Crypto map and VTI on same interface with 0.0.0.0 for IP peer address

aacole
Level 5

I have a router using 15.1(4)M12a, currently using VTI with a pre-shared key peer address of 0.0.0.0.

I want to add a remote access IPSec VPN connection to this, with a different pre-shared key but again with 0.0.0.0 as peer address.

I found this post, "Using Crypto Maps and IPsec Static VTI's on the same router" (Cisco Community), which shows this is possible, but in this example the peer addresses are specified.

My question is, will the different pre-shared key be sufficient to distinguish between VTI and remote access clients?

The router only has one Internet facing interface. I want to use the Windows 10 IPSec pre-shared client for remote access.

1 Reply

M02@rt37
VIP

Hello @aacole

Using a different pre-shared key for the remote access IPSec VPN connection should be sufficient to distinguish it from the VTI connection that is also using a pre-shared key with a peer address of 0.0.0.0. As long as the remote access VPN client is configured to use the correct pre-shared key, the router should be able to differentiate between the two connections.

However, it's recommended to use a different peer address for the remote access VPN connection if possible, rather than relying solely on the pre-shared key to differentiate between the two connections. This can help to avoid potential conflicts or confusion in the future (as far as I am concerned). If you can assign a specific IP address to the remote access VPN client and use that as the peer address, that would be ideal.

Best regards