Re: Multiple crypto maps on the same interface

royalblues · ‎03-23-2006

I have a 3825 router which is connected to site A (172.16.2.14) and site B (172.16.2.10) routers via 2 diffrent links.

I configured crypto maps on the Hub router with differnet sequence numbers with Site A as the primary peer for network 172.32.40.0/24 except 172.32.40.240/28 and site B as Backup.

The network 172.32.40.240/28 has a primary peer to the site B and Site A as backup.

But whenever i configure a second peer on the 2nd crypto map it does not work and tries to connect only to 172.16.2.14 and no to 172.16.2.10.

My configuratrions on the hUb router are as follows

Please let me know if iam missing something in my configurations

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxx address 172.x.x.14

crypto isakmp key xxxx address 172.x.x.10

crypto isakmp keepalive 10 5 periodic

no crypto isakmp ccm

!

crypto ipsec transform-set Schwab esp-3des esp-md5-hmac

!

crypto map Ser0 1 ipsec-isakmp

set peer 172.16.2.14 default

set peer 172.16.2.10

set security-association idle-time 60 default

set transform-set Schwab

match address 115

crypto map Ser0 2 ipsec-isakmp

set peer 172.16.2.10 default

set peer 172.16.2.14

set security-association idle-time 60 default

set transform-set Schwab

match address 116

access-list 115 deny ip host 172.32.40.100 162.93.0.0 0.0.255.255

access-list 115 deny ip host 172.32.40.100 192.168.0.0 0.0.255.255

access-list 115 deny ip host 172.32.40.100 10.0.0.0 0.255.255.255

access-list 115 deny ip 172.32.40.240 0.0.0.15 10.0.0.0 0.255.255.255

access-list 115 deny ip 172.32.40.240 0.0.0.15 162.93.0.0 0.0.255.255

access-list 115 deny ip 172.32.40.240 0.0.0.15 192.168.0.0 0.0.255.255

access-list 115 permit ip 172.32.40.0 0.0.0.255 162.93.0.0 0.0.255.255

access-list 115 permit ip 172.32.40.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 115 permit ip 172.32.40.0 0.0.0.255 10.0.0.0 0.255.255.255

access-list 116 permit ip 172.32.40.240 0.0.0.15 10.0.0.0 0.255.255.255

access-list 116 permit ip 172.32.40.240 0.0.0.15 162.93.0.0 0.0.255.255

access-list 116 permit ip 172.32.40.240 0.0.0.15 192.168.0.0 0.0.255.255

Richard Burts · ‎03-25-2006

Narayan

I believe that there is a simple explanation for your symptoms. All the traffic that would be permitted in access list 116 is also permitted in access list 115. As the crypto map is processed from beginning to end the traffic matches the access list in the first part of the crypto map and never gets to the second part of the crypto map. If you want the second part of the crypto map to see the traffic you need to add this to the beginning of access list 115.

access-list 115 deny ip 172.32.40.240 0.0.0.15 10.0.0.0 0.255.255.255

access-list 115 deny ip 172.32.40.240 0.0.0.15 162.93.0.0 0.0.255.255

access-list 115 deny ip 172.32.40.240 0.0.0.15 192.168.0.0 0.0.255.255

Try it and let us know how it works.

HTH

Rick

HTH

Rick

royalblues · ‎03-25-2006

Hi Rick,

I have denied these traffic from the first access-list. If you go through the 4,5 & 6 th line of access-list 115 u will come to know.