12-04-2018 02:40 PM
What are crypto map sequence numbers for? What is their purpose and reason for being?
Labels: VPN
Accepted Solutions
12-05-2018 08:49 AM
HTH
12-04-2018 02:53 PM - edited 12-04-2018 02:55 PM
Allows you to create multiple VPN tunnels from your ASA; see example below:
Sequence number 5 is for site A & sequence number 10 is for site B:
crypto map vpnmap 5 match address outside_cryptomap_2
crypto map vpnmap 5 set peer IP-ADD-1
crypto map vpnmap 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map vpnmap 5 set security-association lifetime seconds 3600
crypto map vpnmap 5 set security-association lifetime kilobytes 102400000
crypto map vpnmap 10 match address outside_cryptomap_7
crypto map vpnmap 10 set peer IP-ADD-2
crypto map vpnmap 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map vpnmap 10 set security-association lifetime kilobytes unlimited
crypto map vpnmap 15 match address outside_cryptomap_12
Please accept as solution if it was so :)
Regards, mk
12-04-2018 02:55 PM
Crypto map sequence numbers just have local significance to the VPN headend. They help you order the VPN connection entries as per your requirements. Crypto map entries are evaluated sequentially, so if you have a smaller and more specific crypto proxy, you can technically place it above a broader one in order for both to work:
Crypto map seq 1
Local proxy: 10.0.0.0/24
Remote proxy: 192.168.1.0/24
Crypto map seq 2
Local proxy: 10.0.0.0/24
Remote proxy: 192.168.0.0/16
In this case, everything going to 192.168.1.0/24 goes through peer 1 while everything in 192.168.0.0/16 except 192.168.1.0/24 goes to peer 2. If the order was reversed, only peer 2 would work.
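An added example (not code from any poster in this thread) that models the first-match behaviour described above: entries are evaluated in ascending sequence order, the first whose local and remote proxies contain the flow wins, and a helper flags entries that an earlier, broader entry shadows so they can never be hit. The peer names, the sample flow addresses and the simplification of each entry's `match address` ACL to a single local/remote network pair are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int      # crypto map sequence number
    local: str    # local proxy (source network), simplified from the match-address ACL
    remote: str   # remote proxy (destination network)
    peer: str     # VPN peer this entry sends traffic to (assumed name)


def select_entry(entries, src_ip, dst_ip):
    """Return the first entry, by ascending seq, whose proxies contain the flow, else None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for e in sorted(entries, key=lambda e: e.seq):
        if src in ipaddress.ip_network(e.local) and dst in ipaddress.ip_network(e.remote):
            return e
    return None


def shadowed_entries(entries):
    """Return entries that can never match because an earlier entry already covers their proxies."""
    ordered = sorted(entries, key=lambda e: e.seq)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            local_covered = ipaddress.ip_network(later.local).subnet_of(
                ipaddress.ip_network(earlier.local))
            remote_covered = ipaddress.ip_network(later.remote).subnet_of(
                ipaddress.ip_network(earlier.remote))
            if local_covered and remote_covered:
                shadowed.append(later)
                break
    return shadowed


# Constructed sample: the two-entry map from the post, specific entry first (works) ...
GOOD_ORDER = [
    CryptoMapEntry(1, "10.0.0.0/24", "192.168.1.0/24", "peer1"),
    CryptoMapEntry(2, "10.0.0.0/24", "192.168.0.0/16", "peer2"),
]
# ... and the reversed order, where the /16 entry swallows the /24 traffic.
BAD_ORDER = [
    CryptoMapEntry(1, "10.0.0.0/24", "192.168.0.0/16", "peer2"),
    CryptoMapEntry(2, "10.0.0.0/24", "192.168.1.0/24", "peer1"),
]

if __name__ == "__main__":
    print(select_entry(GOOD_ORDER, "10.0.0.5", "192.168.1.20").peer)   # peer1
    print(select_entry(BAD_ORDER, "10.0.0.5", "192.168.1.20").peer)    # peer2
    print([e.seq for e in shadowed_entries(BAD_ORDER)])               # [2]
```

Running `shadowed_entries` over a planned map before applying it is a cheap way to catch an ordering mistake that would silently steer one site's traffic into another site's tunnel.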
12-05-2018 08:31 AM
I need more clarity on how the sequence numbers work.
For example, if you have 2 crypto maps on a device that have the same crypto map name but different sequence numbers, how would that work? Compare that with 2 crypto maps on the device with different crypto map names and different sequence numbers, or, as a third case, 2 crypto maps on a device with different crypto map names and the same sequence numbers.
12-05-2018 02:23 PM
You can have only 1 crypto map applied to 1 interface. So in my previous config, the single crypto map is called vpnmap; now I can use different sequence numbers to configure multiple VPN tunnels, where each sequence number corresponds to the config for a specific VPN endpoint.
If I had another outside interface, I could also use that for S2S VPNs, but now I would have to give that crypto map a different name, e.g. vpnmap2, and then, as before, use sequence numbers to configure different VPNs.
Hope that helps.
Regards, mk
12-04-2018 02:56 PM
Just for completeness, add to the outside interface:
crypto map vpnmap interface outside
Regards, mk
