Using Crypto Maps and IPsec Static VTI's on the same router

John Platts
Level 4

Is it possible to configure both crypto maps and IPsec static VTI's on the same router? What platforms have this capability? What IOS version do I need?

2 Replies

uwkleinh
Cisco Employee

Yes, you can, and as far as I know I don't think there is a hardware dependency.

VTI mode 'tunnel mode ipsec ipv4' was added in 12.3(14)T.

If you are mixing tunnel protection and crypto map, ensure you use isakmp profiles to differentiate somehow that the tunnel IPsec connection is not processed on the crypto map!

Here is a rough example (fine tune it as needed):

! Pre-shared keys: key1 for the VTI peer, key2 for the crypto map peer
crypto keyring key1
 pre-shared-key address 1.1.1.1 key test123
crypto keyring key2
 pre-shared-key address 7.7.7.7 key test777
!
! One ISAKMP profile per peer, selected by the peer's identity address
crypto isakmp profile vpn1
 keyring key1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile vpn2
 keyring key2
 match identity address 7.7.7.7 255.255.255.255
!
crypto ipsec transform-set test esp-des esp-sha-hmac
!
! IPsec profile for tunnel protection, bound to ISAKMP profile vpn1
crypto ipsec profile vpn-tunnel
 set transform-set test
 set isakmp-profile vpn1
!
! Crypto map entry, bound to ISAKMP profile vpn2
crypto map mymap 1 ipsec-isakmp
 set transform-set test
 set peer 7.7.7.7
 set isakmp-profile vpn2
 match address 177
!
interface Tunnel0
 ip address 10.0.51.217 255.255.255.0
 tunnel source 2.2.2.2
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-tunnel
!
interface Ethernet4
 ip address 2.2.2.2 255.255.255.0
 crypto map mymap

Regards,
Uwe
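
One way to check a saved configuration against the advice in the reply above (an added example, not part of the original thread and not Cisco tooling): the script reads IOS-style text and reports when a `crypto ipsec profile` or crypto map entry has no ISAKMP profile, when both share one, or when their profiles' `match identity address` ranges overlap. The names `SAMPLE`, `stanzas` and `audit` are hypothetical, and it assumes every `crypto ipsec profile` is used for tunnel protection.

```python
import ipaddress
import re

# Constructed sample: the reply's config, trimmed to the stanzas this check reads.
SAMPLE = """\
crypto isakmp profile vpn1
 match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile vpn2
 match identity address 7.7.7.7 255.255.255.255
crypto ipsec profile vpn-tunnel
 set isakmp-profile vpn1
crypto map mymap 1 ipsec-isakmp
 set isakmp-profile vpn2
"""
MATCH = re.compile(r"match identity address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def stanzas(config):
    """Map each unindented command to the indented sub-commands below it."""
    out, head = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace() and head:
            out[head].append(line.strip())
        else:
            head = line.strip()
            out[head] = []
    return out

def audit(config):
    """List ways VTI and crypto map negotiations could select the same ISAKMP profile."""
    nets, bound, findings = {}, {"vti": set(), "map": set()}, []
    for head, body in stanzas(config).items():
        low = head.lower()
        if low.startswith("crypto isakmp profile "):
            nets[head.split()[3]] = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
                                     for m in map(MATCH.match, body) if m]
        kind = ("vti" if low.startswith("crypto ipsec profile ") else
                "map" if low.startswith("crypto map ") and low.endswith("ipsec-isakmp") else None)
        if kind:
            names = {s.split()[2] for s in body if s.startswith("set isakmp-profile ")}
            bound[kind] |= names
            findings += [] if names else [f"{head}: no isakmp-profile set"]
    for name in sorted(bound["vti"] & bound["map"]):
        findings.append(f"isakmp profile {name}: used by both the VTI and the crypto map")
    for name in sorted((bound["vti"] | bound["map"]) - set(nets)):
        findings.append(f"isakmp profile {name}: referenced but not defined")
    for pv, pm in ((v, m) for v in sorted(bound["vti"]) for m in sorted(bound["map"]) if v != m):
        findings += [f"{pv}/{pm}: identity {nv} overlaps {nm}" for nv in nets.get(pv, [])
                     for nm in nets.get(pm, []) if nv.overlaps(nm)]
    return findings
```

Calling `audit()` on the text of a saved configuration returns an empty list when the two paths are kept apart, as they are in the sample.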

The main difference will be that, in this case, the crypto ACL on the remote devices will contain only two addresses, mirroring the addresses specified as tunnel source and tunnel destination on the 2921. In theory, there are no other changes.