crypto map local address command

sachinmhatre011
Level 1

Why do we use the "crypto map local address" command?

8 Replies

Most of the time you don't need that command. But there are some deployments where you can use it. For example, you are connected to two ISPs with Provider Independent (PI) addresses. You can terminate the VPN on a loopback that is reachable through both ISPs. While the crypto map is still applied to the physical (outside) interfaces, the router has to know that the loopback is the "logical" termination point. Here you need to configure that command.

Thanks Karsten..!! :)

Hello Karsten,

What is the difference between GRE over IPsec and IPsec over GRE?

In most situations I would assume that both refer to the same thing and only the wrong term is used. But what is it:

GRE over IPsec first encapsulates the packet in GRE and the resulting packet is protected with IPsec. This is very common for the flexibility of GRE (like Multicast and multiple protocol support).

You could also first protect the data with IPsec and then encapsulate that in GRE. But that is quite uncommon.

Hello Karsten,

Can I have one more clear example to explain it more clearly?

Thanks in advance..!!!

That is the only use-case I'm aware of at the moment. Perhaps someone else has some more?

I found a link that identifies another use case for local address:

If Internet Key Exchange is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

Here is the link if you want additional details

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfipsec.html

It is a bit old but its information is still valid.

HTH

Rick

What if you have multiple loopback interfaces that need to be logical termination points? Would this require multiple crypto-maps?

Thanks