01-17-2012 11:01 AM
Hi All,
I have a setup with 2x ISR 2811s in the central site acting as static crypto map VPN peers and I have a single site with VPN Concentrator 3000.
The thing is that I cannot set up a backup peer on the VPN Concentrator unless I set it to originate-only.
Originate-only is fine, works for me, but answer-only is not available on 2811s for static crypto-map configurations. Cisco says this is irrelevant for static crypto-maps and applicable for the VTI only. So I ended up configuring the VPN Concentrator as originate-only with two peers, the tunnel is up now, but I am just curious if there could be any potential issue with rekeying or something else because the ISR 2811s cannot maintain answer-only. Again, if the VPN Concentrator side is the initiator-only in terms of crypto-interesting traffic, this is ok for me.
01-17-2012 02:23 PM
We had similar discussion some time ago with another person on forum.
If you want equivalent of answer-only on IOS with crypto maps, you should use dynamic crypto map entry with match ACL specified.
The responder-only functionality is relevant only for tunnel protection setups.
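The dynamic crypto map approach suggested above, written out as an added example (not configuration posted in this thread). A dynamic map entry carries no "set peer", so the router never initiates IKE and can only answer the concentrator, while the match ACL still limits which proxy identities it will accept. Peer address, pre-shared key, ACL, map names and the 2811 interface are placeholders; the same fragment would go on both 2811s.

```cisco
! Added example, not from the thread: IOS "answer-only" behaviour with a crypto map
! by using a dynamic entry. All names, addresses and the key are assumptions.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! Pre-shared key bound to the concentrator's address (203.0.113.10 is a placeholder)
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.10
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Proxy identities the concentrator is allowed to propose (placeholder subnets,
! IOS wildcard masks)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Dynamic entry: no "set peer", so this router cannot initiate the SA;
! "match address" rejects proposals outside VPN-TRAFFIC
crypto dynamic-map DYN 10
 set transform-set TS
 match address VPN-TRAFFIC
!
! Static map referencing the dynamic entry at the lowest priority so any
! explicit static entries on the same map are evaluated first
crypto map CM 65535 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 crypto map CM
```

After the concentrator (still originate-only) brings the tunnel up, "show crypto isakmp sa" and "show crypto ipsec sa" on each 2811 show the SAs; a packet matching VPN-TRAFFIC from the router side while the SA is down is simply dropped rather than triggering IKE, which is the responder-only behaviour the thread is after.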
01-17-2012 03:33 PM
I have two routers in the setup. The tunnel is ok now when the VPN Concentrator is set to originate-only.
My question is if it will be working normally in case if one side is set to originate-only and the other one is bidirectional assuming that in any scenario only one side would initiate traffic.
01-18-2012 03:55 AM
Provided that only one router will talk IPsec at a time, you should be fine.
Just make sure your VPN Concentrator has a decent software version :-)
01-23-2012 06:45 AM
Nope. Not working when one side (VPN Concentrator) is set to originate-only and the opposite side is bi-directional (IOS).
This is really awkward that IOS cannot do answer-only in static crypto map.
Can I post a feature request somehow? I believe not only I need this feature on IOS...
01-23-2012 07:18 AM
Well we typically use dynamic crypto maps when they are supposed to be answer only ;-)
Another thing is that we're trying to move people towards using tunnel protection instead of crypto maps.
That being said, yes you can; the best way is to get your account team involved, as they can file a PER (Product Enhancement Request) for you and raise a business case.
TAC can also file enhancements but without a business case coming from account team they are very low on priority list.