01-16-2019 08:15 AM - edited 02-21-2020 09:32 PM
I have 2 separate routers & tunnels I was looking to combine, but I am not familiar enough to know whether these are compatible to put on a single router. One uses GRE and crypto-map applied to the outside interface, the other uses crypto-ipsec profile applied to the tunnel interface.
Are these two methods compatible on a single router? In my test it failed, but I did not look too much further as I had assumed that the problem was the 1st tunnel's crypto-map applied to the outside interface would intercept traffic to tunnel 2.
Is this worth trying to find a work around, or are these two distinctly incompatible? I had assumed both would look at the source & destination to determine which policy to apply, but my test was not successful.
Tunnel #1:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto isakmp key ****** address 6*.23.**.5
!
crypto map TUN0-MAP 10 ipsec-isakmp
 set peer 6*.23.**.5
 set transform-set T1
 match address 150
!
interface Tunnel0
 ip address 1.1.1.2 255.255.255.252
 tunnel source 10.5.1.55
 tunnel destination 6*.23.**.5
!
interface FastEthernet4
 ip address 10.5.1.55 255.255.255.0
 crypto map TUN0-MAP
!
access-list 150 permit gre host 10.5.1.55 host 6*.23.**.5

Tunnel #2:

crypto isakmp policy 2
router bgp 2***1
01-16-2019 10:13 AM
01-16-2019 01:18 PM
Thanks RJI,
I took a second look and it turns out the vendor had provided a document with an example VTI config. But their example had not included the isakmp profile configuration, which is what I was missing. I had instead included the old format isakmp + key + format. So I had tried to build the tunnel with only the example they provided, and of course it failed. I had only previous experience with crypto-maps; this was my first ipsec tunnel profile.
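For readers comparing the two styles, here is a sketch of where an ISAKMP profile sits in a VTI configuration placed alongside the Tunnel #1 crypto map. It is an added example, not the poster's or the vendor's configuration. The peer address 203.0.113.10, the 169.254.0.0/30 tunnel addressing, the key placeholder and all TUN1-* / T2 names are constructed assumptions.

```cisco
! Added example. Tunnel #1 (crypto map TUN0-MAP, access-list 150 and the
! global "crypto isakmp key") from the post is left unchanged.
!
! The second peer's pre-shared key goes in a named keyring instead of
! the global key table. Peer address is a constructed placeholder.
crypto keyring TUN1-KEYRING
 pre-shared-key address 203.0.113.10 key <PSK-PLACEHOLDER>
!
! The ISAKMP profile ties that keyring to the peer's identity. This is
! the piece the reply above describes as missing.
crypto isakmp profile TUN1-ISAKMP
 keyring TUN1-KEYRING
 match identity address 203.0.113.10 255.255.255.255
!
crypto ipsec transform-set T2 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! The IPsec profile replaces the crypto map entry: there is no
! "set peer" and no "match address", because the tunnel interface
! supplies the peer and routing selects the traffic.
crypto ipsec profile TUN1-IPSEC
 set transform-set T2
 set isakmp-profile TUN1-ISAKMP
!
interface Tunnel1
 ip address 169.254.0.2 255.255.255.252
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile TUN1-IPSEC
!
! Check before combining: access-list 150 permits only GRE between
! 10.5.1.55 and the Tunnel #1 peer, so the crypto map on FastEthernet4
! selects nothing destined for the second peer.
```

After applying a configuration like this, `show crypto isakmp sa` and `show crypto ipsec sa` list the security associations for each peer separately.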