1752 Views | 0 Helpful | 5 Replies

IOS VPN Tunnel - Answer Only?

davemit
Level 1

Hello!

We are moving from an ASA to IOS routers for our site to site VPN tunnels.  On the ASA we have several tunnels set up as "Answer-Only".   How do I configure this same setting on the IOS router?  It isn't jumping out at me as an option in the crypto map.

Thanks!

- Dave

5 Replies

Marcin Latosiewicz
Cisco Employee

Dave,

This is after a long day in the office where I can barely see but I do believe the only option like this is in IPsec profile:

R1(config)#crypto ipsec profile PRO
R1(ipsec-profile)#?
Crypto Map configuration commands:
  default         Set a command to its defaults
  description     Description of the crypto map statement policy
  dialer          Dialer related commands
  exit            Exit from crypto map configuration mode
  no              Negate a command or set its defaults
  redundancy      Configure HA for this ipsec profile
  responder-only  Do not initiate SAs from this device

Marcin

Thanks for the reply Marcin!

How do I apply a crypto ipsec profile to a static VPN?

I know you can configure VTI interfaces that use profiles, but my understanding is that both sides would have to use VTI interfaces, whereas we have a variety of customers using "traditional" IPsec on a variety of devices.

- Dave

Dave,

You're right, the functionality would affect only solutions based on tunnel protection (GRE over IPsec or VTI).

Which is basically what we encourage people to run (i.e. VTIs, DMVPN, Flex).

I'll do some checking tomorrow, but from the top of my head at 11:30 PM there's nothing.

Marcin
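For readers who do run tunnel protection on both ends, here is what the responder-only profile from the help output above looks like in a complete static VTI configuration. This is an added example, not configuration from the thread or from Cisco; the profile name PRO is the one used above, while the policy numbers, transform set name, addresses, interface and pre-shared key are placeholders.

```cisco
! Added example: static VTI whose IPsec profile never initiates SAs.
! All addresses, names and the PSK are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.2
!
crypto ipsec transform-set TS_L2L esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! responder-only: this router answers IKE/IPsec from 203.0.113.2 but
! will not bring the tunnel up itself, even when interesting traffic
! is routed into Tunnel0.
crypto ipsec profile PRO
 set transform-set TS_L2L
 responder-only
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PRO
!
! Traffic for the remote site is routed into the VTI; with responder-only
! it is simply dropped until the peer establishes the SA.
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

As the thread notes, this only helps when the peer is also a VTI or GRE-over-IPsec endpoint; a peer running a plain crypto map will not negotiate with a VTI side. A useful check after applying it is `show crypto ipsec sa` on the responder-only router: before the peer initiates, Tunnel0 shows no active SAs, and after the peer initiates, the SA's local endpoint is the router's own tunnel source.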

Dave,

After a few hours of sleep, here's an idea.

To implement answer-only-like functionality, you can use a dynamic crypto map entry (no set peer entry) matching access-list for that traffic + setting transform set.

(If you run ezvpn on same box with crypto maps remember to add a very generic entry with high number in crypto map.)

Essentially (not syntax checked)

crypto dynamic-map DYN 10
 set transform-set MYSET_FOR_L2L
 match address TRAFFIC_FOR_L2L
crypto dynamic-map DYN 65000
 set transform-set SET_FOR_EZVPN

Would that work for you?

Marcin
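The idea in the post above, carried through to a complete configuration: a dynamic crypto map entry has no `set peer`, so the router can only respond to a peer whose proposal matches the entry, which is the answer-only behaviour being asked for. This is an added example, not configuration from the thread or from Cisco; the DYN, MYSET_FOR_L2L and TRAFFIC_FOR_L2L names come from the post, and the crypto map name VPNMAP, the second site's ACL, all addresses, the interface and the pre-shared key are placeholders.

```cisco
! Added example: answer-only site-to-site tunnel via a dynamic crypto map,
! alongside a normal static entry that is allowed to initiate.
! All addresses, the PSK and the map/ACL names are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One key per peer; avoid a 0.0.0.0 wildcard key so that only known
! peers can complete phase 1 against the dynamic entry.
crypto isakmp key PLACEHOLDER_PSK_A address 203.0.113.2
crypto isakmp key PLACEHOLDER_PSK_B address 198.51.100.2
!
! Interesting traffic for the answer-only peer (203.0.113.2)...
ip access-list extended TRAFFIC_FOR_L2L
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
! ...and for the peer this router is allowed to initiate to.
ip access-list extended TRAFFIC_TO_SITE_B
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
crypto ipsec transform-set MYSET_FOR_L2L esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! No "set peer" here: a dynamic entry is never used to initiate, the
! router only builds the SA when a peer proposes matching selectors.
crypto dynamic-map DYN 10
 set transform-set MYSET_FOR_L2L
 match address TRAFFIC_FOR_L2L
!
! Static entry first (lower sequence number): this one does initiate.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set MYSET_FOR_L2L
 match address TRAFFIC_TO_SITE_B
! Dynamic map bound in last, at the highest sequence number, so it is
! evaluated only after every static entry has been checked.
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPNMAP
```

Two things to verify after applying this. First, `show crypto map` should list the dynamic entry as a template with no peer, and `show crypto ipsec sa` should show an SA for 10.2.0.0/16 only after 203.0.113.2 has initiated; sending traffic from 10.1.0.0/16 toward 10.2.0.0/16 from the router side must not start a negotiation. Second, because the dynamic entry matches on the ACL rather than on a peer address, the per-peer ISAKMP keys above are what stop an unrelated host from completing phase 1 and proposing those selectors; keep them per-peer rather than using a single wildcard key.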

Thanks for thinking outside the box Marcin!  That may work, but I don't think I want to "kludge" up the config of our head end router with a dynamic crypto map just to implement this one feature.  I was hoping the feature was available in static crypto maps - like the ASA.