One crypto map, different tunnel source addresses (secondary)

Unanswered Question
Feb 29th, 2008


I have two devices with two different (public) IP addresses (Cisco 2811 and Cisco 851), which both host some IPSec tunnels (IPSec/ESP/Tunnel mode). I want to move the 851's configuration to the 2811, and remove the 851 from the network. There is a crypto map assigned to the main outside interface of the 2811 with a few entries. The problem is that I cannot change any of the tunnel TEPs, so the IP address of the 851 must be moved onto the 2811 (as a secondary address). Is there anything I can do to use the secondary address as an IPSec tunnel source? Or do I have to do it using NAT and loopback interfaces?

sadbulali Thu, 03/06/2008 - 12:09

Source IP addresses for IKE for exchanges leaving out of the same physical interface, i.e.:

crypto map to-peer_a 10 ipsec-isakmp
 set peer
 set local-address loopback1 <-- new command
 match address 100
crypto map to-peer_a 20 ipsec-isakmp
 set peer
 set local-address loopback2 <-- new command
 match address 101

Current code allows specifying a local-address for each crypto map only, and not per crypto map instance, as suggested above.
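As an added example (not from the original post or from Cisco documentation), this is the form the reply says current code does support: local-address is a property of the whole crypto map set, and the moved 851 address is held on a loopback. Interface names, addresses, the transform-set name and the ACL number are constructed placeholders.

```cisco
! Constructed example: the former 851 public address lives on a loopback
interface Loopback1
 ip address 203.0.113.2 255.255.255.255    ! placeholder for the 851's old address
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! local-address is set on the crypto map set as a whole, not on entry 10 or 20
crypto map FROM-851 local-address Loopback1
!
crypto map FROM-851 10 ipsec-isakmp
 set peer 198.51.100.10                    ! placeholder remote TEP
 set transform-set ESP-AES-SHA
 match address 110                         ! placeholder crypto ACL
!
access-list 110 permit ip 192.168.51.0 0.0.0.255 192.168.100.0 0.0.0.255
!
! The set is still applied to the physical exit interface. IOS accepts one
! crypto map set per interface, so entries that must keep the 2811's own
! outside address as their source cannot live in this loopback-sourced set.
interface FastEthernet0/0
 crypto map FROM-851
```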

