Showing results for 
Search instead for 
Did you mean: 

Site to Site VPN on Sub-interface using HSRP issue CRYPTO MAP ON INSIDE INTERFACE???

This is my setup. 

I have a sub-interface with private IPs that also uses HSRP.   

I also have "ip nat inside" on the sub interface but have excluded networks going through the VPN. 

I have the VPN source one-to-one NAT to a public IP (not really on my Edge router

The second HSRP router is off to eliminate any extra issues, so Core1 is active (see "show standby brief below)"

The VPN looks up.


It looks like the Crpto map is not catching the Private IPs


If I trace from a computer with the IP of It hits then to the Edge device.  It should not do this, it should go through the VPN


I also made sure that is not being natted on Core1



Configs on Core1

crypto isakmp key TESTKEY address

crypto ipsec transform-set MYSET esp-aes 256 esp-md5-hmac
mode tunnel
crypto map BWI 1 ipsec-isakmp
description To-Remote
set peer
set transform-set MYSET
match address To-Remote-VPN

interface GigabitEthernet0/0/0.100
description Private
encapsulation dot1Q 100
ip address
no ip redirects
ip nat inside
standby 100 ip
standby 100 name Vlan100
standby 100 track 1 decrement 60
cdp enable
crypto map BWI redundancy Vlan100

ip access-list extended To-Remote-VPN
permit ip log


ip access-list extended NAT-SOURCE
deny ip
deny ip host any     //////////////// I do not think I need this but I added just to be safe/////////////
deny ip host any     //////////////// I do not think I need this but I added just to be safe/////////////
permit ip any




Show commands below.


Core1#sho crypto isakmp sa
dst src state conn-id status QM_IDLE 1003 ACTIVE




Core1#sho crypto ipse sa

interface: GigabitEthernet0/0/0.100
Crypto map tag: BWI, local addr

protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.:, remote crypto endpt.:
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0.100
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


/////////////////////////////////////////////as you can see the VPN is up///////////////////////////////////


SCore11#sho stan b
P indicates configured to preempt.
Interface Grp Pri P State Active Standby Virtual IP
Gi0/0/0.10 100 150 P Active local unknown





To recap:

The VPN is up but it seems like the IPs are not hitting the crypto map entering or exiting.  I feel like this is a simple fix.  I feel like I am just overlooking something.  I have setup VPNs hundreds of time but not like this...


If I send packets for the remote side and issue the command "sho crypto ipse sa"  I can see packets getting encrypted and if I issue the same command on Core1 I do not see any packets being decrypted.



Thanks for your input :) 

Everyone's tags (3)
Hall of Fame Guru

Re: Site to Site VPN on Sub-interface using HSRP issue


To be honest I am surprised the VPN is up as I have always applied the crypto map on the outbound interface not the inbound interface as you have. 


I suspect because from inside to outside the packet is first routed so the crypto map on the inside interface is never checked. 




Re: Site to Site VPN on Sub-interface using HSRP issue



I agree with putting the VPN on the outside.  In my case I don't know how it can be done with my topology and need for redundant VPN.  My two (Core1 and Core2) inside interfaces are redundant Via HSRP but my outsides are not (I do not want to buy a 10g Switch to make this possible) (maybe there is a way I don't know of)  So I am trying to engineer a way to have redundant VPN and with out my outside  being redundant I am trying to place it on my inside.


any suggestions or thoughts?



Hall of Fame Guru

Re: Site to Site VPN on Sub-interface using HSRP issue


Depends what you mean by redundant.


You could use HSRP tracking to switch between routers if a WAN link fails but obviously that would mean the VPN tunnel would need to be setup again. 


At the remote end you could configure multiple peer IPs ie. the WAN interface IPs. 


However not sure what would happen if you switched to the other router and then tried to bring up the tunnel again to the same remote peer as it already has a tunnel up as far as it is concerned.