Help converting router based crypto map vpns to crypto profile vpns

kpruett
Level 1

I currently have a need to set just one tunnel on a two-tunnel router-based VPN setup to be responder-only. I see that that command has to be applied to a profile, but I'm struggling with how to convert my older map-based two-tunnel setup to a profile-based setup with just one tunnel in responder-only mode.

Current scrubbed config:

crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key password12345 address 2.2.2.1
crypto isakmp key password54321 address 3.3.3.1
!
crypto ipsec transform-set tunnel-one-trans esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set tunnel-two-trans esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPNMAP 10 ipsec-isakmp
 description to tunnel endpoint one
 set peer 2.2.2.1
 set transform-set tunnel-one-trans
 set pfs group2
 match address Tunnel-One-SA-List
crypto map VPNMAP 20 ipsec-isakmp
 description to tunnel endpoint two
 set peer 3.3.3.1
 set transform-set tunnel-two-trans
 set pfs group2
 match address Tunnel-Two-SA-List
!
interface GigabitEthernet0/0/0.10
 description my wan address
 encapsulation dot1Q 10
 ip address 4.4.4.1 255.255.255.254
 ip nat outside
 crypto map VPNMAP
!
ip nat pool INSIDE_USER_PAT 200.200.200.127 200.200.200.127 netmask 255.255.255.128
ip nat inside source static 10.0.0.1 200.200.200.2
ip nat inside source static 10.0.0.2 200.200.200.3
ip nat inside source list 1 pool INSIDE_USER_PAT overload
ip nat inside source list nat_nonat interface GigabitEthernet0/0/0.10 overload
!
ip access-list extended Tunnel-Two-SA-List
 permit ip 200.200.200.0 0.0.0.127 10.100.0.0 0.0.0.255
ip access-list extended Tunnel-One-SA-List
 permit ip 200.200.200.0 0.0.0.127 10.200.0.0 0.0.0.255
ip access-list extended nat_nonat
 permit ip host 200.200.200.127 any

2 Replies

Josue Brenes
Cisco Employee

Hi Kpruett,

If you meant that you need to modify the tunnel to be route-based and, in addition, that it needs to be responder-only, the configuration is pretty simple.

Static Virtual Tunnel Interface with IPsec: Example
https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

For the ISAKMP phase (phase 1), you can use the same parameters already configured:

crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key password12345 address 2.2.2.1
crypto isakmp key password54321 address 3.3.3.1

For the IPsec phase (phase 2) you need to get rid of the crypto map and configure a tunnel interface and an IPsec profile, which is placed under the tunnel interface:

crypto ipsec profile ipsec_profile
 set transform-set tunnel-one-trans
 set pfs group2
 responder-only
!
interface Tunnel0
 ip address X.X.X.X X.X.X.X
 tunnel source X.X.X.X (WAN IP)
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec_profile

Lastly, regarding the ACL you have on the crypto map (interesting traffic): for the route-based VPN it is based on routes, which
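The complete conversion for both tunnels, as an added example that is not part of the original question, the reply above, or Cisco's documentation. It assumes that the tunnel to 2.2.2.1 (tunnel one) is the one that must be responder-only and that the tunnel to 3.3.3.1 keeps initiating normally; that the tunnel interfaces borrow the WAN address with `ip unnumbered` (the numbers Tunnel0/Tunnel1, the profile names and that addressing choice are all assumptions); and that the remote peers are expected to keep seeing the translated 200.200.200.0/25 addresses, as the original crypto ACLs imply.

```cisco
! Phase 1 is unchanged. Policies and pre-shared keys are still selected
! by peer address, which is now the tunnel destination.
crypto isakmp policy 10
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key password12345 address 2.2.2.1
crypto isakmp key password54321 address 3.3.3.1
!
crypto ipsec transform-set tunnel-one-trans esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set tunnel-two-trans esp-aes 256 esp-sha-hmac
 mode tunnel
!
! One profile per tunnel, so that responder-only applies to tunnel one only.
! Profile names are assumptions.
crypto ipsec profile PROFILE-TUNNEL-ONE
 set transform-set tunnel-one-trans
 set pfs group2
 responder-only
crypto ipsec profile PROFILE-TUNNEL-TWO
 set transform-set tunnel-two-trans
 set pfs group2
!
! Removing the crypto map from the WAN subinterface tears down the
! existing SAs, so do this in a maintenance window.
interface GigabitEthernet0/0/0.10
 no crypto map VPNMAP
!
! Tunnel numbers and "ip unnumbered" are assumptions; a dedicated /30 per
! tunnel works equally well. "ip nat outside" on the tunnel is what keeps
! the inside hosts translated to 200.200.200.0/25 before encryption
! (assumption: the remote peers expect those addresses).
interface Tunnel0
 description to tunnel endpoint one (responder-only)
 ip unnumbered GigabitEthernet0/0/0.10
 ip nat outside
 tunnel source GigabitEthernet0/0/0.10
 tunnel destination 2.2.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-TUNNEL-ONE
!
interface Tunnel1
 description to tunnel endpoint two
 ip unnumbered GigabitEthernet0/0/0.10
 ip nat outside
 tunnel source GigabitEthernet0/0/0.10
 tunnel destination 3.3.3.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-TUNNEL-TWO
!
! Routes replace the crypto ACLs as the selector for what enters each
! tunnel. The remote subnets are the ones from Tunnel-One-SA-List and
! Tunnel-Two-SA-List in the original configuration.
ip route 10.200.0.0 255.255.255.0 Tunnel0
ip route 10.100.0.0 255.255.255.0 Tunnel1
!
! The crypto ACLs are no longer referenced by anything and can go.
no ip access-list extended Tunnel-One-SA-List
no ip access-list extended Tunnel-Two-SA-List
```

Two caveats a practitioner should check before cutting over. First, a VTI negotiates phase 2 with any/any proxy identities (0.0.0.0/0 to 0.0.0.0/0), so the remote peers must also be route-based or use an any/any crypto ACL; a crypto-map peer that still proposes the specific 200.200.200.0/25 to 10.x selectors will fail phase 2 with a proxy identity mismatch. That matters most for the responder-only tunnel, since 2.2.2.1 has to be the one initiating and Tunnel0 stays down until it does. Second, NAT runs only when a packet exits an `ip nat outside` interface: with the crypto map, traffic was translated on the WAN subinterface and then encrypted, whereas with a VTI the packet exits the tunnel interface, so dropping `ip nat outside` from the tunnels would send the untranslated 10.0.0.x sources to the peer. Verify with `show crypto session`, `show crypto ipsec sa` and `show interfaces Tunnel0`; the tunnel line protocol comes up once the IPsec SA is established.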