08-30-2005 03:39 AM
I'm trying to configure a new VPN connection on a Cisco 7140 - 12.3(9a).
A VPN for remote users is already configured, and the LAN interface already has the command: crypto map xxxx
I've configured a new crypto map, but it's not possible to have both crypto maps in the interface configuration.
What can I do to have several VPN configurations sharing the same FastEthernet interface?
Thanks.
08-30-2005 04:11 AM
The same crypto map can be used for multiple tunnels.
Suppose your existing crypto map is
crypto map xxx 10 ipsec-isakmp dynamic mymap
Use
crypto map xxx 20 ipsec-isakmp
 set ---
 match ---
for the next tunnel.
HTH
Regards,
Shijo George.
08-30-2005 04:34 AM
OK, so now I have two crypto maps configured (e.g. mymap_1 and mymap_2), but when I attach the crypto map to the interface:
e.g.:
int fastethernet 0/1
 crypto map mymap
it only allows one crypto map to be configured.
Now, how can I attach a new crypto map to the interface?
Do you know what I mean?
Thanks
08-30-2005 04:52 AM
I think my reply was not clear enough...
You can apply ONLY ONE crypto map to an interface. But you can terminate more than one tunnel to an interface using that single crypto map (I believe this is what you want to achieve).
In your case, instead of creating a second crypto map (mymap_2), add the config for the second tunnel to mymap_1 as well.
E.g.:
crypto map mymap_1 10 ipsec-isakmp
(Your first tunnel parameters go here)
crypto map mymap_1 20 ipsec-isakmp
(Your second tunnel parameters go here)
HTH
Regards,
Shijo George.
08-30-2005 10:48 AM
It might help clarify the situation to point out that while an interface can have only a single crypto map, each crypto map can have multiple instances within the map. Each instance within the crypto map is identified by a unique sequence number, and each instance can define a unique set of processing parameters for IPSec (you can specify different peers, different transforms, different lifetimes, different access lists, or whatever you might need). So you can have 2 sets of requirements by having 2 sequence numbers (10 and 20):
crypto map mymap_1 10 ipsec-isakmp
[whatever parameters are needed for the first requirement]
crypto map mymap_1 20 ipsec-isakmp
[whatever parameters are needed for the second requirement]
HTH
Rick
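Added example, not part of the original thread or any poster's configuration: the single-map layout described in the replies above, written out as a full IOS configuration with two static tunnels and the existing remote-user dynamic map. Map and ACL names, keys, sequence numbers and the documentation-range addresses are constructed; the dynamic entry is given the highest sequence number, the ordering Cisco recommends so that static peers are matched first.

```cisco
! Constructed example: every name, key and address below is a placeholder.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
! One pre-shared key per static peer (placeholders, not real keys)
crypto isakmp key KEY_SITE_A_PLACEHOLDER address 192.0.2.10
crypto isakmp key KEY_SITE_B_PLACEHOLDER address 198.51.100.20
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
! One traffic-selector ACL per tunnel
ip access-list extended SITE_A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended SITE_B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! Existing remote-user VPN stays a dynamic map; its own
! authentication settings are unchanged and not repeated here.
crypto dynamic-map REMOTE_USERS 10
 set transform-set AES256
!
! ONE crypto map, three entries distinguished by sequence number
crypto map mymap_1 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set AES256
 match address SITE_A
crypto map mymap_1 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set AES256
 match address SITE_B
! Dynamic entry last (highest sequence number = lowest priority)
crypto map mymap_1 65000 ipsec-isakmp dynamic REMOTE_USERS
!
! The interface still carries a single crypto map statement
interface FastEthernet0/1
 crypto map mymap_1
```

`show crypto map` lists every sequence entry under mymap_1 together with the interface using it, which confirms that all three entries are active on the one interface.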
01-11-2011 09:14 AM
Hi:
I am trying to lab up a Dynamic crypto scenario but it is not working.
I have Router 1 connected to Router 2 via Router 3 - Router 3 is "acting" like a SP for Routers 1 and 2.
What I want to do is to enable other routers (Routers 4, 5, etc.) to establish IPSec sessions to Router 1, which would act like a "hub" router.
Thus a dynamic crypto map on router R1 should do the trick.
This is only to test if remote routers establish IPSec sessions to one single "hub" router.
Config for R1:
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
crypto isakmp key CISCO address 172.16.23.2
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 100
 set transform-set AES256
 match address ACL
!
!
crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP
!
ip access-list extended ACL
 permit udp host 172.1.1.1 any
!
interface Serial1/1
 description "to R3 s1/2"
 ip address 172.16.13.1 255.255.255.0
 serial restart-delay 0
 crypto map MYMAP
!
**************************************************************
Config for R2:
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
crypto isakmp key CISCO address 172.16.13.1
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto map MYMAP local-address Serial1/1
crypto map MYMAP 100 ipsec-isakmp
 set peer 172.16.13.1
 set transform-set AES256
 match address ACL
!
ip access-list extended ACL
 permit udp host 172.2.2.2 host 172.1.1.1
!
interface Serial1/1
 description "to R3 s1/1"
 ip address 172.16.23.2 255.255.255.0
 serial restart-delay 0
 crypto map MYMAP
!
**************************************************************
Thx.
-Roger