Cisco 7140 - Configuring several crypto map on same interface

feliperodero
Level 1

I'm trying to configure a new VPN connection on a Cisco 7140 running 12.3(9a).

There is already a VPN configured for remote users, and the LAN interface has the command: crypto map xxxx

I've configured a new crypto map, but it's not possible to have both crypto maps in the interface configuration.

How can I have several VPN configurations sharing the same FastEthernet interface?

Thanks.

5 Replies

shijogeorge
Level 1

The same crypto map can be used for multiple tunnels.

Suppose your existing crypto map is

crypto map xxx 10 ipsec-isakmp dynamic mymap

Use

crypto map xxx 20 ipsec-isakmp

set ---

match ---

for the next tunnel.

HTH

Regards,

Shijo George.

OK, so now I have two crypto maps configured (e.g. mymap_1 and mymap_2), but when I attach a crypto map to the interface:

e.g.:

int fastethernet 0/1

crypto map mymap

it only allows one crypto map to be configured.

Now, how can I attach a new crypto map to the interface?

Do you know what I mean?

Thanks

I think my reply was not clear enough...

You can apply ONLY ONE crypto map to an interface. But you can terminate more than one tunnel to an interface using that single crypto map (I believe this is what you want to achieve).

In your case, instead of creating a second crypto map (mymap_2), also add the config for the second tunnel to mymap_1.

Eg:

crypto map mymap_1 10 ipsec-isakmp

(Your first tunnel parameters go here)

crypto map mymap_1 20 ipsec-isakmp

(Your second tunnel parameters go here)

HTH

Regards,

Shijo George.

It might help clarify the situation to point out that while an interface can have only a single crypto map, each crypto map can have multiple instances within the map. Each instance within the crypto map is identified by a unique sequence number, and each instance can define a unique set of processing parameters for IPsec (you can specify different peers, different transforms, different lifetimes, different access lists, or whatever you might need). So you can have 2 sets of requirements by having 2 sequence numbers (10 and 20):

crypto map mymap_1 10 ipsec-isakmp

[whatever parameters are needed for the first requirement]

crypto map mymap_1 20 ipsec-isakmp

[whatever parameters are needed for the second requirement]

HTH

Rick


Hi:

I am trying to lab up a dynamic crypto scenario, but it is not working.

I have Router 1 connected to Router 2 via Router 3; Router 3 is "acting" like an SP for Routers 1 and 2.

What I want to do is enable other routers (Routers 4, 5, etc.) to establish IPsec sessions to Router 1, which would act like a "hub" router.

Thus a dynamic crypto map on Router 1 should do the trick.

This is only to test whether remote routers establish IPsec sessions to one single "hub" router.

Config for R1:

crypto isakmp policy 100
encr aes 256
authentication pre-share
crypto isakmp key CISCO address 172.16.23.2
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto dynamic-map DYNMAP 100
set transform-set AES256
match address ACL
!
!
crypto map MYMAP 100 ipsec-isakmp dynamic DYNMAP
!

ip access-list extended ACL
permit udp host 172.1.1.1 any

!

interface Serial1/1
description "to R3 s1/2"
ip address 172.16.13.1 255.255.255.0
serial restart-delay 0
crypto map MYMAP

!

**************************************************************

Config for R2:

crypto isakmp policy 100
encr aes 256
authentication pre-share
crypto isakmp key CISCO address 172.16.13.1
!
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
crypto map MYMAP local-address Serial1/1
crypto map MYMAP 100 ipsec-isakmp
set peer 172.16.13.1
set transform-set AES256
match address ACL

!

ip access-list extended ACL
permit udp host 172.2.2.2 host 172.1.1.1

!

interface Serial1/1
description "to R3 s1/1"
ip address 172.16.23.2 255.255.255.0
serial restart-delay 0
crypto map MYMAP

!

**************************************************************

Thx.

-Roger
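As an added example that is not part of the thread, the following hub configuration ties together Rick's point (one crypto map per interface, several entries distinguished by sequence number) and Roger's hub scenario: one static entry for the known peer R2 and one dynamic entry for any further spokes, both under a single map applied once to the WAN interface. It is constructed for illustration, not taken from any poster's config; the addresses, ACL names, the internal subnets 10.1.0.0/16 and 10.2.0.0/16, and the key CISCO are assumptions.

```cisco
! Hub (R1) - constructed example, not from the thread; addresses and names are assumptions.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Key for the known static peer (R2). The more specific address is preferred over the wildcard.
crypto isakmp key CISCO address 172.16.23.2
! Wildcard key so unknown spokes (R4, R5, ...) can authenticate against the dynamic entry.
! Caveat: any host that knows this key can bring up an SA; prefer per-peer keys or certificates
! outside a lab.
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
!
! Traffic selector for the static tunnel. It must be the exact mirror of R2's ACL,
! and it must not overlap the traffic the dynamic spokes will propose.
ip access-list extended R2-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Dynamic template: no 'set peer' and no 'match address' here, the spoke proposes both.
! 'reverse-route' injects a route to the spoke's proxy network when its SA comes up,
! otherwise the hub has no route back to the spoke LAN.
crypto dynamic-map DYNMAP 10
 set transform-set AES256
 reverse-route
!
! One map, two entries. The static entry gets the lower sequence number; the dynamic
! catch-all gets the highest so it is evaluated last and never shadows a static peer.
crypto map MYMAP 10 ipsec-isakmp
 set peer 172.16.23.2
 set transform-set AES256
 match address R2-TRAFFIC
crypto map MYMAP 65535 ipsec-isakmp dynamic DYNMAP
!
interface Serial1/1
 description "to R3 s1/2"
 ip address 172.16.13.1 255.255.255.0
 crypto map MYMAP
!
! Verification once a spoke has connected:
! show crypto map         - both entries listed under MYMAP, one interface using it
! show crypto isakmp sa   - one QM_IDLE line per peer
! show crypto ipsec sa    - per-peer SAs with the negotiated local/remote identities
```

Each spoke keeps a normal static entry (`set peer 172.16.13.1`, its own transform set and a mirrored `match address` ACL), exactly as in Roger's R2 config above; on the hub side it simply lands on sequence 65535. A spoke whose ACL also matches 10.1.0.0/16 to 10.2.0.0/16 would collide with entry 10, so keep the static selectors and the dynamic spokes' networks disjoint.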