crypto map

Answered Question
Sep 6th, 2007

I tried to change the IP of a WAN link between a remote router and the main router. I did that and it seems to work. Then I pinged and telnetted to the remote router and it was fine. Also I could ping the remote users. Then the remote users called me and reported that they cannot work in a program (database) located near the main router.

After checking the problem I realised that on both link interfaces there was a crypto map with certain access-lists.

Is that the problem?

How can i correct it?

Thanks

moses

lgijssel Thu, 09/06/2007 - 02:50

The config looks like below:

crypto map ABCD 2 ipsec-isakmp
 set peer 21.185.230.87        << this line
 set transform-set ABCset
 match address 128

The peer is the remote termination point for the VPN. You will have to modify the VPN peer setting on the other end of the VPN tunnel so that it points to the ip address of the router.

regards,

Leo

Richard Burts Thu, 09/06/2007 - 05:37

Moses

I believe that the suggestion by Leo that the issue may be the peer address is a good suggestion. Depending on how the crypto config was set up this may be an issue or may not (we do not know if the peering is to the physical outside interface (where it would be a problem) or is to some other address).

We do not know enough about the situation to be able to say whether the access list is an issue. The access list identifies what traffic is to be protected by IPSec. In some situations (especially if it is IPSec with GRE tunnels) the access list does reference the physical outside interface address and the access list would be a problem. But in some other implementations of IPSec the access list references the LAN addresses where the users are located and in this situation the access list would not be an issue.

Perhaps you can supply a bit more information about the environment and some details of how the crypto configuration is set up?

HTH

Rick
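
The two checks Leo and Rick describe (does a "set peer" point at the address being renumbered, and does the crypto ACL name the physical interface address rather than LAN prefixes) can be run against a saved config before the change is made. The script below is an added example, not code from this thread or from Cisco; the sample config, the map/ACL names and the RFC 5737 addresses in it are constructed for illustration. It reports every crypto-relevant statement that names a given address on one router, so the operator knows which lines (and their mirror image on the peer) must be updated along with the interface address.

```python
import re
from typing import Dict, List

# Constructed sample config (hypothetical names and RFC 5737 addresses, not
# the thread's own). 192.0.2.1 is the main router's WAN address that is
# about to be renumbered; 192.0.2.2 is the remote router's WAN address.
SAMPLE_CONFIG = """\
crypto isakmp key EXAMPLEKEY address 192.0.2.2
crypto ipsec transform-set ABCset esp-aes esp-sha-hmac
crypto map ABCD 2 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set ABCset
 match address 128
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map ABCD
interface Tunnel0
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
access-list 128 permit gre host 192.0.2.1 host 192.0.2.2
access-list 129 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""

# Statements whose meaning is tied to a specific peer or tunnel endpoint.
PATTERNS = {
    "isakmp_keys": re.compile(r"^\s*crypto isakmp key \S+ address (\S+)"),
    "peers":       re.compile(r"^\s*set peer (\S+)"),
    "tunnels":     re.compile(r"^\s*tunnel (?:source|destination) (\S+)"),
}

IPV4 = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def crypto_acl_ids(config: str) -> List[str]:
    """ACL numbers/names bound to crypto maps via 'match address'."""
    return re.findall(r"^\s*match address (\S+)", config, re.M)


def crypto_acl_entries(config: str) -> List[str]:
    """Entries of the ACLs that define IPsec 'interesting traffic'.
    ACLs not referenced by any crypto map (e.g. 129 above) are ignored."""
    ids = set(crypto_acl_ids(config))
    out = []
    for line in config.splitlines():
        m = re.match(r"^\s*access-list (\S+) ", line)
        if m and m.group(1) in ids:
            out.append(line.strip())
    return out


def impact_report(config: str, address: str) -> Dict[str, List[str]]:
    """Every crypto-relevant statement on this router that names `address`.

    Each line returned stops matching once that address changes, so it
    needs an update here and the mirror-image line needs one on the peer.
    The interface's own 'ip address' line is not reported: that is the
    change the operator intends to make.
    """
    report: Dict[str, List[str]] = {k: [] for k in PATTERNS}
    for line in config.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if m and m.group(1) == address:
                report[key].append(line.strip())
    # A crypto ACL that names the WAN address (typical for GRE over IPsec)
    # breaks on renumbering; one that names only LAN prefixes does not.
    # Exact token comparison, so 192.0.2.1 never matches 192.0.2.11.
    report["crypto_acl"] = [
        e for e in crypto_acl_entries(config) if address in IPV4.findall(e)
    ]
    return report


def is_affected(config: str, address: str) -> bool:
    """True if renumbering `address` would touch the VPN configuration."""
    return any(impact_report(config, address).values())


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2"):
        print(f"References to {ip}:")
        for kind, lines in impact_report(SAMPLE_CONFIG, ip).items():
            for entry in lines:
                print(f"  [{kind}] {entry}")
```

Run against the sample, renumbering 192.0.2.1 flags the tunnel source and the GRE crypto ACL (the case Rick says is a problem), while a LAN prefix such as 10.1.0.0 flags nothing because ACL 129 is not bound to a crypto map (the case where the ACL is not an issue). Checking the remote router's address, 192.0.2.2, shows the "set peer" and ISAKMP key lines that Leo's answer points at.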

moses12315 Thu, 09/06/2007 - 07:39

Since I do not know this subject (I am only a CCNA), can I for now remove this crypto map from both interfaces and later, when I have the knowledge, do the proper work? Do you think that the system will work?

Do I need a crypto map in a private network connected with leased lines?

Thanks again

moses

Correct Answer
Richard Burts Thu, 09/06/2007 - 07:58

Moses

If you remove the crypto map from the interfaces then whatever VPN was there would no longer function. Of course from your questions I believe that there is some possibility that it is not functioning (or not functioning completely) now. It would require more familiarity with your environment to know how much difference removing the VPN would make.

Knowing whether you need the crypto map in a private network with leased lines depends on what the requirements are within the private network. I can say that I recently did a project for a customer which was similar. It was within an enterprise network where the routers were connected by leased lines. Because of the type of data being transmitted the customer had a requirement that the data must be encrypted during transmission so we configured IPSec VPN with crypto maps on the interfaces to provide a VPN over the leased line connection.

HTH

Rick

lgijssel Thu, 09/06/2007 - 08:57

Moses, it is unlikely that this VPN was there for nothing. Hence I agree with Rick that simply removing the crypto config isn't a good idea at all.

You should either try to fix it or perform a rollback of the changes that have already been done.

regards,

Leo

Richard Burts Thu, 09/06/2007 - 17:30

Moses

Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that they will read answers that resolved the question. I encourage you to continue your participation in the forum.

HTH

Rick
