How to add a second peer to a crypto map

Feb 23rd, 2009

Hi,

My current config is between two 876 routers that connect with a GRE IPsec tunnel. I need to add a 3rd router to the setup and my question is the following:


1. From inside the crypto map can I set a second peer or is it better to create a copy of my current crypto map with a different sequence number and define there the second peer?


i.e. my current config is


crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x2
 set peer x2
 set transform-set ESP-3DES-SHA
 match address 100


In the first case I simply add a second peer inside the crypto map.


In the second case i create the same crypto map with sequence number 10 as shown below


crypto map SDM_CMAP_1 10 ipsec-isakmp
 description Tunnel to x3
 set peer x3
 set transform-set ESP-3DES-SHA
 match address 100


Many thanks

themis

Jon Marshall Mon, 02/23/2009 - 10:27

Themis


It depends on what you want to achieve.


If you only want the 3rd router to be used as a backup in case of failure then add it as a second peer inside the crypto map because only one peer will be used at any one time.


If you want to have tunnels between all 3 routers up and running at same time then you need a separate crypto map entry.


Jon

tnikoletos Mon, 02/23/2009 - 11:27

Hi Jon,


Question. I use the same crypto map name, i.e. SDM_CMAP_1 for my new router, correct?


Also I create a new tunnel, I add an extra ip route for the new peer and I add an isakmp key for that peer, right?


Anything else?


Many thanks,

themis


Jon Marshall Mon, 02/23/2009 - 12:11

"Question. I use the same crypto map name, i.e. SDM_CMAP_1 for my new router, correct?"


If you mean on your existing device then yes, you have to, because you can only apply one crypto map to an interface, so as you say you just need to use another index number.


If you mean on the new router then call it what you like, although to standardise it would be a good idea to use the same naming system.


"Also I create a new tunnel, I add an extra ip route for the new peer and I add an isakmp key for that peer, right?"


Pretty much. You will need another crypto map access-list to define the remote and local subnets.


Jon
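Putting Jon's points together on the existing 876 (second map entry under the same map name, a separate crypto ACL, a key and a tunnel per peer), as an added example rather than configuration from the thread; the addresses, interface names and key strings are placeholders:

```cisco
! Added example for the existing-router side (not the poster's or Jon's config).
! Assumptions: this router is 192.0.2.1 on Dialer0, the peers x2/x3 are
! 192.0.2.2/192.0.2.3, the remote LANs are 10.2.0.0/24 and 10.3.0.0/24, and
! the key strings are placeholders. 3DES/SHA is kept only to match the
! thread's existing transform set.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
! one pre-shared key per remote peer
crypto isakmp key KEY_FOR_X2 address 192.0.2.2
crypto isakmp key KEY_FOR_X3 address 192.0.2.3
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! one GRE tunnel per peer
interface Tunnel1
 ip address 10.0.12.1 255.255.255.252
 tunnel source Dialer0
 tunnel destination 192.0.2.2
interface Tunnel2
 ip address 10.0.13.1 255.255.255.252
 tunnel source Dialer0
 tunnel destination 192.0.2.3
!
! one crypto ACL per tunnel, matching only that tunnel's GRE traffic
access-list 100 permit gre host 192.0.2.1 host 192.0.2.2
access-list 101 permit gre host 192.0.2.1 host 192.0.2.3
!
! two entries in the same map: both tunnels stay up at the same time
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to x2
 set peer 192.0.2.2
 set transform-set ESP-3DES-SHA
 match address 100
crypto map SDM_CMAP_1 10 ipsec-isakmp
 description Tunnel to x3
 set peer 192.0.2.3
 set transform-set ESP-3DES-SHA
 match address 101
! only one crypto map can be applied to the interface
interface Dialer0
 crypto map SDM_CMAP_1
!
! routes for the remote LANs through the tunnels
ip route 10.2.0.0 255.255.255.0 Tunnel1
ip route 10.3.0.0 255.255.255.0 Tunnel2
! Backup variant instead: one entry with two "set peer" lines; the first
! listed peer is tried first and only one is active at a time.
```

Reusing access-list 100 in the second entry, as in the original question, would leave both entries matching the same traffic, which is why each entry here gets its own ACL.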
