01-22-2017 08:42 PM
Hi,
Can we have different crypto maps to different interfaces as per config below?
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map map1 20 match address site1l2l
crypto map map1 20 set peer x1.x1.x1.x1
crypto map map1 20 set transform-set SET1
crypto map map1 interface outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
tunnel-group x1.x1.x1.x1 type ipsec-l2l
tunnel-group x1.x1.x1.x1 ipsec-attributes
 pre-shared-key *****
crypto ipsec transform-set SET2 esp-3des esp-md5-hmac
crypto map map2 30 match address site2l2l
crypto map map2 30 set peer x2.x2.x2.x2
crypto map map2 30 set transform-set SET2
crypto map map2 interface perim
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group x2.x2.x2.x2 type ipsec-l2l
tunnel-group x2.x2.x2.x2 ipsec-attributes
 pre-shared-key *****
Thanks.
PF
01-23-2017 04:36 AM
Yes, this is definitely a supported config. This is commonly used for a backup ISP VPN connection.
01-23-2017 09:54 PM
Rahul,
Thank you for confirming.
PF
06-01-2022 09:32 PM
Thanks for this information; it really helps me understand the behavior of using crypto maps on different interfaces (outside) with policy-based IKEv2 L2L VPN when you are not using route-based VPN.
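Added example (not part of the original thread and not Cisco tooling): a small Python consistency check for a configuration like the one in the question, confirming that each crypto map entry is complete, is applied to an interface, and has a matching l2l tunnel-group. It assumes the thread's `set transform-set` syntax and one peer per entry, and relies on the ASA allowing only one crypto map per interface; the `audit` function and the sample text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the configuration in the question
# (peer addresses are the thread's own placeholders).
SAMPLE = """\
crypto map map1 20 match address site1l2l
crypto map map1 20 set peer x1.x1.x1.x1
crypto map map1 20 set transform-set SET1
crypto map map1 interface outside
tunnel-group x1.x1.x1.x1 type ipsec-l2l
crypto map map2 30 match address site2l2l
crypto map map2 30 set peer x2.x2.x2.x2
crypto map map2 30 set transform-set SET2
crypto map map2 interface perim
tunnel-group x2.x2.x2.x2 type ipsec-l2l
"""

ENTRY = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
BIND = re.compile(r"^crypto map (\S+) interface (\S+)")
TGROUP = re.compile(r"^tunnel-group (\S+) type ipsec-l2l")
REQUIRED = {"match address", "set peer", "set transform-set"}

def audit(config):
    entries = defaultdict(dict)   # (map name, sequence) -> {keyword: value}
    by_iface = defaultdict(set)   # interface -> crypto map names applied to it
    tgroups = set()               # peers that have an ipsec-l2l tunnel-group
    for line in config.splitlines():
        line = line.strip()
        if m := ENTRY.match(line):
            entries[(m[1], m[2])][m[3]] = m[4]
        elif m := BIND.match(line):
            by_iface[m[2]].add(m[1])
        elif m := TGROUP.match(line):
            tgroups.add(m[1])
    findings = []
    bound = set().union(*by_iface.values())
    for iface, maps in sorted(by_iface.items()):
        if len(maps) > 1:  # only one crypto map can be active per interface
            findings.append(f"interface {iface}: multiple crypto maps {sorted(maps)}")
    for (name, seq), kv in sorted(entries.items()):
        for kw in sorted(REQUIRED - kv.keys()):
            findings.append(f"{name} {seq}: missing '{kw}'")
        if name not in bound:
            findings.append(f"{name} {seq}: map not applied to any interface")
        peer = kv.get("set peer")
        if peer and peer not in tgroups:
            findings.append(f"{name} {seq}: no ipsec-l2l tunnel-group for peer {peer}")
    return findings
```

An empty list from `audit(SAMPLE)` means the two maps are each complete and bound to their own interface, which is the layout confirmed as supported above.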