07-26-2007 06:40 AM - edited 03-09-2019 06:28 PM
Here is my scenario:
Site-to-site VPN, Cisco 1811 router to the hub site through DSL at the remote (1811) site. Only one VPN from the remote site.
When I set up the 1811 router, which interfaces should I put the crypto map statement on?
I have the following potential choices:
Ethernet0 (outside interface, points to the DSL modem, which is in bridge mode)
Dialer1 (PPPoE in use, obtains the live Internet address)
Tunnel100 (connects to the 7204VXR)
Should the crypto map statement go on 1, 2, or all three of them?
Here is part of the config:
! PPPoE client session towards the DSL modem
vpdn-group dsl
 request-dialin
  protocol pppoe
!
! Phase 1 (ISAKMP) policy and pre-shared key for the hub peer
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 7200
crypto isakmp key somekey address x.x.x.x
!
! Phase 2 transform set; transport mode because the payload is already a GRE tunnel
crypto ipsec transform-set secure esp-3des esp-md5-hmac
 mode transport
!
! Crypto map: ACL 101 selects the GRE traffic to be encrypted
crypto map vpn 100 ipsec-isakmp
 set peer x.x.x.x
 set transform-set secure
 match address 101
!
! GRE tunnel to the 7204VXR, sourced from the PPPoE dialer
interface Tunnel100
 ip address x.x.x.x x.x.x.x
 ip tcp adjust-mss 1436
 tunnel source Dialer1
 tunnel destination x.x.x.x
 crypto map vpn
!
! Physical interface towards the bridged DSL modem; no IP address, PPPoE only
interface Ethernet0
 description ** Outside facing interface **
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex half
 pppoe enable
 pppoe-client dial-pool-number 1
 arp timeout 300
 no cdp enable
 crypto map vpn
!
! Logical PPPoE interface that holds the negotiated public address
interface Dialer1
 ip address negotiated
 ip access-group INTERNET_INT_ACL in
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname name
 ppp chap password password
 ppp pap sent-username name password word
 crypto map vpn
I also have the required access-lists.
Thanks for any insights.
07-26-2007 04:44 PM
Very interesting question.
Do you want to encrypt the tunnel itself, or just traffic passing through the tunnel?
What I mean is, does your access-list match the GRE packets or some other traffic?
Normally you want to encrypt the GRE tunnel and run that inside an IPsec tunnel, so I assume that.
Then my guess is that you have to apply the crypto map to the dialer and the tunnel interfaces.
But you can also use tunnel protection with the GRE tunnel; it will save you some work and the headache. :-)
Check out IPsec Virtual Tunnel Interface. It is more scalable, especially if you have a hub-spoke scenario.
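An added example (not from the original post or the reply above) of the tunnel protection approach the reply suggests, applied to the poster's Tunnel100. The profile name GRE-PROT is assumed, the x.x.x.x addresses are placeholders as in the question, and the 3DES/MD5 transform set is kept only so the example matches the posted config.

```cisco
! Added example: GRE over IPsec using "tunnel protection" instead of a crypto map.
! Assumed: profile name GRE-PROT; x.x.x.x are placeholders from the original post.
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 7200
crypto isakmp key somekey address x.x.x.x
!
! 3DES/MD5 kept only to match the question; AES and SHA are the current choice.
crypto ipsec transform-set secure esp-3des esp-md5-hmac
 mode transport
!
! The profile replaces "crypto map vpn" and "match address 101": the proxy
! identity is taken from the tunnel source and destination, so no ACL is needed.
crypto ipsec profile GRE-PROT
 set transform-set secure
!
! The crypto map is applied on none of the three interfaces; protection is bound
! to the tunnel itself, and the SA is sourced from Dialer1's negotiated address.
interface Tunnel100
 ip address x.x.x.x x.x.x.x
 ip tcp adjust-mss 1436
 tunnel source Dialer1
 tunnel destination x.x.x.x
 tunnel protection ipsec profile GRE-PROT
!
! Dialer1 keeps its PPPoE settings and carries no crypto map. Its inbound ACL
! (INTERNET_INT_ACL, not shown on the page) must still permit UDP/500 and ESP
! (IP protocol 50) from the hub peer, otherwise IKE never completes.
interface Dialer1
 ip address negotiated
 ip access-group INTERNET_INT_ACL in
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
!
! Verification after the dialer comes up: the session should list Tunnel100
! with the hub as peer, and the SA counters should increment with tunnel traffic.
! show crypto session
! show crypto ipsec sa
```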
07-31-2007 05:03 AM
Thanks!
Yes, my access-list matches the GRE packets.
I will look up IPsec Virtual Tunnel Interface. I have hundreds of spokes and only two hubs.