01-07-2016 08:45 PM
I need to apply a dynamic and a static crypto map to one interface. Is it possible?
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key hronov address 50.76.65.124
crypto isakmp key pardubice address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DYN-TS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map DYN 10
 set transform-set DYN-TS
!
crypto map IPSEC 10 ipsec-isakmp dynamic DYN
!
crypto map GRE_AND_IPSEC 11 ipsec-isakmp
 set peer 50.76.65.124
 set transform-set ESP_3DES_MD5
 match address GRE
Accepted Solutions
01-07-2016 09:29 PM
Yes. Slightly changed.
Make the site-to-site key so it cannot be used for xauth (aka client authentication).
crypto isakmp key hronov address 50.76.65.124 no-xauth
Make the specific site-to-site crypto map come first (priority 10 in this case).
crypto map IPSEC 10 ipsec-isakmp
 set peer 50.76.65.124
 set transform-set ESP_3DES_MD5
 match address GRE
Make the dynamic map low priority (60000 in this case).
crypto map IPSEC 60000 ipsec-isakmp dynamic DYN
01-07-2016 09:53 PM
Thank you so much, it's working.
Can you please explain to me what no-xauth does?
01-07-2016 10:06 PM
If you enable a dynamic crypto map and a connection comes in, the router challenges it, asking for a username/password. Site-to-site VPN connections have no such concept. no-xauth says don't challenge for a username/password for this specific IP address and key.
01-07-2016 10:16 PM
Thanks.
