IPSEC Crypto Map interface statement..

CSCO10168280
Level 1

Hi folks,

 

I'm seeing this command on an interface and trying to understand its function:

 

interface GigabitEthernet0/0/0
ip address x.x.x.x 255.255.255.252
ip nat outside
ip access-group vpn_in in
load-interval 30
negotiation auto
crypto map VPN
end

---

There are several crypto map entries named crypto map VPN xxxx, such as:

 

crypto map VPN 1000 ipsec-isakmp
description ::xxxxx:
set peer 111.93.x.x
set security-association lifetime seconds 28800
set transform-set VPN1
match address xxx

 

and these are up but I have other IPSEC configuration for other tunnels that are not listed here and are down.

 

I have those configured on another router along with the same crypto VPN xxx tunnels and they're working but that other router doesn't have this interface "crypto map VPN" statement on it.

 

So I guess my question is why it is needed. Does it just limit the VPN connections to only be from that specific map?

 

6 Replies

Cristian Matei
VIP Alumni

Hi,

 

Crypto-map IPsec VPNs are also known as policy-based IPsec VPNs; the crypto map by itself is just one block within Cisco's implementation of policy-based VPNs; it's the block which triggers the IKE negotiation and the IKE/IPsec tunnels to be built. Only one static crypto map can be applied per interface, and this is not a restriction, you just don't need more than one; each crypto map sequence number entry means one more tunnel built on that interface.

If the other device is also Cisco, and it doesn't have a crypto map applied or configured, it means it's using VTI (Virtual Tunnel Interface) IPsec or IPsec over GRE.

 

Regards,

Cristian Matei.

Thanks,

 

The other device also has policy-based VPNs and route-based VPNs working over the same interface.

 

On this router I have route-based VPNs configured also, but they won't come up. I was wondering what this interface statement did because it's the only difference between the two routers.

 

I suspect it's not needed and might be blocking the route-based VPNs from coming up, but I didn't want to remove it without getting a proper explanation as to the purpose of this specific interface command.

Hi,

 

Ok. If it still doesn't work, provide the following:

- full configuration of the devices
- what IP addresses are used to terminate each VPN tunnel on each side
- what traffic needs to be secured by each VPN tunnel

 

Regards,

Cristian Matei.

Hey thanks,

 

I'm 100% certain that the config is good. I've deployed the same config on the other router and it works.

The only difference is this "crypto map xxx" statement on the egress interface.

 

I was really just asking if anyone knew the exact purpose of this command, because it seems like policy-based VPNs configured in the same way on the other router are still working just the same without it, as well as route-based VPNs, but route-based VPNs are not working on this device with this command in place.

 

This is production so I can't just remove the command to see if it works before fully understanding the exact function of this command.

 

@CSCO10168280 ,

 

The issue you are facing is due to the non-supported feature below:

Physical Interface and Crypto Map
A crypto map on a physical interface is not supported if the physical interface is the source interface of a tunnel protection interface.

 

The conclusion is that route-based and policy-based VPNs can't co-exist on the same physical interface.

You need to remove one.

 

Check out the link below for more information:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html

Please rate if you find my answer useful.

Spooster IT Services Team
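The two technical points raised in this thread, that each crypto map sequence entry corresponds to one policy-based tunnel on the interface, and that Cisco documents a crypto map on a physical interface as unsupported when that interface is also the tunnel source of a tunnel-protection (VTI) interface, can both be checked mechanically from a running config. The script below is an added example written for this page, not code from the thread or from Cisco; the configuration it parses is constructed and uses RFC 5737 documentation addresses, and the block and regex handling is a simplification (it recognises only the interface, crypto map, tunnel source and tunnel protection lines it needs). Note that the thread's actual root cause turned out to be a firewall dropping UDP 500, so a clean result from a check like this rules out the documented restriction but says nothing about path reachability.

```python
"""Lint a Cisco IOS configuration for two things discussed in the thread:
1. how many policy-based tunnels each crypto map defines (one per sequence entry);
2. a physical interface that carries `crypto map <name>` while also being the
   `tunnel source` of an interface configured with `tunnel protection ipsec profile`,
   which Cisco documents as unsupported.
Added example; the sample config is constructed for illustration only.
"""
import re
from collections import defaultdict

# Constructed sample, not any real device's configuration.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface Tunnel100
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel200
 ip address 10.255.0.5 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile VTI-PROF
!
crypto map VPN 1000 ipsec-isakmp
 set peer 203.0.113.30
 set transform-set VPN1
 match address ACL-SITE-A
crypto map VPN 1010 ipsec-isakmp
 set peer 203.0.113.40
 set transform-set VPN1
 match address ACL-SITE-B
"""


def parse_blocks(config):
    """Split an IOS config into (header, [indented body lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith(" "):
            if header is not None:
                body.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = line, []
    if header is not None:
        blocks.append((header, body))
    return blocks


def parse_interfaces(blocks):
    """Map interface name -> the few attributes this check needs."""
    intfs = {}
    for header, body in blocks:
        m = re.match(r"interface (\S+)$", header)
        if not m:
            continue
        info = {"ip": None, "crypto_map": None, "tunnel_source": None,
                "tunnel_protection": False}
        for line in body:
            if (mm := re.match(r"ip address (\S+) \S+$", line)):
                info["ip"] = mm.group(1)
            elif (mm := re.match(r"crypto map (\S+)$", line)):   # interface form only
                info["crypto_map"] = mm.group(1)
            elif (mm := re.match(r"tunnel source (\S+)$", line)):
                info["tunnel_source"] = mm.group(1)
            elif line.startswith("tunnel protection ipsec profile "):
                info["tunnel_protection"] = True
        intfs[m.group(1)] = info
    return intfs


def crypto_map_entries(blocks):
    """Count sequence-number entries per crypto map: one policy-based tunnel each."""
    counts = defaultdict(int)
    for header, _ in blocks:
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", header)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def find_conflicts(intfs):
    """(tunnel, physical, crypto_map) where a tunnel-protection interface sources
    from a physical interface, by name or by its address, that carries a crypto map."""
    conflicts = []
    for tun, tinfo in intfs.items():
        if not tinfo["tunnel_protection"] or tinfo["tunnel_source"] is None:
            continue
        for phys, pinfo in intfs.items():
            if phys == tun or pinfo["crypto_map"] is None:
                continue
            if tinfo["tunnel_source"] in (phys, pinfo["ip"]):
                conflicts.append((tun, phys, pinfo["crypto_map"]))
    return sorted(conflicts)


def lint(config=SAMPLE_CONFIG):
    blocks = parse_blocks(config)
    return {"conflicts": find_conflicts(parse_interfaces(blocks)),
            "crypto_map_entries": crypto_map_entries(blocks)}


if __name__ == "__main__":
    result = lint()
    for tun, phys, cmap in result["conflicts"]:
        print(f"{tun}: tunnel source {phys} also carries 'crypto map {cmap}' "
              "(documented as unsupported)")
    for name, n in result["crypto_map_entries"].items():
        print(f"crypto map {name}: {n} sequence entries -> {n} policy-based tunnels")
```

Against the constructed sample, both tunnel interfaces are flagged, Tunnel100 because it names GigabitEthernet0/0/0 as its source and Tunnel200 because its source address is that interface's address, and crypto map VPN is reported as two policy-based tunnels. Run it against `show running-config` output saved to a file by passing the text to `lint()`.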

Thanks but actually it is working.

 

This particular site has a FW between this router and the internet which all the other sites do not so I wasn't aware.

 

The FW was dropping the UDP 500 packets.

 

Thanks again all. Also, the other router does actually have this interface command; the person that sent it to me copied it from the wrong router.