Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5458
Views
0
Helpful
8
Replies

crypto map local address command

sachinmhatre011
Level 1
Level 1

‎06-19-2017 12:20 PM

Why do w e use " crypto map local address command"

4 people had this problem
Labels:
0 Helpful
8 Replies 8

Karsten Iwen
VIP
VIP

‎06-19-2017 01:58 PM

Most of the times you don't need that command. But there are some deployments where you can use it. For example you are connected to two ISPs with Provider Independent (PI) addresses. You can terminate the VPN on a loopback that is reachable through both ISPs. While the crypto map is still applied to the physical (outside) interfaces, the router has to know that the loopback is the "logical" termination-point. Here you need to configure that command.

0 Helpful

sachinmhatre011
Level 1
Level 1
In response to Karsten Iwen

‎06-19-2017 04:25 PM

Thanks Karsten..!! :)

0 Helpful

sachinmhatre011
Level 1
Level 1
In response to sachinmhatre011

‎06-21-2017 04:30 PM

Hello Karsten,

What is the difference between GRE over IPsec & IPsec over GRE...??

0 Helpful

Karsten Iwen
VIP
VIP
In response to sachinmhatre011

‎06-25-2017 12:01 PM

In most situations I would assume that both refer to the same and only the wrong term is used. But what is it:

GRE over IPsec first encapsulates the packet in GRE and the resulting packet is protected with IPsec. This is very common for the flexibility of GRE (like Multicast and multiple protocol support).

You could also first protect the data with IPsec and then encapsulate that in GRE. But that is quite uncommon.

0 Helpful

sachinmhatre011
Level 1
Level 1
In response to Karsten Iwen

‎06-19-2017 04:30 PM

Hello Karsten,

Can I have one more clear example to explain it more clearly.

Thanks in advance..!!!

0 Helpful

Karsten Iwen
VIP
VIP
In response to sachinmhatre011

‎06-20-2017 01:02 AM

That is the only use-case I'm aware of at the moment. Perhaps someone else has some more?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Karsten Iwen

‎06-25-2017 01:07 PM

I found a link that identifies another use case for local address

If Internet Key Exchange is enabled and you are using a certification authority (CA) to obtain certificates, this should be the interface with the address specified in the CA certificates.

Here is the link if you want additional details

http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfipsec.html

It is a bit old but its information is still valid.

HTH

Rick

HTH

Rick
0 Helpful

bnv1
Level 1
Level 1
In response to Karsten Iwen

‎10-24-2018 09:29 AM

What if you have multiple loopback interfaces that need to be logical termination points. Would this require multiple crypto-maps? 

 

Thanks

0 Helpful
Customers Also Viewed These Support Documents