Crypto Map with Tunnel IPSec

WerllenSilva (Level 1)

Hello Everyone !!

I have a question about what normally happens in these 2 cases.

I have a router that uses a Crypto Map on the physical interface and a tunnel configured without encryption.

On another router, I don't have a Crypto Map on the interface, but I have an Ipsec directly on the tunnel.

My question is: how is it working? I'm trying to perform the same configuration for a new implementation and the tunnel doesn't stay UP; I managed to close phase 1, but phase 2 couldn't be closed.

I compared the router that was already configured and I don't see any ACL configuration.

Accepted Solutions

M02@rt37 (VIP)

Hello @WerllenSilva 

It's common to use a Crypto Map on the physical interface to define the IPsec parameters for multiple VPN tunnels. A Crypto Map typically includes entries for interesting traffic, transform sets, and a reference to the remote peer.

In some scenarios, IPsec settings can be applied directly on the tunnel interface without using a Crypto Map on the physical interface. This approach is often used when you have a single VPN tunnel and prefer to configure IPsec parameters directly on the tunnel interface.

Choose one way and apply it on both ends first. When establishing a VPN tunnel using IPsec, it's crucial that both ends have compatible and mirrored configurations for the VPN parameters. If one side is configured with IPsec directly on the tunnel interface, while the other side uses a Crypto Map on the physical interface, this asymmetry can cause issues in the negotiation process.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

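As an added example (not a configuration from the thread, from Cisco, or from any poster), this shows the two mirrored styles M02@rt37 describes for Router A, with the crypto map ACL scoped to the GRE endpoints only, as MHM explains below; interface names, addresses and the pre-shared-key placeholder are assumptions.

```cisco
! Added example, not from the thread. Router A is 10.0.0.1, Router B is 20.0.0.1,
! LAN A is 192.168.1.0/24 and LAN B is 192.168.2.0/24 (all constructed values).
! Choose ONE style and mirror it on Router B with the addresses swapped.
!
! Common to both styles: IKEv1 phase 1 and the IPsec transform set.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 20.0.0.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! Style 1: crypto map on the physical interface, plain GRE tunnel.
! The ACL matches only the GRE packets between the two tunnel endpoints, so it
! cannot overlap with other crypto map entries for other peers on Gi0/0.
! LAN traffic routed into Tunnel0 is protected because its GRE wrapper hits
! the ACL; the LAN prefixes themselves are NOT in the crypto ACL.
ip access-list extended GRE-TO-B
 permit gre host 10.0.0.1 host 20.0.0.1
crypto map CM 10 ipsec-isakmp
 set peer 20.0.0.1
 set transform-set TS-AES
 match address GRE-TO-B
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map CM
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 20.0.0.1
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Style 2: IPsec applied on the tunnel itself (tunnel protection), no crypto
! map on Gi0/0 and no crypto ACL; everything routed into Tunnel0 is protected.
crypto ipsec profile PROF-B
 set transform-set TS-AES
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 20.0.0.1
 tunnel protection ipsec profile PROF-B
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Verify on either style: "show crypto isakmp sa" for phase 1 (QM_IDLE) and
! "show crypto ipsec sa" for the phase 2 SA with encaps/decaps counters rising.
```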

I'm going this way because I can't configure the Crypto Map on the router because other tunnels will be affected.

This may be the answer to your question.

You used the interface as the tunnel source and you need a crypto map for this interface?

Go ahead, friend, there is no conflict at all.

The crypto map ACL permits the local and remote LAN.

For the tunnel there is no ACL; the traffic goes directly via the tunnel.

The only case is if you route the remote LAN via the tunnel and also permit it in the ACL of the crypto map; that is an issue, but I don't think this is your case.

MHM


@WerllenSilva you cannot arbitrarily configure different types of VPN on the peer devices and expect them to work, as they behave differently. Can you provide the configuration so we can confirm whether it should work and determine what the issue is?

You can enable a crypto map without affecting the other Tunnel interfaces, so long as the ACL defining interesting traffic does not overlap (which it should not); this is not recommended by Cisco though.


7 Replies

The tunnel is one way, but IPsec is peer to peer.

Having one side with IPsec under the tunnel and the other side with a crypto map under the real interface will not work, I think.

Why do you try this way?

@WerllenSilva there are multiple types of VPNs you can configure. In your first example, this sounds like "GRE over IPSec", the second example could be "GRE over IPSec with Tunnel Protection" or a VTI, or less common a "Multi-SA Virtual Tunnel Interface". You'd be better providing your configurations and more information so we can determine what exactly is configured and why it's not working.



WerllenSilva (Level 1)

Hello Guys,

Thank you for the help.

I'm going this way because I can't configure the Crypto Map on the router because other tunnels will be affected.

But following the configuration already made in the tunnels that are working, this is very strange.

In my laboratory I can close phase 1 and the tunnel is up/up on the side that is using the Crypto Map.

Tunnel3004 1.1.1.2 YES NVRAM up up

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
20.0.0.1 10.0.0.1 QM_IDLE 1001 0 ACTIVE

But on the side that uses a VPN tunnel using IPSEC, it is up/down.

I think that the traffic is not matching the ACL, so I configured an any any on the Crypto Map side and it is not working.

When I use the Crypto Map on both sides, the tunnel works fine. Same when I configured IPSEC VPN.



WerllenSilva (Level 1)

Hello,

I really appreciate the help, I will use the Multi-SA Virtual Tunnel Interface, the configuration applied worked as expected, thank you everyone.