
Crypto-map & ipsec profile compatibility on single router

TRENT WAITE
Level 1

I have 2 separate routers & tunnels I was looking to combine, but I am not familiar enough whether these are compatible to put on a single router. One uses GRE and a crypto-map applied to the outside interface, the other uses a crypto ipsec profile applied to the tunnel interface.

Are these two methods compatible on a single router? In my test it failed, but I did not look too much further as I had assumed that the problem was the 1st tunnel's crypto-map applied to the outside interface would intercept traffic to tunnel 2.

Is this worth trying to find a workaround, or are these two distinctly incompatible? I had assumed both would look at the source & destination to determine which policy to apply, but my test was not successful.

Tunnel #1 (GRE, crypto map on the outside interface):

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
mode transport
!
crypto isakmp key ****** address 6*.23.**.5
!
crypto map TUN0-MAP 10 ipsec-isakmp
set peer 6*.23.**.5
set transform-set T1
match address 150
!
interface Tunnel0
ip address 1.1.1.2 255.255.255.252
tunnel source 10.5.1.55
tunnel destination 6*.23.**.5
!
interface FastEthernet4
ip address 10.5.1.55 255.255.255.0
crypto map TUN0-MAP
!
access-list 150 permit gre host 10.5.1.55 host 6*.23.**.5

Tunnel #2 (VTI, IPsec profile on the tunnel interface):

crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
!
crypto isakmp key ****** address 2*.16.*.5
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set ESP-AES-256-SHA
set pfs group2
!
interface Tunnel1
ip address 2.2.2.1 255.255.255.254
tunnel mode ipsec ipv4
tunnel destination 2*.16.*.5
tunnel protection ipsec profile VTI
!
router bgp 2***1
neighbor 2.2.2.3 remote-as 6502
neighbor 2.2.2.3 default-originate


2 Replies

I don't see any reason why it should not work. Only traffic matching the ACL used for the crypto map should initiate that tunnel, which the VTI would not. Can you provide the output of some debugs ("debug crypto isakmp")?

If you are reconfiguring devices, why not migrate the crypto map to another VTI, thus simplifying and standardising the configuration.

Thanks RJI,

I took a second look and it turns out the vendor had provided a document with an example VTI config. But their example had not included the isakmp profile configuration, which is what I was missing. I had instead included the old format isakmp + key + format. So I had tried to build the tunnel with only the example they provided, and of course it failed. I had only previous experience with crypto-maps; this was my first ipsec tunnel profile.
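The piece the original poster says was missing, written out as an added example (not the poster's or the vendor's configuration): an ISAKMP profile with its own keyring, bound to the IPsec profile that protects Tunnel1, coexisting with the unchanged crypto map from Tunnel #1. The peer address and PSK are placeholders, VTI-KEYRING and VTI-ISAKMP are assumed names, and the tunnel source is assumed to be FastEthernet4, which the posted Tunnel #2 config does not show.

```cisco
! Tunnel #1 stays as posted: crypto map TUN0-MAP on FastEthernet4, with
! ACL 150 matching only GRE between 10.5.1.55 and its peer, so the crypto
! map never claims the VTI's traffic and the two peers keep separate SAs.
!
! Tunnel #2: scope the pre-shared key to an ISAKMP profile instead of a
! global "crypto isakmp key ... address" line. <PEER-IP> and <PSK> are
! placeholders; VTI-KEYRING and VTI-ISAKMP are assumed names.
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
!
crypto keyring VTI-KEYRING
 pre-shared-key address <PEER-IP> key <PSK>
!
crypto isakmp profile VTI-ISAKMP
 keyring VTI-KEYRING
 match identity address <PEER-IP> 255.255.255.255
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
! Binding the ISAKMP profile here is what ties the keyring and identity
! match to this VTI rather than to the crypto map's peer.
crypto ipsec profile VTI
 set transform-set ESP-AES-256-SHA
 set pfs group2
 set isakmp-profile VTI-ISAKMP
!
interface Tunnel1
 ip address 2.2.2.1 255.255.255.254
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination <PEER-IP>
 tunnel protection ipsec profile VTI
```

Once both tunnels are up, "show crypto session" and "show crypto isakmp sa" list the crypto-map peer and the VTI peer as separate sessions, which is the quickest way to confirm neither is intercepting the other's traffic.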
