Multiple Crypto Maps on one interface.

Apr 17th, 2009

I don't know if this is the correct place to ask this question, but I hope someone can help.


I would like to know if it is possible to have different encryption/IPSEC/SA schemes on one interface, without using tunneling?


Right now I am using Policy Based Routing to send traffic to different tunnels and applying a different crypto map to each of the tunnels. I see each tunnel wrapped in GRE, with an ESP payload.


Is it possible to define a crypto map so that the traffic all goes out the same interface (get rid of the GRE), but has different Security Associations? (My management has asked me to try.) I couldn't figure out how to do it without tunneling, but someone mentioned that it may be possible using the crypto map to encrypt some traffic (e.g. port 1041) with one crypto scheme, and other traffic with another.


I hope this makes sense. Thanks in advance for any help you can provide.

srue Fri, 04/17/2009 - 11:44

i couldn't follow exactly what you're asking for, but you could create loopbacks and associate different crypto maps with them.

bobbymcgill Fri, 04/17/2009 - 12:19

Pardon my ignorance on the usage of the term "loopback" in relation to routers. Does it mean the same as with a PC loopback?


I actually want to pass traffic between 2 routers, across a physical interface. I have attached a PDF drawing of what we are doing now. Each Tunnel has a separate Crypto Map.


Is it possible to configure something similar in function WITHOUT using tunnels? So each stream of traffic gets a different encryption scheme? (These are questions posed by my management.)


They are concerned with the extra bytes added by the GRE header for each tunnel.



Richard Burts Fri, 04/17/2009 - 13:19

Bobby


I cannot think of a way to do what you describe without tunnels. You can have only a single crypto map per interface. So without tunnels you have only a single outbound interface (at least that is what your diagram shows), and that can have only a single crypto map.


Within a crypto map you can configure different encryption schemes by configuring several instances within the crypto map, with a different encryption scheme per instance. But the instance of the crypto map is chosen per peer. So I do not see a way to do different encryption schemes to a single peer.


HTH


Rick

bobbymcgill Fri, 04/17/2009 - 13:32

"Within a crypto map you can configure different encryption schemes by configuring several instances within the crypto map with different encryption scheme per instance."


That part sounds interesting. I am still learning my way around the Cisco site. Is there anywhere you could point me to on setting something like that up?

Thanks!

Jon Marshall Fri, 04/17/2009 - 14:17

Bobby


I have never configured individual ports within the crypto map, so you need to test this, but the config would look something like this,

from the perspective of the router on the left in your diagram:



crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto map vpn-set 1 ipsec-isakmp
 set peer 10.100.0.2
 set transform-set desmd5
 match address 120
!
crypto map vpn-set 2 ipsec-isakmp
 set peer 10.100.0.2
 set transform-set 3desmd5
 match address 121
!
crypto map vpn-set 3 ipsec-isakmp
 set peer 10.100.0.2
 set transform-set 3dessha
 match address 122
!
access-list 120 permit udp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 1040
access-list 121 permit udp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 5000
access-list 122 permit udp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 5050


Here is a link to a lot of config examples for IPSEC:

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html


Jon

bobbymcgill Fri, 04/24/2009 - 06:58

Jon - thanks so much for taking the time to give such a detailed answer. This is precisely what we would like to implement. I configured the router based on your information.


Using Wireshark, I am able to view the traffic between routers. I can see the Security Association packets (ISAKMP) go back and forth, and the routers also say that the SA is established. I can ping from any host to any host, and also communicate unencrypted between hosts on all the ports EXCEPT the ones listed.


It seems that the routers are dropping the packets. For example: client 10.30.0.10 sends packets on port 5000, and router interface 10.30.0.1 is dropping them, because they never come out of 10.100.0.1. I see the counters on the IP access lists getting incremented, so I know the router sees the packets.


Do you have any idea why only the packets that I want encrypted are dropped, yet all others go through unencrypted?


Again - thanks for your help.

Jon Marshall Fri, 04/24/2009 - 07:23

Bobby


Can you:

1) Try and connect from 10.30.0.1 to a 10.20.0.x client on port 5000 & 5050. Then can you post the output of

sh crypto ipsec sa
sh crypto isakmp sa

2) Can you also post the running config of both routers?


Jon

bobbymcgill Fri, 04/24/2009 - 12:53

Jon - I was talking this over with a co-worker and we made a slight adjustment to your original ACLs. We simply made them look like this:

access-list 170 permit udp any any eq 1040
access-list 170 permit udp any eq 1040 any


(ACLs for other ports also adjusted)


Now it works just as I hoped!

Only the named ports get encrypted, everything else is in the clear. Thanks so much for all your help!!


I don't know where to click to mark this issue resolved - but I consider it DONE!
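To make the selection logic in Jon's config and Bobby's ACL change concrete, here is a small added example (my own code, not from the thread or from Cisco): a classifier that mimics how a crypto map picks an entry for a packet, walking the entries by sequence number and applying the transform set of the first entry whose crypto ACL permits the packet. It parses only the IOS syntax used in the thread (numbered `access-list N permit PROTO SRC [eq P] DST [eq P]`, with `any` or address plus wildcard), and the crypto map text is Jon's. The sample packets and the three-port version of Bobby's two-line ACL are constructed for the example; the `Packet` and `transform_for` names are mine. Running it shows that Jon's original ACLs only select the 10.30/24 to 10.20/24 direction with the named port as destination, while Bobby's `any any eq P` / `any eq P any` pair selects port P as destination or source in either direction, and that anything else gets no entry at all (it leaves in the clear, as Bobby observed).

```python
# Added example, not from the thread: simulate crypto-map entry selection.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[int, int]            # (address, wildcard mask) as 32-bit ints
ANY: Addr = (0, 0xFFFFFFFF)       # 'any' == 0.0.0.0 with all-ones wildcard

@dataclass(frozen=True)
class Ace:                        # one access-list entry (permit only)
    proto: str
    src: Addr
    sport: Optional[int]
    dst: Addr
    dport: Optional[int]

@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    peer: str
    transform_set: str
    acl: int

@dataclass(frozen=True)
class Packet:                     # constructed 5-tuple for classification
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t: List[str], i: int) -> Tuple[Addr, int]:
    # 'any' or 'A.B.C.D WILDCARD'; returns the address and the next token index
    if t[i] == "any":
        return ANY, i + 1
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    # an 'eq P' right after the source selects the source port, after the destination the destination port
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_access_lists(config: str) -> Dict[int, List[Ace]]:
    """Collect 'access-list N permit ...' lines into {N: [Ace, ...]} in config order."""
    acls: Dict[int, List[Ace]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] != "permit":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, _ = _parse_port(t, i)
        acls.setdefault(int(t[1]), []).append(Ace(t[3], src, sport, dst, dport))
    return acls

def parse_crypto_map(config: str, name: str) -> List[CryptoMapEntry]:
    """Collect the 'crypto map NAME SEQ' entries with their peer, transform set and ACL."""
    entries: List[CryptoMapEntry] = []
    cur: Optional[dict] = None
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 4 and t[:2] == ["crypto", "map"] and t[2] == name:
            if cur:
                entries.append(CryptoMapEntry(**cur))
            cur = {"seq": int(t[3]), "peer": "", "transform_set": "", "acl": 0}
        elif cur is not None and t[:2] == ["set", "peer"]:
            cur["peer"] = t[2]
        elif cur is not None and t[:2] == ["set", "transform-set"]:
            cur["transform_set"] = t[2]
        elif cur is not None and t[:2] == ["match", "address"]:
            cur["acl"] = int(t[2])
    if cur:
        entries.append(CryptoMapEntry(**cur))
    return sorted(entries, key=lambda e: e.seq)   # lowest sequence number is tried first

def _addr_match(rule: Addr, ip: int) -> bool:
    addr, wild = rule
    return ((addr ^ ip) & ~wild & 0xFFFFFFFF) == 0   # wildcard bits set = don't care

def ace_matches(ace: Ace, p: Packet) -> bool:
    return (ace.proto == p.proto
            and _addr_match(ace.src, _ip(p.src_ip)) and _addr_match(ace.dst, _ip(p.dst_ip))
            and (ace.sport is None or ace.sport == p.sport)
            and (ace.dport is None or ace.dport == p.dport))

def classify(entries: List[CryptoMapEntry], acls: Dict[int, List[Ace]], p: Packet) -> Optional[CryptoMapEntry]:
    """First entry (by seq) whose crypto ACL permits the packet; None means no IPsec protection."""
    for e in entries:
        if any(ace_matches(a, p) for a in acls.get(e.acl, [])):
            return e
    return None

CRYPTO_MAP = """
crypto map vpn-set 1 ipsec-isakmp
 set peer 10.100.0.2
 set transform-set desmd5
 match address 120
crypto map vpn-set 2 ipsec-isakmp
 set peer 10.100.0.2
 set transform-set 3desmd5
 match address 121
crypto map vpn-set 3 ipsec-isakmp
 set peer 10.100.0.2
 set transform-set 3dessha
 match address 122
"""
# Jon's original ACLs: one direction, named port as destination.
ORIGINAL_ACLS = """
access-list 120 permit udp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 1040
access-list 121 permit udp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 5000
access-list 122 permit udp 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255 eq 5050
"""
# Bobby's two-line form, written out here for all three ports (constructed; he showed only 1040).
BIDIRECTIONAL_ACLS = """
access-list 120 permit udp any any eq 1040
access-list 120 permit udp any eq 1040 any
access-list 121 permit udp any any eq 5000
access-list 121 permit udp any eq 5000 any
access-list 122 permit udp any any eq 5050
access-list 122 permit udp any eq 5050 any
"""

def transform_for(p: Packet, acl_text: str) -> Optional[str]:
    """Transform set the left router's crypto map applies to p, or None if it is sent in the clear."""
    e = classify(parse_crypto_map(CRYPTO_MAP, "vpn-set"), parse_access_lists(acl_text), p)
    return e.transform_set if e else None

if __name__ == "__main__":
    request = Packet("10.30.0.10", "10.20.0.5", "udp", 40000, 5000)   # client -> server port 5000
    reply = Packet("10.20.0.5", "10.30.0.10", "udp", 5000, 40000)     # server reply, source port 5000
    other = Packet("10.30.0.10", "10.20.0.5", "udp", 40001, 9999)     # a port nobody listed
    for label, acl in (("original", ORIGINAL_ACLS), ("bidirectional", BIDIRECTIONAL_ACLS)):
        print(label, [transform_for(p, acl) for p in (request, reply, other)])
```

Two things to check when testing such a setup: every packet of a flow you want protected has to match the crypto ACL on the router that sends it, in the direction it is sent, and the peer's crypto ACL should be the mirror image; the classifier above makes it easy to feed in both directions of a flow and see which entry, if any, each one hits before touching the routers.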

Jon Marshall Fri, 04/24/2009 - 13:26

Bobby


Really pleased you got it working and glad to be of help. Not sure why you needed to use any in the ACLs, but at least it is working.


Thanks for letting me know.


Jon
