Rahul,

pokwan · ‎01-22-2017

Hi,

Can we have different crypto maps to different interfaces as per config below?

crypto ipsec transform-set SET1　esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000
crypto map map1 20 match address site1l2l
crypto map map1　20 set peer　x1.x1.x1.x1
crypto map map1　20 set transform-set　SET1
crypto map map1　interface outside

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800

tunnel-group x1.x1.x1.x1　type ipsec-l2l
tunnel-group x1.x1.x1.x1 ipsec-attributes
pre-shared-key *****

crypto ipsec transform-set SET2　esp-3des esp-md5-hmac

crypto map map2　30 match address site2l2l
crypto map map2　30 set peer　x2.x2.x2.x2
crypto map map2　30 set transform-set　SET2

crypto map map2　interface perim

crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group x2.x2.x2.x2　type ipsec-l2l
tunnel-group x2.x2.x2.x2 ipsec-attributes
pre-shared-key *****

Thanks.

PF

Rahul Govindan · ‎01-23-2017

Yes, this is definitely a supported config. This is commonly used for backup ISP VPN connection.

pokwan · ‎01-23-2017

Rahul,

Thank-you for confirming.

PF

bonesquall01 · ‎06-01-2022

Thanks for this information, it is really help me to understand the behavior using crypto map in different interfaces (outside) with policy-based ikev2 l2l vpn, when you are not using routed based vpn.

Crypto maps to different interfaces