crypto map local address command

Why do we use the "crypto map local address" command?

VIP Mentor

Most of the time you don't need that command. But there are some deployments where you can use it. For example, you are connected to two ISPs with Provider Independent (PI) addresses. You can terminate the VPN on a loopback that is reachable through both ISPs. While the crypto map is still applied to the physical (outside) interfaces, the router has to know that the loopback is the "logical" termination point. Here you need to configure that command.
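The dual-ISP loopback deployment described in the answer above, as an added IOS configuration example that is not part of the original post. The interface names, the map name VPN, the ACL and transform-set names, the addresses (RFC 5737 documentation ranges) and the key placeholder are all assumptions:

```cisco
! Constructed example: loopback holds the PI address reachable via both ISPs
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! <PRE-SHARED-KEY> is a placeholder; 198.51.100.10 is the assumed remote peer
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Assumed protected networks: local 10.1.0.0/16, remote 10.2.0.0/16
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Without this line the router sources IKE/IPsec from whichever
! physical interface the packet leaves through, so the peer would
! see a different tunnel endpoint per ISP.
crypto map VPN local-address Loopback0
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
! The same crypto map is still applied to both outside interfaces
interface GigabitEthernet0/0
 description Uplink to ISP A
 crypto map VPN
!
interface GigabitEthernet0/1
 description Uplink to ISP B
 crypto map VPN
```

The remote peer has to use the loopback address (192.0.2.1 here) as its `set peer` value, since that is the identity the router now presents regardless of which uplink carries the traffic.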

Thanks Karsten..!! :)

Hello Karsten,

What is the difference between GRE over IPsec & IPsec over GRE...??

VIP Mentor

In most situations I would assume that both refer to the same and only the wrong term is used. But what is it:

GRE over IPsec first encapsulates the packet in GRE and the resulting packet is protected with IPsec. This is very common for the flexibility of GRE (like Multicast and multiple protocol support).

You could also first protect the data with IPsec and then encapsulate that in GRE. But that is quite uncommon.

Hello Karsten,

Can I have one more clear example to explain it more clearly?

Thanks in advance..!!!

VIP Mentor

That is the only use-case I'm aware of at the moment. Perhaps someone else has some more?

Hall of Fame Master

I found a link that identifies another use case for local address:

If Internet Key Exchange is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

Here is the link if you want additional details:

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfipsec.html

It is a bit old but its information is still valid.

HTH

Rick

Beginner

What if you have multiple loopback interfaces that need to be logical termination points? Would this require multiple crypto maps?

Thanks