Re: Help converting router based crypto map vpns to crypto profile vpns

kpruett · ‎04-30-2018

I currently have a need to set just one tunnel on a two tunnel router based vpn setup to be responder-only. I see where that command must be made to a profile, but I'm struggling on how to convert my older map based two tunnel setup to a profile based setup with just one tunnel in responder-only mode.

Current scrubbed config:

crypto isakmp policy 10
encr aes 192
authentication pre-share
group 2

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp key password12345 address 2.2.2.1
crypto isakmp key password54321 address 3.3.3.1

crypto ipsec transform-set tunnel-one-trans esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set tunnel-two-trans esp-aes 256 esp-sha-hmac
mode tunnel

crypto map VPNMAP 10 ipsec-isakmp
description to tunnel endpoint one
set peer 2.2.2.1
set transform-set tunnel-one-trans
set pfs group2
match address Tunnel-One-SA-List

crypto map VPNMAP 20 ipsec-isakmp
description to tunnel endpoint two
set peer 3.3.3.1
set transform-set tunnel-two-trans
set pfs group2
match address Tunnel-Two-SA-List

interface GigabitEthernet0/0/0.10
description my wan address
encapsulation dot1Q 10
ip address 4.4.4.1 255.255.255.254
ip nat outside
crypto map VPNMAP

ip nat pool INSIDE_USER_PAT 200.200.200.127 200.200.200.127 netmask 255.255.255.128
ip nat inside source static 10.0.0.1 200.200.200.2
ip nat inside source static 10.0.0.2 200.200.200.3
ip nat inside source list 1 pool INSIDE_USER_PAT overload
ip nat inside source list nat_nonat interface GigabitEthernet0/0/0.10 overload

ip access-list extended Tunnel-Two-SA-List
permit ip 200.200.200.0 0.0.0.127 10.100.0.0 0.0.0.255
ip access-list extended Tunnel-One-SA-List
permit ip 200.200.200.0 0.0.0.127 10.200.0.0 0.0.0.255
ip access-list extended nat_nonat
permit ip host 200.200.200.127 any

Josue Brenes · ‎05-01-2018

Hi Kpruett,

If you meant that you need to modify the tunnel to be route-based; plus, you need to be responder only, the configuration is pretty simple.

Static Virtual Tunnel Interface with IPsec: Example
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

For the ISAKMP phase (phase1), you can use the same parameters already configured:
crypto isakmp policy 10
encr aes 192
authentication pre-share
group 2

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2

crypto isakmp key password12345 address 2.2.2.1
crypto isakmp key password54321 address 3.3.3.1

For the IPSEC phase(phase2) you need to get rid of the crypto map and configure a tunnel interface and an ipsec profile which is placed under the tunnel interface:

crypto ipsec profile ipsec_profile
set transform-set tunnel-one-trans
set pfs group2
responder-only

interface Tunnel0
ip address X.X.X.X X.X.X.X
tunnel source X.X.X.X (WAN IP)
tunnel destination 2.2.2.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_profile

Lastly, regarding the ACL you have on the crypto map(interesting traffic) for the routed-based VPN, it is based on routes which means that you need to either configure a routing protocol (ospf,eigrp) or configure static routes.

Rate if it helps.

Regards,
Josue Brenes
TAC - VPN Engineer.

kpruett · ‎05-02-2018

This helps a bit but I am not sure if I understand how to implement it. The remote side of these tunnels is across a vendor exchange, we're using NAT on these tunnels as well since the remote vendor we connect to requires no RFC 1918 addressing. Note interface GigabitEthernet0/0/0.10

So we have a lone IP on that interface used as the endpoint IP for two tunnels. For VTI, how does the incoming connection reach the tunnel interface? Must that be advertised outbound (i.e. Public?)

Since I have two tunnels, but only one needing responder-only, would that mean I need a separate tunnel interface to bind that VTI to? I'm assuming that means if I have to get rid of the crypto MAP, both tunnels would need to be converted to VTI.

And how do I handle NATing my traffic between the orgs once using VTI as the tunnel mode?