
Static Crypto configuration


Hi All,

I have a requirement to configure static crypto for 1800 sites, and I need to configure it on two separate interfaces at each spoke site, which means I need to configure 1800*2 = 3600 peers at the central site. The challenge I have is due to load balancing: dynamic crypto cannot be used, since traffic may be initiated from the DC on the other link, and it may get dropped in case it is not encrypted.

Looking for some simpler way to configure this.

Experts need your help.



5 Replies


Could you please be more specific on what you mean by "load-balancing"?

Which devices are you planning to use for this deployment?



Sent from Cisco Technical Support Android App

Thanks Javier for the response. Please find the clarification.

Load balancing means I have 2 Service Providers (SP) at each site on which I am building the IPsec; load distribution between the 2 links is taken care of by the routing protocol. For each SP I am configuring a separate crypto map with redundancy at the central site.

At the central site I have 2 Cisco 7206 routers with VAM2.




Have you considered VTI or DMVPN instead, so you do not depend on a specific crypto map and static routing?

Configuring a Virtual Tunnel Interface with IP Security

Dynamic Multipoint VPN (DMVPN)

With this, you can have your routing protocol make the routing decision / load-balancing across the tunnel interfaces; both tunnels will be active, and even passing traffic simultaneously.

Please let me know.

Hi Javier,

I am sorry, I forgot to mention that I am using selective encryption here. Only business-critical traffic is being encrypted. Hence I used BGP for routing and specific IP-based encryption.



I see; is this crypto map solution already implemented? I cannot determine which network design would be the best for you, since I am not familiar with all your internal policies and requirements, but I can suggest.

Usually I encourage people to use VTI or DMVPN, since they are more scalable and easier to maintain than LAN-to-LAN tunnels with huge ACLs.

My idea is this:

          Tunnel1                 Tunnel1
        |-------------|         |-----------|
  Hub   |               Internet            |   Spoke
        |-------------|         |-----------|
          Tunnel2                 Tunnel2

An IGP running across the tunnel interfaces (VTI) will make the routing decision for you, according to how you tune it up.

For instance:

You could use EIGRP to load-balance the traffic (equal cost at this point, since you only have two links):

EIGRP load-balancing

So the router will keep both IPsec tunnels up, and traffic will flow across the tunnel interfaces following the EIGRP routing conditions.


On the other hand, if you want to go with the crypto map condition, I would still suggest GRE/IPsec and do the same thing, but let's say that GRE will not be used.

Without any kind of routing protocol, load-balancing will not be achieved at all. You can still have two routes pointing to two next-hops to reach the same destination network, but this is not recommended and may not behave as expected.



In order to load balance traffic across two tunnels, I suggest:


2- VTI

3- GRE/IPsec

In conjunction with an IGP.
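As an added illustration of the two approaches discussed in this thread (the per-peer static crypto map the original poster is scaling to 3600 entries, and the VTI-plus-IGP design suggested in the replies), here is a hub and spoke IOS configuration for one spoke over both service providers. It is example configuration written for this page, not Cisco's documentation or any poster's config; the interface names, the addresses 198.51.100.0/24 and 203.0.113.0/24 (documentation ranges standing in for the two SP links), the prefix 10.0.0.0/16 as the "business-critical" DC range, the pre-shared key placeholder, and the EIGRP AS number are all assumptions. Selective encryption is preserved by advertising only the critical prefixes over the tunnels with a distribute-list, so only that traffic is routed into IPsec; anything else keeps following the provider path.

```cisco
! ===== Hub (one of the two 7206/VAM2 routers; constructed example) =====
! IKE phase 1. Older IOS (12.4) may only offer "hash sha" and
! "esp-sha-hmac"; use the strongest the platform supports.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One key per spoke per SP address (placeholder value). A wildcard key
! (address 0.0.0.0 0.0.0.0) would be shorter but lets any peer holding the
! key impersonate any spoke; certificates scale better than 3600 keys.
crypto isakmp key PLACEHOLDER-SPOKE0001-KEY address 198.51.100.10
crypto isakmp key PLACEHOLDER-SPOKE0001-KEY address 203.0.113.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
! --- The static crypto map entry this replaces (one of 3600 on the hub) ---
! Encryption is decided by the ACL, so every spoke x SP pair needs its own
! ACL, peer and map sequence, and traffic that enters on the "wrong" SP
! link with no matching map entry is sent in the clear or dropped.
access-list 101 permit ip 10.0.0.0 0.0.255.255 10.1.1.0 0.0.0.255
crypto map VPN-SP1 1 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address 101
!
! --- VTI alternative: one tunnel per spoke per SP ---
! Everything the routing table sends into a VTI is encrypted, so the
! decision moves from the ACL to the IGP. Both tunnels stay up.
interface Tunnel1
 description SP1 to spoke-0001
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 description SP2 to spoke-0001
 ip address 10.255.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Selective encryption: only the business-critical DC range is advertised
! over the tunnels, so only that traffic is routed into IPsec.
ip prefix-list CRITICAL seq 10 permit 10.0.0.0/16
!
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 10.0.0.0 0.0.255.255
 distribute-list prefix CRITICAL out Tunnel1
 distribute-list prefix CRITICAL out Tunnel2
 no auto-summary
!
! ===== Spoke (mirror image; same isakmp policy / transform set / profile,
! with "crypto isakmp key ... address 198.51.100.1" and "... 203.0.113.1") =====
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 10.1.1.0 0.0.0.255
 no auto-summary
```

With both tunnels at equal cost, EIGRP installs two paths to 10.0.0.0/16 at the spoke and to 10.1.1.0/24 at the hub, and CEF load-shares per destination; `show ip route 10.0.0.0`, `show crypto session` and `show interfaces Tunnel1 | include drop` are the checks that both tunnels are up and carrying traffic. Two points worth weighing before adopting this at 1800 sites: a VTI design still means 3600 tunnel interfaces on the hub pair, which is where the DMVPN (mGRE, one tunnel interface per SP) option from the earlier reply pays off; and because a VTI encrypts whatever is routed into it, a mistake in the distribute-list silently changes what is encrypted, so the prefix-list deserves the same change control as the old crypto ACLs.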