How to add a second peer to a crypto map

Unanswered Question
Feb 23rd, 2009

Hi,

My current config is between two 876 routers that connect with a GRE IPsec tunnel. I need to add a 3rd router in the setup and my question is the following:

1. From inside the crypto map can I set a second peer or is it better to create a copy of my current crypto map with a different sequence number and define there the second peer?

i.e. my current config is

crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x2
 set peer x2
 set transform-set ESP-3DES-SHA
 match address 100

In the first case I simply add a second peer inside the crypto map.

In the second case I create the same crypto map with sequence number 10 as shown below

crypto map SDM_CMAP_1 10 ipsec-isakmp
 description Tunnel to x3
 set peer x3
 set transform-set ESP-3DES-SHA
 match address 100

Many thanks

themis

Jon Marshall Mon, 02/23/2009 - 10:27

Themis

It depends on what you want to achieve.

If you only want the 3rd router to be used as a backup in case of failure then add it as a second peer inside the crypto map because only one peer will be used at any one time.

If you want to have tunnels between all 3 routers up and running at the same time then you need a separate crypto map entry.

Jon

tnikoletos Mon, 02/23/2009 - 11:27

Hi John,

Question. I use the same crypto map name, i.e. SDM_CMAP_1 for my new router, correct?

Also I create a new tunnel, I add an extra ip route for the new peer and I add an isakmp key for that peer, right?

Anything else?

many thanks,

themis

Jon Marshall Mon, 02/23/2009 - 12:11

"Question. I use the same crypto map name, i.e. SDM_CMAP_1 for my new router, correct?"

If you mean on your existing device then yes, you have to, because you can only apply one crypto map to an interface, so as you say you just need to use another index number.

If you mean on the new router then call it what you like, although to standardise it would be a good idea to use the same naming system.

"Also I create a new tunnel, I add an extra ip route for the new peer and I add an isakmp key for that peer, right?"

Pretty much. You will need another crypto map access-list to define the remote and local subnets.

Jon
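For reference, here is how the two options Jon describes could look on the existing 876, as an added example that is not from Jon's or Themis's posts. The peer addresses, key placeholder, ACL number 101, Tunnel1 addressing and the next-hop address are constructed; the map name and transform set are the ones from the question.

```cisco
! Option A: x3 only as a backup for the existing tunnel.
! A second "set peer" inside entry 1: IOS negotiates with the first
! peer and only moves to the next one if it does not respond, so
! only one of the two tunnels is ever up at a time.
crypto isakmp key <KEY-FOR-X3> address 198.51.100.3
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x2 (x3 as backup)
 set peer 198.51.100.2
 set peer 198.51.100.3
 set transform-set ESP-3DES-SHA
 match address 100

! Option B: a concurrent tunnel to x3 beside the tunnel to x2.
! Separate entry (seq 10), separate pre-shared key, its own crypto
! ACL (must not overlap ACL 100, because entries are checked in
! sequence order and overlapping traffic would match entry 1),
! a separate GRE tunnel interface and a route for the new peer.
crypto isakmp key <KEY-FOR-X3> address 198.51.100.3
!
access-list 101 permit gre host 192.0.2.1 host 198.51.100.3
!
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description Tunnel to x3
 set peer 198.51.100.3
 set transform-set ESP-3DES-SHA
 match address 101
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.3
!
! Route to the new peer's public address via the WAN next hop.
ip route 198.51.100.3 255.255.255.255 192.0.2.254
! The crypto map SDM_CMAP_1 is already applied to the WAN interface,
! so no "crypto map" line is needed there for entry 10.
```

After applying option B, `show crypto isakmp sa` and `show crypto ipsec sa` should list separate SAs for 198.51.100.2 and 198.51.100.3 once GRE keepalives or routed traffic bring both tunnels up.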
