Basic question - Which interfaces to put the crypto map statement on

Unanswered Question
Jul 26th, 2007

Here is my scenario:

Site to Site VPN, Cisco 1811 Router to hub site through DSL at the remote (1811) site. Only one VPN from remote site.

When I setup the 1811 Router, which interfaces should I put the crypto map statement onto?

I have the following potential choices:

Ethernet0 (Outside Interface, points to DSL modem which is in bridge mode)

Dialer1 (PPOE in use, obtains live Internet address)

Tunnel100 (connects to the 7204VXR)

Should the crypto map statement go on 1, 2, or all three of them?

Here is part of the config:

vpdn-group dsl


protocol pppoe


crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 5

lifetime 7200

crypto isakmp key somekey x.x.x.x


crypto ipsec transform-set secure esp-3des esp-md5-hmac

mode transport


crypto map vpn 100 ipsec-isakmp

set peer x.x.x.x

set transform-set secure

match address 101


interface Tunnel100

ip address x.x.x.x x.x.x.x

ip tcp adjust-mss 1436

tunnel source Dialer1

tunnel destination x.x.x.x

crypto map vpn


interface Ethernet0

description ** Outside facing interface **

no ip address

no ip route-cache cef

no ip route-cache

no ip mroute-cache

duplex half

pppoe enable

pppoe-client dial-pool-number 1

arp timeout 300

no cdp enable

crypto map vpn


interface Dialer1

ip address negotiated

ip access-group INTERNET_INT_ACL in

ip mtu 1492

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication pap chap callin

ppp chap hostname name

ppp chap password password

ppp pap sent-username name pasword word

crypto map vpn

I also have the required access-lists.

Thanks for any insights.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mattiaseriksson Thu, 07/26/2007 - 16:44

Very interesting question.

Do you want to encrypt the tunnel itself, or just traffic passing through the tunnel?

What I mean is if your access-list matches the gre-packets or some other traffic?

Normally you want to encrypt the gre tunnel and run that inside an ipsec tunnel, so I assume that.

Then my guess is that you have to apply the crypto-map to the dialer and the tunnel interfaces.

But you can also use tunnel-protection with the gre tunnel, it will save you some work and the headache. :-)

Check out IPSec Virtual Tunnel Interface. It is more scalable, especially if you have a hub-spoke scenario.

cybrsage Tue, 07/31/2007 - 05:03


Yes, my access-list matches the gre packets.

I will look up IPSec Virtual Tunnel Interface. I have hundreds of spokes and only two hubs.


This Discussion