is encrypted over the static tunnel is decided by the interesting traffic defined by the ACL applied to the crypto map.

As far as DMVPN is concerned, it does not interfere with static crypto maps. It brings up the tunnel (always up tunnel) using NHRP mappings and GRE tunnel. Once the tunnel is up, the routing protocol used will decide where to send the data. Any data that is routed through the tunnel interface is encrypted.

Hope that makes sense.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Thanks. I just wanted to be sure the tunnel0 interface running the profile wouldn't bump heads with crypto map on the physical interface. I've used DMVPN at three customer sites with no problems (using OSPF at two sites and EIGRP at one site). This will be the first time where DMVPN is going to be rolled out on a device that needs to keep static tunnels to partner sites that are using Checkpoints and NetScreen firewalls maintained by other IT staff.

I see now that since the multipoint GRE tunnels will encrypt based on routing protocol neighbors, and the crypto map will use the typical ACL, the traffic should be mutually exclusive. Since you tested fine in your scenario I now understand there is no problem with the dynamic isakmp key for DMVPN versus the static isakmp key for crypto map peers.

Thanks for the reply.
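
An added IOS configuration example of the coexistence discussed in this thread: an IPsec profile on Tunnel0 and a static crypto map on the tunnel's source interface. It was not posted by either participant and is not a Cisco sample; the interface names, documentation-range addresses, policy parameters, object names and key placeholders are all assumptions.

```cisco
! Constructed example: every name, address and key below is a placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard key for DMVPN spokes whose public addresses are dynamic
crypto isakmp key <DMVPN_PSK> address 0.0.0.0 0.0.0.0
! Per-peer key for the partner firewall reached through the crypto map
crypto isakmp key <PARTNER_PSK> address 203.0.113.10
!
crypto ipsec transform-set TS-DMVPN esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set TS-PARTNER esp-aes 256 esp-sha-hmac
!
! Profile: no peer and no ACL; it protects whatever is routed into Tunnel0
crypto ipsec profile DMVPN-PROF
 set transform-set TS-DMVPN
!
! Interesting traffic for the static tunnel only (inside LAN to partner LAN).
! Keep this ACL from matching GRE between the tunnel endpoints.
ip access-list extended PARTNER-ACL
 permit ip 10.1.0.0 0.0.255.255 192.168.50.0 0.0.0.255
!
crypto map PARTNER-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-PARTNER
 match address PARTNER-ACL
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.0
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map PARTNER-MAP
!
! Routing protocol over the tunnel decides what enters Tunnel0
router eigrp 100
 network 10.255.0.0 0.0.0.255
```

After applying a configuration like this, `show crypto map` and `show crypto ipsec sa` list the security associations created by the profile and by the map separately, and `show dmvpn` shows the NHRP peers on Tunnel0.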