Crypto Map - Address Matching question

Unanswered Question
Jun 11th, 2009

Hi, I have three policies (see below) which make up a crypto map policy on a security device.

How does policy 10 match traffic if there is no "match address" statement? This is the peer I wish to edit, but I don't know how it is matching. Is there a default addressing match assumed?


crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1
crypto map MYCRYPTO_MAP 10 set transform-set MY_TS_SET

crypto map MYCRYPTO_MAP 20 match address POLICY_ACL1
crypto map MYCRYPTO_MAP 20 set peer 100.200.300.50
crypto map MYCRYPTO_MAP 20 set transform-set MY_TS_SET

crypto map MYCRYPTO_MAP 30 match address POLICY_ACL2
crypto map MYCRYPTO_MAP 30 set peer 100.200.300.100
crypto map MYCRYPTO_MAP 30 set transform-set MY_TS_SET2


Many thanks,


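The question above is really a configuration-audit question: which crypto map entries have no "match address" ACL attached? The script below is an added example, not code from the thread or from Cisco; it parses saved running-config text, groups the "crypto map" lines by map name and sequence number, and reports static entries that lack a match ACL. The sample input is the original poster's three entries, embedded as a constructed string. Entries that reference a dynamic map ("ipsec-isakmp dynamic ...") are recorded but not flagged, since those legitimately carry no match address of their own.

```python
"""Audit check: find static crypto map entries with no 'match address' ACL.

Added example (not from the thread). Run it against the text of
'show running-config' saved to a file, or against the sample below.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: the three crypto map entries quoted in the question.
SAMPLE_CONFIG = """\
crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1
crypto map MYCRYPTO_MAP 10 set transform-set MY_TS_SET
crypto map MYCRYPTO_MAP 20 match address POLICY_ACL1
crypto map MYCRYPTO_MAP 20 set peer 100.200.300.50
crypto map MYCRYPTO_MAP 20 set transform-set MY_TS_SET
crypto map MYCRYPTO_MAP 30 match address POLICY_ACL2
crypto map MYCRYPTO_MAP 30 set peer 100.200.300.100
crypto map MYCRYPTO_MAP 30 set transform-set MY_TS_SET2
"""

# Only lines with a numeric sequence number describe a map entry;
# 'crypto map <name> interface outside' has no sequence and is skipped.
CRYPTO_MAP_RE = re.compile(r"^crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")


def _new_entry():
    return {"match_address": None, "peers": [], "transform_sets": [], "dynamic": None}


def parse_crypto_maps(config_text):
    """Group crypto map lines by (map name, sequence number).

    Returns a dict keyed by (name, seq) whose values record the match ACL,
    the configured peers, the transform sets and, if present, the dynamic
    map the entry references.
    """
    entries = defaultdict(_new_entry)
    for raw in config_text.splitlines():
        m = CRYPTO_MAP_RE.match(raw.strip())
        if not m:
            continue
        key = (m.group("name"), int(m.group("seq")))
        words = m.group("rest").split()
        entry = entries[key]  # creates the entry even for unrecognised sub-commands
        if words[:2] == ["match", "address"] and len(words) >= 3:
            entry["match_address"] = words[2]
        elif words[:2] == ["set", "peer"]:
            entry["peers"].extend(words[2:])
        elif words[:2] == ["set", "transform-set"]:
            entry["transform_sets"].extend(words[2:])
        elif words[:2] == ["ipsec-isakmp", "dynamic"] and len(words) >= 3:
            entry["dynamic"] = words[2]
    return dict(entries)


def entries_without_match_address(config_text):
    """Return sorted (name, seq) keys of static entries that have no match ACL."""
    parsed = parse_crypto_maps(config_text)
    return sorted(
        key for key, entry in parsed.items()
        if entry["match_address"] is None and entry["dynamic"] is None
    )


if __name__ == "__main__":
    # Optional argument: path to a saved running-config; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, seq in entries_without_match_address(text):
        print(f"crypto map {name} {seq}: no 'match address' ACL configured")
```

On the sample input the script reports only sequence 10, which is exactly the entry the poster could not account for. Note that this check reads only the crypto map lines; it says nothing about whether a tunnel is actually up or which proxy identities the peer proposed, which is why the replies below also ask for the ISAKMP and IPsec SA output.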
srikantganesh Thu, 06/11/2009 - 06:53

A match address will be needed to specify interesting traffic.

Check if the VPN is even up.

Show crypto isakmp sa

Is it possible to test the VPN if it is not up?

srikantganesh Thu, 06/11/2009 - 07:14

Under the tunnel group for this VPN or the group policy, are there any specific ACL settings?

Can you post the tunnel group, group policy and crypto config for this vpn?

crazyhorse29 Thu, 06/11/2009 - 07:23

Hi Srikant,

No ACL settings...that is why I was wondering how the traffic is being matched? Is there a default setting?

Tunnel config below.

tunnel-group 100.200.300.1 type ipsec-l2l
tunnel-group 100.200.300.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 100.200.300.1 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2



srikantganesh Thu, 06/11/2009 - 07:24

Can you also post the output for these commands?

show crypto isakmp sa

show crypto ipsec sa

crazyhorse29 Thu, 06/11/2009 - 07:29

show crypto isakmp sa

4 IKE Peer: 100.200.300.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

FW# show vpn-sessiondb detail l2l filter ipaddress 100.200.300.1

Session Type: LAN-to-LAN Detailed

Connection   : 100.200.300.1
Index        : 1                      IP Addr      : 100.200.300.1
Protocol     : IPSecLAN2LAN           Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 996874716              Bytes Rx     : 622313494
Login Time   : 10:40:07 UTC Thu Jun 11 2009
Duration     : 4h:33m:13s
Filter Name  :

IKE Sessions: 1
IPSec Sessions: 2

Session ID   : 1
UDP Src Port : 500                    UDP Dst Port : 500
IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
Encryption   : AES256                 Hashing      : SHA1
Rekey Int (T): 86400 Seconds          Rekey Left(T): 70008 Seconds
D/H Group    : 2

srikantganesh Thu, 06/11/2009 - 07:33

try show ipsec sa peer 100.200.300.1

This should include the traffic it is encrypting/decrypting for this VPN

crazyhorse29 Thu, 06/11/2009 - 07:37

Thanks Srikant,

There appears to be a local and remote subnet listed for source and destination, but I cannot find where this is defined.

This is the point of my posting as I cannot locate where it is reading this information.

Kind Regards,


srue Thu, 06/11/2009 - 06:54

How is the other side configured? As a dynamic map?

crazyhorse29 Thu, 06/11/2009 - 07:15

Thanks Steven,

The other end is a Checkpoint firewall with both subnets A<-->B allowed in both directions to form the tunnel.

Best Regards,
