Multiple Crypto Maps on one interface.

Unanswered Question
Apr 17th, 2009

I don't know if this is the correct place to ask this question, but I hope someone can help.

I would like to know if it is possible to have different encryption/IPSEC/SA schemes on one interface, without using tunneling?

Right now I am using Policy Based Routing to send traffic to different tunnels and applying a different crypto map to each of the tunnels. I see each tunnel wrapped in GRE, with an ESP payload.

Is it possible to define a crypto map so that the traffic all goes out the same interface (get rid of the GRE), but has a different Security Association? (My management has asked me to try.) I couldn't figure out how to do it without tunneling, but someone mentioned that it may be possible using the crypto map to encrypt some traffic (e.g. port 1041) with one crypto scheme, and other traffic with another.

I hope this makes sense. Thanks in advance for any help you can provide.

srue Fri, 04/17/2009 - 11:44

I couldn't follow exactly what you're asking for, but you could create loopbacks and associate different crypto maps with them.

bobbymcgill Fri, 04/17/2009 - 12:19

Pardon my ignorance on the usage of the term "loopback" in relation to routers. Does it mean the same as with a PC loopback?

I actually want to pass traffic between 2 routers, across a physical interface. I have attached a PDF drawing of what we are doing now. Each Tunnel has a separate Crypto Map.

Is it possible to configure something similar in function WITHOUT using tunnels? So each stream of traffic gets a different encryption scheme? (These are questions posed by my management.)

They are concerned with the extra bytes added by the GRE header for each tunnel.

Richard Burts Fri, 04/17/2009 - 13:19

I cannot think of a way to do what you describe without tunnels. You can have only a single crypto map per interface. So without tunnels you have only a single outbound interface (at least that is what your diagram shows) and that can have only a single crypto map.

Within a crypto map you can configure different encryption schemes by configuring several instances within the crypto map with a different encryption scheme per instance. But the instance of the crypto map is chosen per peer. So I do not see a way to do different encryption schemes to a single peer.



bobbymcgill Fri, 04/17/2009 - 13:32

"Within a crypto map you can configure different encryption schemes by configuring several instances within the crypto map with a different encryption scheme per instance."

That part sounds interesting. I am still learning my way around the Cisco site. Is there anywhere you could point me to on setting something like that up?


Jon Marshall Fri, 04/17/2009 - 14:17

I have never configured individual ports within the crypto map, so you need to test this, but the config would look something like this,

from the perspective of the router on the left in your diagram:

crypto ipsec transform-set desmd5 esp-des esp-md5-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac

crypto map vpn-set 1 ipsec-isakmp
 set peer
 set transform-set desmd5
 match address 120

crypto map vpn-set 2 ipsec-isakmp
 set peer
 set transform-set 3desmd5
 match address 121

crypto map vpn-set 3 ipsec-isakmp
 set peer
 set transform-set 3dessha
 match address 122

access-list 120 permit udp eq 1040
access-list 121 permit udp eq 5000
access-list 122 permit udp eq 5050

Attached is a link to a lot of config examples for IPSEC -


bobbymcgill Fri, 04/24/2009 - 06:58

Jon - thanks so much for taking the time to give such a detailed answer. This is precisely what we would like to implement. I configured the router based on your information.

Using Wireshark, I am able to view the traffic between routers. I can see the Security Association packets (ISAKMP) go back and forth, and the routers also say that the SA is established. I can ping from any host to any host, and also communicate unencrypted between hosts on all the ports EXCEPT the ones listed.

It seems that the routers are dropping the packets. ex: Client sends packets on port 5000, router interface is dropping them, because they never come out of I see the counters on the IP Access-Lists getting incremented, so I know the router sees the packets.

Do you have any idea why only the packets that I want encrypted are dropped, yet all others go through unencrypted?

Again - thanks for your help.

Jon Marshall Fri, 04/24/2009 - 07:23

Can you

1) try and connect from to a 10.20.0.x client on port 5000 & 5050. Then can you post the output of

sh crypto ipsec sa
sh crypto isakmp sa

2) Can you also post the running config of both routers


bobbymcgill Fri, 04/24/2009 - 12:53

Jon - I was talking this over with a co-worker and we made a slight adjustment to your original ACLs. We simply made them look like this:

access-list 170 permit udp any any port = 1040
access-list 170 permit udp any port = 1040 any

(ACLs for other ports also adjusted)

Now it works just as I hoped!

Only the named ports get encrypted, everything else is in the clear. Thanks so much for all your help!!

I don't know where to click to mark this issue resolved - but I consider it DONE!
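As an added illustration (not part of the thread and not anyone's posted config), here is a small Python model of why the one-direction ACL dropped the traffic while the symmetric one carries it. It models the IOS behaviour at issue: a packet leaving router A is encrypted only if A's crypto ACL permits it, and the peer B accepts the decrypted packet only if it matches B's crypto ACL with source and destination swapped (a cleartext packet that matches that mirror is dropped too). Only UDP port selectors are modelled; the port numbers and ACL shapes are constructed from the posts above.

```python
"""Mirror-image check for IPsec crypto ACLs (constructed illustration).

Assumption: the same crypto ACL was pasted onto both routers, as the posts
suggest. An entry of the form 'udp any any eq 1040' is then not its own
mirror, so one side always rejects what the other side sends."""
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # stands for "any" in a port position


@dataclass(frozen=True)
class Ace:
    sport: Optional[int]  # "eq N" on the source port, or ANY
    dport: Optional[int]  # "eq N" on the destination port, or ANY

    def matches(self, sport: int, dport: int) -> bool:
        return self.sport in (ANY, sport) and self.dport in (ANY, dport)

    def mirrored(self) -> "Ace":
        # What the peer checks decrypted (or cleartext) inbound traffic against
        return Ace(self.dport, self.sport)


def permits(acl: List[Ace], sport: int, dport: int) -> bool:
    return any(a.matches(sport, dport) for a in acl)


def deliver(acl_a: List[Ace], acl_b: List[Ace], sport: int, dport: int) -> str:
    """Fate of one UDP packet sent from behind router A to behind router B."""
    encrypt = permits(acl_a, sport, dport)                     # A's outbound decision
    expect = permits([a.mirrored() for a in acl_b], sport, dport)  # B's inbound check
    if encrypt and expect:
        return "encrypted"
    if not encrypt and not expect:
        return "clear"
    return "dropped"  # one side protects the flow, the other does not: mismatch


# One-direction entry, as first applied on both routers (constructed)
ONE_WAY = [Ace(ANY, 1040)]
# The co-worker's fix: both directions listed, which is its own mirror image
TWO_WAY = [Ace(ANY, 1040), Ace(1040, ANY)]


def demo() -> dict:
    return {
        "one_way_request": deliver(ONE_WAY, ONE_WAY, 40000, 1040),
        "one_way_reply": deliver(ONE_WAY, ONE_WAY, 1040, 40000),
        "two_way_request": deliver(TWO_WAY, TWO_WAY, 40000, 1040),
        "two_way_reply": deliver(TWO_WAY, TWO_WAY, 1040, 40000),
        "other_port": deliver(TWO_WAY, TWO_WAY, 40000, 5000),
    }
```

The "any" keyword is not what fixed it; listing the port in both the source and destination position is, because that ACL reads the same on either router and in either direction.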

Jon Marshall Fri, 04/24/2009 - 13:26

Really pleased you got it working and glad to be of help. Not sure why you needed to use any in the ACLs, but at least it is working.

Thanks for letting me know.
