03-10-2008 06:26 AM
Hi
I have 2 crypto maps defined on my PIX 506E. Traffic of my first crypto map goes to tunnel 1 & traffic of my second interface goes to tunnel 2.
I can't apply the command crypto map CCS interface outside & crypto map PLC interface outside.
I am able to apply only one.
What can I do to use both crypto maps?
crypto ipsec transform-set my_PLC esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map PLC 30 ipsec-isakmp
crypto map PLC 30 match address PLC
crypto map PLC 30 set peer 10.10.10.1
crypto map PLC 30 set transform-set my_PLC
crypto map PLC interface outside
isakmp key ******* address 10.10.10.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
crypto ipsec transform-set my_ccs esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 86400
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set transform-set my_ccs
crypto map CCS interface outside
isakmp key ****** address 20.20.20.1 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
03-10-2008 09:21 AM
Crypto maps are like access lists: one per direction, one per interface. Create a single crypto map to combine both previous crypto maps. An alternative is to maybe use GRE over IPsec and let a routing protocol select the best path for traffic, and it will still be encrypted via the IPsec VPN.
03-10-2008 11:36 AM
Hi
You can only have one crypto map per interface, but you can have separate entries within the same crypto map, e.g.
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set transform-set my_ccs
crypto map CCS 30 ipsec-isakmp
crypto map CCS 30 match address PLC
crypto map CCS 30 set peer 10.10.10.1
crypto map CCS 30 set transform-set my_PLC
crypto map CCS interface outside
HTH
Jon
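The merge suggested in the replies can be checked mechanically. The script below is an added example, not part of the original thread or any Cisco tooling: it parses PIX-style crypto map lines, finds interfaces with more than one map bound, and folds them into a single map, moving an entry to the next free sequence number when two maps used the same one. The function name merge_crypto_maps, its keep parameter and the trimmed sample config are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample: only the crypto map lines from the question.
SAMPLE = """\
crypto map PLC 30 ipsec-isakmp
crypto map PLC 30 match address PLC
crypto map PLC 30 set peer 10.10.10.1
crypto map PLC 30 set transform-set my_PLC
crypto map PLC interface outside
crypto map CCS 20 ipsec-isakmp
crypto map CCS 20 match address CCS
crypto map CCS 20 set peer 20.20.20.1
crypto map CCS 20 set transform-set my_ccs
crypto map CCS interface outside
"""

BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def merge_crypto_maps(config, keep=None):
    """Return config lines with one crypto map per interface.

    keep (hypothetical parameter) names the map that survives; default is
    the first map bound. Entries are matched in ascending sequence order.
    """
    entries = defaultdict(dict)  # map name -> {seq: [settings]}
    bound = defaultdict(list)    # interface -> [map names as applied]
    for line in map(str.strip, config.splitlines()):
        if m := BIND.match(line):
            bound[m[2]].append(m[1])
        elif m := ENTRY.match(line):
            entries[m[1]].setdefault(int(m[2]), []).append(m[3])
    out = []
    for iface, names in bound.items():
        names = list(dict.fromkeys(names))  # drop repeated bindings
        target = keep if keep in names else names[0]
        merged = dict(entries[target])
        for name in (n for n in names if n != target):
            for seq, settings in sorted(entries[name].items()):
                while seq in merged:  # sequence taken: use next free slot
                    seq += 10
                merged[seq] = settings
        for seq in sorted(merged):
            out += [f"crypto map {target} {seq} {s}" for s in merged[seq]]
        out.append(f"crypto map {target} interface {iface}")
    return out

if __name__ == "__main__":
    print("\n".join(merge_crypto_maps(SAMPLE, keep="CCS")))
```

The transform-set, isakmp key and isakmp policy lines are not tied to a map name, so they stay as they are in the running config.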